The Internet of Things (IoT) has entered the home. As cloud technology continues to expand its market reach, cloud-based applications are starting to make waves in the consumer market. Today, numerous mobile phones, desktops, TV applications equipped with IoT capabilities are available to purchase. Combined with a robust market of industry-specific platforms already in use, it is clear the future of digital integration into everyday life will come from IoT developments.
However, the development and implementation of IoT-based products is anything but a risk free zone. Plenty of risks abound, especially in terms of security. The more people using IoT devices, there needs to be a clearly defined accreditation process in place to ensure:
1. The quality of products
2. A surveillance protection policy is in place
A robust security infrastructure to prevent hacking and other forms of cyber crime
Given these pressing concerns, the certification process for IoT products must be water-tight and efficient. Setting standards and norms is difficult in every industry, as it requires a set of objective standards and strong third-party intervention. In IoT it is particularly challenging because so few standards have been set.
The Common Criteria Framework
The Common Criteria framework for achieving security certification has been inherited from traditional IT security assurance. CC is an international standard for certifying IT security, though an exhaustive verification process which is defined on a case-by-case basis. There are seven security assurance levels in total.
In traditional IT such as Firewalls, Switches and Routers, new products are subject to a Common Criteria (CC) evaluation. Under CC, companies can list the security functional requirements (SFRs) within a security target. Since every product can be designed differently, and new products are always being developed, Protection Profiles (PPs) have been created for common products (like a firewall system, for instance).
PPs act as a benchmark in terms of quality and security for the product. That means that if a company wants to introduce new security features to a firewall, they can use the PP of a standard product to compare their new offering against. Once validated by a third party, a certificate is given out by national governments and recognized by the global community.
This is the framework traditional IT and cloud companies must work through to gain security accreditation for any new products, or new product updates. Although it is a tedious system, it does provide strong third-party security standards.
Smart TVs and a CC Framework
It is only recently that IoT companies have been passing through the CC framework successfully. In 2016, Samsung achieved an Evaluated Assurance Level (EAL) 1 for their Smart TV. Then in April of 2017, LG took a step further and achieved a EAL 2 for their Smart TV product. The company published a study detailing their certification process, and here are two important takeaways:
The Certification Process
In order to achieve a level 2 rating, LG has to ensure the Smart TV back-end operates smoothly and has strong security built-in.
Step 1: Operational Capacity
It is the company’s responsibility to show with adequate proof that their product is resistant to malware or external attack. LG put the software underlying the Smart TV through a series of tests to show its operational capacity.
Step 2: Security Requirements
In the absence of PPs for the Smart TV, LG created security targets based on similar PPs, for the following areas:
Kernel
Mobile Device
DRM (Digital Rights Management)
Application of Smart TV
Conclusion
In achieving EAL 2 status, LG has both designed an internal IoT security assurance framework CC-ready and demonstrated that CC is one of the best available certification processes to increase security and reliability of IoT products. Indeed, if tailored to IoT technical and commercial constraints as supported by specialized security labs, CC is the only existing certification framework that is recognized in many countries worldwide, provides flexible assurance levels, covers a large scope of IT/IoT product types and finally delivers formal and objective results. Although it remains relatively a costly and time-consuming process, it is still the best choice for some specific products and markets and LG has shown it is very much delivering a strong value.