IoT security is getting its own crash tests

25.05.2016
The thousands of endpoints in IoT systems may have to protect themselves against thousands of dangers. A decades-old IT lab wants to tell you if they’re up to the task.

On Wednesday, ICSA Labs announced a program to test the security features of IoT devices and sensors. If the products pass, ICSA will give them a seal of approval. It can also keep testing them periodically to make sure they’re still safe.

Consumers and enterprises are wary about security in the Internet of Things, where hardware, software and even use cases are brand new in many cases. Tiny connected devices that run all the time in the background could be vulnerable to completely new kinds of attacks.

ICSA will test both consumer and enterprise IoT products, mostly for vendors but also for some large enterprises trying to implement IoT in a secure way, said George Japak, managing director for ICSA Labs.

The lab has been owned by Verizon since 2007 but operates mostly on its own, Japak said. It has been testing and certifying a variety of IT products, including VPNs and firewalls, since 1989.

The IoT tests will examine six security components to make sure they give adequate protection: alerts and logging, cryptography, authentication, communications, physical security and platform security. Each relevant piece in a product will either pass or fail, and those that fall short will have to go back to the vendor for more work.

The program is open for business immediately. It’s not a guarantee of security everywhere a product is used, Japak warned, because it only tests careful lab implementations. Mistakes in the field can render security protections useless.

There are other players working on defining security and privacy requirements for IoT, including the Online Trust Alliance, the Industrial Internet Consortium, and the Open Web Application Security Project (OWASP). ICSA is collaborating with them to make sure its tests cover all the requirements they’ve identified, Japak said. Through those groups and other channels, enterprises’ emerging IoT security needs should find their way into ICSA’s testing, he said.

Stephen Lawson