Forget about Congress’s latest attempt to regulate IoT security. CTIA’s new certification is the toothiest standard going. In this Spotlight Podcast, we talk with Sameer Dixit of Spirent* on the sidelines of RSA about why.
The U.S. House of Representatives and the Senate both introduced new legislation this week to secure the burgeoning Internet of Things. Versions of the Internet of Things Cybersecurity Improvement Act would require connected devices for purchase by the U.S. Federal Government to meet strict information security standards.
The proposed legislation is just the latest effort by lawmakers in Washington, D.C. to rein in insecure IoT endpoints. While it doesn’t set a federal standard for private sector firms, it does look to use the Federal Government’s purchasing power as a lever to force changes on the private sector.
A New Standard…with Some Teeth
The fate of the legislation is uncertain. But while those bills work their way through Congress, a much more consequential standard is already taking root: this one backed by CTIA, the trade group that represents major telecommunications and Internet providers.
Introduced in August 2018, the CTIA Cybersecurity Certification Program for Cellular Connected Internet of Things devices is being promoted as a way to protect consumers and the nation’s wireless infrastructure from harm caused by insecure IoT endpoints.
But what does the standard entail and how are products evaluated? To find out, we sat down with Sameer Dixit, the Senior Director of Security Consulting at Spirent Communications.
Spirent is one of just 5 CTIA authorized test labs operating around the world. Working together, the five labs helped develop the cybersecurity standard, which is intended to set minimum standards for IoT devices that use cellular networks.
“We’re seeing a lot of demand for IoT security by the service providers across the globe, whether it’s APAC or the US or the UK,” Dixit told me. The new standards set a consistent measure across all the IoT testing labs.
Setting a Bar on IoT Cyber Security
Dixit tells me that the standards include basic requirements such as password management, a strong authentication scheme and provisions for patching and updating the device’s software (or “firmware”).
He said most connected device makers are chiefly concerned with the cost and complexity of standards. Spirent and other labs worked to make the standards easy to understand and comply with.
In this conversation, Sameer and I talk about the new CTIA standard and what it requires. We also talk about how the CTIA standard fits in with other IoT evaluation standards, such as those by Underwriters Lab.
And, in an environment in which voluntary standards are the norm, we also talk about the “teeth” in the new standard, as CTIA has made certification a prerequisite for PTCRB certification, which is needed to connect devices to cellular networks in the U.S.
Spirent is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.