FYI; CSA (Connectivity Standards Alliance, formerly the Zigbee Alliance) has announced “IoT Device Security Specification 1.0” as a new cross-ecosystem product security standard that aims to unify the industry’s many fragmented security standards into one specification.
In short, this common schema should especially be applied by the different IoT gateway/hub/bridge software application implementations, including Zigbee, Z-Wave, Thread + Matter gateway/hub/bridge solutions, as well as to individual IoT devices, if they want to obtain and advertise CSA’s security certification for cybersecurity marketing purposes and to give some peace of mind to consumers/end-users who buy and install various IoT solutions in their home, so they can worry less in today’s rapidly evolving cyber threat landscape.
Anyway, to allow compliance to be shown, so it can be seen that different solution implementations follow this new standard, the CSA has now introduced a product security verified mark for certified applications, so products can indicate compliance with this new security specification standard:
For reference regarding the fragmentation of security standards: last year the FCC and NIST unveiled the “Cyber Trust Mark”, a voluntary IoT security label for the United States of America, and the European Union introduced the “Cyber Resilience Act” (CRA), the EU’s cybersecurity regulation proposal for digital products in Europe; details of both can also be found online.
The CNX Software blog has a nice summary article which explains the highlights of the specific requirements:
IoT Device Security Specification 1.0 at a glance:
- Unified Security Standard – Integrates the major cybersecurity baselines from the United States, Singapore, and Europe into one comprehensive framework.
- Product Security Verified Mark – A new certification mark that indicates compliance with the IoT Device Security Specification, designed to enhance consumer trust and product marketability.
- No Hardcoded Default Passwords – Ensures all IoT devices utilize unique authentication credentials out of the box, improving initial security.
- Unique Identity for Each Device – Assigns a distinct identity to every device, crucial for traceability and secure management.
- Secure Data Storage – Mandates that all sensitive information on devices be stored securely to prevent unauthorized access.
- Secure Communications – Requires encryption and other security measures to transfer security-sensitive information.
- Regular Secure Software Updates – Devices must support secure update mechanisms throughout their supported life to defend against emerging threats.
- Vulnerability Management – Includes a rigorous development process that ensures vulnerability handling and patching.
- Public Security Documentation – Requires manufacturers to provide clear, accessible documentation about the device’s security features and support period.
- Wide Industry Collaboration – Nearly 200 member companies including tech giants like Amazon, Google, and Infineon Technologies AG, contribute to the framework, ensuring a broad adoption and relevance across various sectors.
- Broad Application Spectrum – Applicable to a wide array of smart devices, from residential IoT products like lighting and cameras to more complex systems.
- Streamlined Certification Process – By consolidating various international requirements, the certification process is simplified, enabling manufacturers to achieve compliance for multiple regions simultaneously.
Manufacturers meeting the IoT DSS standards will receive a CSA-verified mark and a link detailing the device’s security measures. Currently, the IoT DSS standard combines key IoT requirements from the U.S., Singapore, and Europe, with plans to integrate future global security updates.