Should IoT devices carry a security star rating?

By Svein-Egil Nielsen, CTO, Nordic Semiconductor

Until recently the security of connected devices has been something of an afterthought. Things are improving but the industry is still a long way from the level of security that’s trusted by end users as much as, for example, SSL certificates are for websites. A good place to focus improvement would be to address the security issues exploited by the most well-publicized hacks to date.

Some industry initiatives are underway. For example, Arm, an embedded processor vendor whose technology is used in many IoT devices, is leading a cross-industry initiative called Platform Security Architecture (PSA), in partnership with Nordic and others. PSA aims to design security in from the silicon level upwards. It targets four broad sources of insecurity: communications, silicon, product lifecycle, and software (the most common vulnerability of all). A similar model could work for the industry as a whole.

But manufacturers complain it’s expensive and time-consuming to ensure connected products address all security concerns. And the makers say consumers who are comfortable with taking some risk will buy less secure devices if the price is right. But how do consumers know what they’re getting for their money?

Moves are already afoot to answer this question. For example, a U.S. consumer rights organization, Public Knowledge, has urged the country’s government to mandate some kind of cybersecurity rating to denote the protection status of a connected device.

Answer is a Star Rating

“Star” indication works well for energy efficiency ratings (consider Energy Star in the U.S.) and crash safety (for example, Euro NCAP in Europe). It’s also worth considering for communicating the security status of a connected device.

Star ratings are simple to adopt and effective in promoting competition and product improvement. Nobody buys a car with a 1/5 safety rating, which is why car manufacturers don’t build inherently unsafe vehicles. The same would apply to connected devices; IoT device manufacturers would quickly struggle to sell devices that are granted a lowly status. Star ratings also allow consumers to choose to pay more for products with higher ratings if they want peace of mind, or to save money if security is less of a problem to them.

Achieving high ratings won’t be easy though. To get five stars, security must be built in at every stage of the design. Further, a device manufacturer should be able to update or patch any security loopholes that may appear once the device is in the field – that means support for over-the-air firmware updates. Security must also be maintained for the life of the product – just because a smart device ages is no excuse for increased vulnerability.

The future growth of the connected device industry will be hampered until the security question is answered. Part of that answer is a star rating. We need one soon.

This article is republished from Nordic Semiconductor’s Wireless Quarter with permission. www.nordicsemi.com/News/Wireless-Quarter