A small Australian group says it has developed a scheme to validate the security of millions of internet connected devices, promising much needed confidence in the hardware long seen as a major security risk.
Melbourne-based Enex Testlab began life as a research lab at RMIT before commercialising as an independent company in 2007, initially testing UK critical infrastructure and government electronic security assurance.
The work quickly expanded over the next decade, says Enex Testlab managing director Matt Tett, with the lab moving into cybersecurity standards, hardware, performance, and security testing, as governments and businesses looked to verify vendors’ security claims.
“You name it, we break it, and write reports,” he tells InnovationAus.com.
Enex Testlab shifted its focus to IoT cybersecurity assurance around 2017 and began developing an Internet of Things (IoT) labelling scheme.
The scheme is designed to scale to a global level, including harmonising the various approaches across jurisdictions, in a federated model where various stakeholders can fill each role in different markets.
IP for the scheme was transferred to new venture Trust Mark, which has completed a pilot program while awaiting final certification trademarks. Trust Mark is now seeking expressions of interest from vendors interested in putting their devices through the tests in the next phase of the scheme.
Mr Tett says Trust Mark will turn the security, safety and privacy of IoT from a risk into a selling point.
“End users are beginning to start asking the questions of their technology vendors: what do you do for my security? What do you do from a safety point of view and from a privacy point of view?
“So what we’re trying to do with Trust Mark is provide an independent benchmark or baseline of what is security good practice – there’s never any best practice when it comes to security – and validate that independently for the vendors.”
Mr Tett said IoT vendors often rely on either their own non-validated claims, or they point to standards that can vary across jurisdiction and may mean little to individual buyers.
“Consumers, when you’re talking about [IoT], can be anything from a critical national infrastructure provider or a government client, all the way through to a mum and dad that’s buying a kettle that they’re about to connect to the internet.”
The Trust Mark scheme can be applied to all such devices, but will likely start with critical infrastructure and government tenders, possibly as a prerequisite, Mr Tett said, eventually trickling down to consumer products as a “selling point” in retail stores.
As for keeping pace with the fast-moving technology and the threats that follow, Mr Tett said Trust Mark uses “live labels” and a stoplight system so users can always check on the status of a certification.
“You can be secure today, but the minute the tests are finished, there’ll be a known vulnerability that’s released tomorrow publicly. Then your product isn’t secure until you’ve patched it, or you’ve updated it, or you’ve addressed that.”
The Trust Mark comes with a QR code in the centre so users know it has passed the initial tests but can also scan to check the current status through a traffic light system.
Green means still certified – nothing to worry about. Amber means suspended – nothing to necessarily panic about but good to know. Red means expired or revoked. The Trust Mark is revoked when there is a vulnerability that can’t be repaired, meaning the product should be pulled off the shelf.
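The traffic-light lifecycle described above, as an added illustration that is not Trust Mark's or Enex Testlab's code: a constructed model in which a public vulnerability disclosure suspends a label (amber), a patch restores it (green), and an unrepairable vulnerability or an expired certification period turns it red. The status URL form and all identifiers are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Light(Enum):
    GREEN = "certified"
    AMBER = "suspended"
    RED = "expired or revoked"


@dataclass
class LiveLabel:
    """Constructed model of a 'live' certification label (illustrative only)."""
    label_id: str
    certified_on: date
    expires_on: date
    open_vulns: set = field(default_factory=set)  # disclosed but not yet patched
    revoked: bool = False

    def vulnerability_disclosed(self, vuln_id: str, repairable: bool = True) -> None:
        # A public disclosure suspends the label; one that cannot be repaired revokes it.
        if repairable:
            self.open_vulns.add(vuln_id)
        else:
            self.revoked = True

    def patched(self, vuln_id: str) -> None:
        # The vendor has addressed the issue, so it no longer counts against the label.
        self.open_vulns.discard(vuln_id)

    def status_at(self, today: date) -> Light:
        # Revocation is permanent; expiry is checked before any open issues.
        if self.revoked or today > self.expires_on:
            return Light.RED
        if self.open_vulns:
            return Light.AMBER
        return Light.GREEN

    def qr_payload(self) -> str:
        # Assumed form of the URL a printed QR code would carry.
        return f"https://status.example/check/{self.label_id}"


def check_qr(registry: dict, payload: str, today: date) -> Light:
    """Resolve a scanned QR payload to the label's current light (constructed lookup)."""
    label_id = payload.rsplit("/", 1)[-1]
    return registry[label_id].status_at(today)
```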
“Potentially, it’s a liability for the vendors,” Mr Tett said. “But you’d like to think that they are proactive enough to make sure that they have mechanisms in their products to always be able to keep them secure.”
Trust Mark is much more than a label though, Mr Tett insists.
To get the label requires an integrated scheme with a host country organisation, an accredited testing facility and decision authority, which would all differ depending on the jurisdiction in a full scheme.
Currently, between Enex Testlab and Trust Mark, the two organisations can cover the entire range of testing and accreditation functions, but the goal is to have other labs and decision-making authorities join a federated and truly global scheme.
The Australian company would retain the IP in the potentially massive scheme.
Costs and testing times are reasonable and capped — no more than 30 days at US$1,000 per day, plus any relevant local taxes — in a bid not to act as a final hurdle to launch. It is anticipated that most products will go through the process in less than two weeks.
Vendors that fail won’t be named and shamed, with only those that pass published. But Mr Tett knows there is still a negative perception of independent testers to overcome. He remains confident vendors will come around.
“It happens a lot in our industry where people realise we’re not actually the bad guy, even though we are independent. We’re not there to beat them up with a big stick. So, to get the word out about that we are seeking proactive, leading vendors.”
Trust Mark is currently seeking expressions of interest for testing.
Do you know more? Contact James Riley via Email.