UL’s IoT security rating helps demonstrate product security to the marketplace

May 25th, 2020

The number of individual smart devices is increasing every year, with the global smart home market forecast to grow to $53.45 billion by 2022, according to the research firm Statista. With growth, however, comes growing pains, as the Federal Bureau of Investigation (FBI) warned on Dec. 3, 2019. Their news alert listed a host of devices—all connected by the Internet of Things (IoT)—that needed a digital defense.

The guidelines issued by the FBI were a much-needed reminder to consumers about the things they should do when bringing IoT devices into their home. Changing the default password, securing home networks and regularly updating the software of a connected device is helpful advice for us all—security, after all, starts at home, right?

Laurens van Oijen, solution leader, UL cybersecurity assurance, would probably disagree with this statement, however. IoT security starts at the design of the device, meaning that cybersecurity measures should be “baked” into the product and the IoT ecosystem it connects to. But, for many manufacturers, security is often given a lower priority than other value propositions, such as functionality, cost efficiencies and quicker time to market.

Other manufacturers may think they’re doing enough to protect the integrity of the device and its connected ecosystem, but they likely aren’t going through every step needed to verify the reliability of the security measures they have built into the product.

“The challenge with security for IoT products isn’t a technology problem,” van Oijen said. “It’s a commercial problem … to build security into connected products takes time, and it takes money. Previously there was no way to get a return on such investments and to convey the product’s security capabilities to the marketplace and end customers.”

A path forward

To help manufacturers overcome that commercial challenge, UL developed the IoT Security Rating, a security verification and labeling solution for IoT products that categorizes products according to an ascending five-level scale: Bronze, Silver, Gold, Platinum and Diamond. Verified products receive a differentiated UL Verified Mark security label—specifying the achieved security level—and are evaluated on an ongoing basis by UL.

UL’s solution helps manufacturers and developers demonstrate the security due diligence of their products by leveraging proven best practices for security and rating the security posture of IoT products. UL’s IoT Security Rating also helps demonstrate security compliance for meeting the threshold of reasonable security features, as required of manufacturers in the first legally binding regulations for consumer IoT in the California and Oregon Cybersecurity Bills that went into effect January 2020.

UL’s IoT Security Rating was developed based on the security framework UL MCV 1376, Methodology for Marketing Claim Verification: Security Capabilities Verified to Level Bronze/Silver/Gold/Platinum/Diamond, which outlines the specific requirements and testing methodologies for each rating level and includes baseline security capabilities that are aligned with global industry frameworks and best practices.

“The UL MCV 1376 security framework is publicly available and it’s downloadable for free; anybody can access it,” van Oijen said. “This framework gives manufacturers guidance for what types of security capabilities they should consider building into their products. And the IoT Security Rating provides a way to assess and demonstrate to regulators, retailers and end customers their product’s security posture, as well as differentiate their IoT products from other nonverified or lower-rated IoT devices.”

IoT defined

IoT can be defined as referring to any collection of functions that includes at least one physical component that can be connected to over a wired or wireless network, plus all the components of that collection: the physical components, the software inside its various computing elements and any software residing in a mobile app or in the cloud, for instance.

Security is therefore included in the products that one may not typically associate with security risk, things like Bluetooth speakers, earbuds, headphones or door locks, for example.

The role of accessibility in IoT security

Van Oijen pointed out that not every device needs the highest level of security, while some manufacturers may just now be adding IoT capabilities to their connected product roadmap. For these manufacturers, it’s a crawl, walk, run scenario. 

However, when choosing which level of security is needed for your IoT product, the decision comes down to two things: opportunity and value. Ask yourself: how easily can the system be accessed, and how much value can be gained from such access?

Source: Determining security assurance levels for your IoT products whitepaper

Storage, processing power, output and data bandwidth, network functions and the location of a device should be considered when determining the security measures needed for a device.

Having a tiered system allows the manufacturer to appropriately demonstrate the security capabilities for their products. The different levels of the IoT Security Rating also empower consumers to choose which level of security they’re most comfortable with and what they’re willing to pay when considering the security of a device.

“From a consumer purchase decision standpoint, it’s like an airline flight,” said Michael Jensen, UL global marketing lead, Cybersecurity. “Do I want to fly first class, business class, upgraded economy or do I fly coach? The IoT Security Rating empowers consumers to make conscious purchase decisions based on the level of security in their connected products.”

Manufacturers on board

One of the many big announcements to come out of CES 2020 was that GE Appliances would become the world’s first household appliance brand to test its connected products against UL’s IoT Security Rating assessment. And, in another first, GE Appliances recently achieved a Gold level IoT Security Rating for GE Appliances Powered by SmartHQ across brands, including GE™, GE Profile™, Café™, Monogram™ and Haier™.

Connected products on the GE Appliances SmartHQ IoT security platform were tested to help demonstrate the baseline security capabilities and protection of consumer data collected at the appliance level and for the data transmitted from the appliance to the GE Appliances mobile app and its cloud systems.

“GE Appliances made a significant commitment to demonstrating the security built into their connected products,” Jensen said. “It’s across a large number of SKUs in their product lines within GE Appliances’ house of brands.”

“This includes cooking products, microwaves, dishwashers, washers, dryers, refrigeration products, air conditioners, water heaters, water softeners and SmartHQ connectivity modules that a consumer can purchase separately to make a GE Appliances product connected.”

GE Appliances – Gold UL IoT Security Rating

It’s all in the value proposition

Jensen pointed out that the IoT Security Rating is a great proof point for manufacturers to demonstrate the cybersecurity capabilities of their connected products. And it’s one that more and more consumers are starting to expect when purchasing IoT devices, as discovered by a CIGI-IPSOS Global Survey in 2019. Consumers are willing to pay a nearly 30% premium for secure products.

Which is why Jensen is so bullish about UL’s IoT Security Rating.

“No matter where you are as an organization with your product cybersecurity maturity or your connected product roadmap, UL’s IoT Security Rating can help you demonstrate the security level of your connected products and help differentiate them in the marketplace.”