SESIP’s role in the IoT ecosystem

By Gil Bernabeu, Technical Director, GlobalPlatform.

  • Monday, 7th November 2022 Posted 2 years ago in by Phil Alsop

The number of Internet of Things (IoT) devices available throughout the globe is forecast to be 29 billion by 2030. With technology adoption showing no signs of slowing down – as consumer spending on smarter technology continues to skyrocket – the need for greater efficiency, that is both cost-effective and secure, is clear.

However, while a smarter future is an exciting prospect throughout the globe, the introduction of even more connected devices brings about a brand-new set of challenges.

From interoperability obstacles to an increasing number of standards and regulations to swiftly address, product vendors must be equipped with not only the tools but also the knowledge to work efficiently and cost-effectively when evaluating the security of products.

The statistics evidence the need for additional layers of security too – with many devices still having little to no protection. According to research, only 4% of deployed IoT products have secure measures in place, leaving enterprises and consumers extremely vulnerable to cyberattacks.

While it is no secret that some industries are more susceptible to data breaches than others – for example, healthcare, finance, education and retail, to name a few – threats can apply to any product, of any value, if they do not have robust security in place. And when protection is lacking, any level of cyberattack can create costly damages to not only revenue, but overall brand reputation.

The role of certification bodies in the IoT’s quest for greater security

As technology continues to advance at a rapid rate, the number of attacks does the same – and they are getting more sophisticated by the day. With the variety of device types and limited cybersecurity expertise throughout the consumer landscape, this ultimately leaves a significant challenge to overcome for many. Cyber-crime is reportedly going to cost the global economy $10.5 trillion annually by 2025, so there has never been a more critical time to implement stronger security measures and more robust infrastructure to cope with the growing number of IoT devices.

To support their quest to keep cyberattacks at bay, IoT stakeholders must understand the positive impact that certifications can have on building trust when deploying a product. Certification bodies play a central role by maintaining the quality of security labels and raising the overall levels of security assurance across the ecosystem.

Security laboratories in particular have a never-ending task to maintain their cybersecurity skills so they can perform state of the art evaluation. But the IoT stakeholders are the ones that set requirements and overall schemes objectives that should adequately address product security for their market. In addition, they may select optimised and standardised evaluation methodologies or proprietary ones.

The trusted role of the SESIP methodology

That is where the Security Evaluation Standard for IoT Platforms (SESIP) methodology comes to the fore. Ensuring that IoT device makers and certification bodies can adopt and establish their own IoT device security certification schemes, SESIP presents a flexible and efficient approach that both addresses unique challenges of IoT product development and drives consistency across markets.

Firstly, the SESIP methodology uses a simple and universal language to explain security requirements. Based on an ISO standard created by experts, there has been a conscious effort made to provide product vendors – that are not security experts – with a language that is consistent with their product features and ultimately supports their product improvement needs. Overall, this simple language allows IoT stakeholders to define a security profile that is understood by product vendors.

Secondly, as the demand to keep up with emerging cybersecurity legislation continues at pace, the SESIP methodology allows certification bodies to develop schemes that recognise and reuse the security capabilities of a product’s components, regardless of device type. That means IoT stakeholders can adopt trusted components that have already been evaluated and combine to create a new product with greater efficiency, cost-savings, and security.

Reducing the complexity of certification and addressing interoperability challenges

It is no secret that the IoT market remains fragmented because different industries demand different security measures. Not only that, different countries or regions are defining security, privacy or resilience regulation that request specific security features to be evaluated.

However, the good news for IoT stakeholders is that SESIP addresses such challenges by aligning certification schemes to ensure there are comparable evaluations across the entire IoT ecosystem. By mapping to other standards – from bodies such as ETSI, ISO/IEC and NIST – the methodology provides a common and optimised approach for evaluating the security of connected products across a broad range of regulatory and security frameworks, as well as specific vertical regulations.

As an alternative solution that reduces the complexity of certification, SESIP helps to develop trust among consumers. It also encourages greater adoption of their products or services and addresses interoperability challenges with emerging technology.

Without SESIP, the IoT ecosystem will only become more fragmented because each industry, region – and sometimes country – will continue to define its own security needs using different languages and requirements. And the result? Cybercrime vulnerabilities rise due to discrepancies in policy making and expertise.

Armed with the SESIP methodology, certification bodies have a toolkit that comes complete with efficient and cost-effective security evaluations and accelerates the go-to-market of certified products for vendors. And regardless of industry, collaboration will always be key, therefore if SESIP-certified laboratories, certification bodies and device makers can work together to ensure the methodology is accessible to all – and consistently applied throughout each sector – this can empower product vendors to future-proof their offering and further strengthen security assurances for consumers.