WCRC Director Paul Peters recently met with Martin Duffy, from IASME (Information Assurance for Small and Medium Enterprises), which is committed to helping businesses improve their cyber security, risk management and good governance through an effective and accessible range of certifications. Martin manages an IoT Cyber Security Certification Scheme on behalf of IASME, for internet-connect product.

Read Paul’s Q&A session with Martin where he got under the skin of what the IoT Cyber Security Certification Scheme is and how it can help businesses.

Paul: Martin, you work for The IASME Consortium – could you tell me a little bit about IASME please?

Martin: IASME offers a range of effective and accessible certifications, principally in cyber security to businesses in the UK and beyond. We work alongside a network of over 280 certification bodies.

We have a range of schemes now, and one such is the IASME IoT Cyber Scheme, which is a certification scheme for Internet of Things (IoT) products.

Paul: Ah, so it’s a certification on the product, not on the business, OK! Can you tell me a bit more about the Internet of Things?

Martin: The Internet of Things could be considered the third wave of the internet. Some of us are old enough to remember a world before the internet. When the internet was invented, it existed only on desktop computers. Hence, the first wave: The internet of the computer.

The second wave was the Internet of the Mobile Device, when mobile phones and then later tablets went online through the Global System Mobile for Communication (GSM) connectivity. And now we have the third wave, The Internet of Things consisting of the network of physical objects—a.k.a. "things” such as internet-connected alarms, meters, energy monitors, smart fridges and fish tanks.

Paul: Internet-connected fish tanks? Can you explain more about this please?

Martin: Indeed – there was a famous case a few years ago of a casino which got hacked through an internet-connected thermostat in a fish tank which resulted in exfiltration of customers’ data, although there was network segregation in the business. Because the thermostat (the IoT device) was on the network, the hackers were able to use this as a springboard to access other parts of the network.

Paul: Do you have any other examples more relevant to Welsh businesses?

Martin: A smart fridge or smart coffeepot on your premises could act as the perfect site for the initial attack, because unlike an Amazon Echo for example, the companies manufacturing such appliances often do not possess years of experience developing complex code with layers of privacy protection technology. These systems operate as appliances first, providing digital technology and security second. Such devices generally possess "minimal" security functionality and can be considered as potentially rogue technology.

Today, there exists little legislation to enforce strong security on IoT products on the market …. But it’s coming!

Paul: Can you give the UK as an example? What is the status today?

Martin: In the UK, the ‘Product Security and Telecommunications Infrastructure (PSTI) Bill’ will mandate that device manufacturers guarantee that their products meet minimum security standards. The bill introduces duties on businesses to investigate and take action in circumstances of non-compliance. Similar legislation is imminent across Europe and indeed around the world. It is proceeding through the House of Lords currently and is expected to be brought into law in early 2023.

The requirements are a subset of the ETSI EN 303645 standard. By attaining the IASME IoT Cyber certification, the manufacturer/reseller is certifying that it is compliant with the legislation.

Paul: Coming back to the IASME IoT certification, what is the final word on why Welsh businesses be interested in this certification?”

Martin: Well, if you are a manufacturer, a reseller or a distributor of IoT devices, you are going to have to abide by the imminent legislation – and the certification will confirm that.

If you are a user of IoT devices in your business, then be conscious of the security (or lack thereof) of the “things” on your business network. One way of gauging this is looking for a valid reputable certification of the product, aligned with legislation and with a worldwide standard in IoT product security.

For businesses requiring support on how to handle an IoT security breach, then contact IASME at info@iasme.co.uk. You can also get in touch with the WCRC for guidance on how to stop a breach.

For more information regarding the IoT Cyber Security Certification Scheme head to the IASME website.