The CSA's IoT Device Security Specification Promises Better Security, More Transparency

The Connectivity Standards Alliance (CSA), best known for its stewardship of the Matter standard, has announced the release of the Internet of Things (IoT) Device Security Specification 1.0 — with a Product Security Verified Mark for IoT devices passing its requirements.

"The unveiling of the IoT Device Security Specification 1.0, alongside its certification program and the Product Security Verified Mark, signals an important milestone in bolstering IoT security and building confidence with consumers," claims CSA president and chief executive officer Tobin Richardson. "By bringing together diverse international regulations into a cohesive specification, the Product Security Certification Program streamlines the process, reduces redundancy, and provides manufacturers with a singular, respected avenue for certifying their devices globally."

That security is sometimes an afterthought in the rush to get an Internet of Things product to market is no secret: an oft-repeated saw has it that the "S" in "IoT" stands for "Security." The CSA's new specification, then, aims to deliver confidence that an IoT product or service meets a set criteria for security — including unique identities for each device with no hard-coded passwords, a method for storing sensitive data securely, secure software updates through a set support period, and public documentation that must include the length of said support period.

The specification comes through the collaboration of almost 200 CSA member companies, including Amazon, Arm, Google, Infineon, NXP Semiconductors, Schneider Electric, and Silicon Labs, and is claimed by the organization to cover the security requirements of "multiple countries or regions" including the US, Europe, and Singapore in a single evaluation. This should include the US Cyber Trust Mark, announced by the US government back in July and designed to require minimum security standards on a range of "common devices" capable of connecting to the IoT and a smart home network.

Interested parties can request a copy of the specification from the CSA website; the organization has not yet stated when the first marked products are likely to hit store shelves.