TÜV Rheinland specializes in product safety, regulatory RF & EMC compliance and cybersecurity for IoT and connected devices, delivering both customized security assessments and support in meeting regulatory requirements. As regulatory demands become as crucial as radio approvals, our goal is to help manufacturers ensure their products are secure and compliant with international standards. We provide critical security services for manufacturers and developers, ensuring that connected products are not only compliant with evolving international standards but are also equipped with robust defenses against cyber threats.
Regulatory Compliance for Connected Products and Product Security
At TÜV Rheinland, we recognize that regulatory landscapes for connected products are continuously evolving and still under preparation in many areas. Our proactive and grounded approach is designed not only to guide customers through current requirements but also to anticipate future mandates, while aligning the security level with the intended use of the connected device. We provide insights into what is necessary today, what will likely become obligatory, and how to leverage these standards to stand out in the market. By partnering with us, you can ensure your products are not just compliant, but also superior to the competition, offering enhanced security and value to your customers. Our comprehensive compliance services extend across various international standards and certifications, positioning your products at the forefront of safety, security, quality, and performance.
1. UK PSTI Compliance for Consumer Connectable Products
Introduction to PSTI Act: The UK's Product Security and Telecommunications Infrastructure (PSTI) Act, effective from April 29, 2024, introduces a groundbreaking change in cybersecurity for consumer connectable products. TÜV Rheinland is prepared to help manufacturers navigate this new regulatory landscape, ensuring compliance with one of the first mandatory cybersecurity and product security standards.
Overview of the PSTI Act:
- The PSTI Act, overseen by the UK's Department for Science, Innovation and Technology, aims to bolster the security of a wide range of consumer connectable products.
- This legislation is critical in the context of the increasing reliance on such devices in everyday life.
Products in Scope:
- The Act applies to internet-connectable products that can connect directly to the internet, as well as network-connectable products meeting specific conditions related to TCP/IP connectivity or the ability to connect to multiple products at once.
Compliance Mechanism:
- Manufacturers are required to assert compliance with the PSTI Act through a statement or summary, confirming adherence to the necessary security standards.
- The Act acknowledges the role of third-party testing and certification in verifying compliance, a service that TÜV Rheinland is equipped to provide.
Key Requirements of the PSTI Act:
1. Default Passwords: Products must not have universal default passwords.
2. Security Update Mechanism: Products should be capable of receiving timely security updates.
3. Incident Reporting Procedures: Effective reporting channels for cybersecurity threats are essential.
TÜV Rheinland’s Support:
- TÜV Rheinland offers comprehensive testing and certification services to ensure PSTI compliance.
- Our expertise in ETSI EN 303 645 positions us to provide thorough assessments, covering all necessary PSTI requirements.
For manufacturers looking to enter or maintain their presence in the UK market, partnering with TÜV Rheinland offers a seamless path to compliance with the PSTI Act. Our services ensure your products meet these essential security standards, paving the way for safer and more secure consumer connectable products.
2. RED Article 3.3, ETSI EN 303 645 / EN 18031 and the Evolving Landscape of Cybersecurity Standards:
The Radio Equipment Directive (RED) Article 3.3 is one of the first regulatory requirements in the European Union addressing cybersecurity for radio equipment. This directive, part of the broader RED 2014/53/EU, sets essential requirements for safety, health, EMC, and now, cybersecurity. Effective from February 2022 and becoming mandatory by August 1, 2025, it covers a wide array of products capable of internet communication, including mobile phones, laptops, and wearable devices.
Historically, ETSI EN 303 645 has been the go-to industry standard for IoT consumer products, focusing on aspects like personal data protection and secure communication. However, the landscape is evolving with the preparation of the harmonized standard EN 18031 by CENELEC (currently in draft status). Once in effect, EN 18031 will provide common security requirements across various types of radio equipment, further solidifying the regulatory framework in the EU.
Key Aspects of Article 3.3:
- Article 3.3(d): Enhances network protection by requiring devices to have features that prevent harm to communication networks and avoid disrupting the functionality of websites or services.
- Article 3.3(e): Strengthens the protection of personal data and privacy. This includes measures to prevent unauthorized access or transmission of consumers' personal data.
- Article 3.3(f): Aims to reduce the risk of fraud, mandating features like improved user authentication controls to minimize fraudulent electronic payments and monetary transfers.
Scope of the Regulation:
The regulation applies to devices capable of communicating over the internet, either directly or through other equipment. This includes devices that may handle sensitive data, including personal data, traffic data and location data.
Examples of in-scope products include:
- Mobile phones, tablets, and laptops.
- Wireless toys and children’s safety equipment, like baby monitors.
- Wearable devices, such as smartwatches and fitness trackers.
Testing Requirements:
- Manufacturers must conduct tests focusing on network security, data protection, and the integrity of communication protocols.
- Devices should be evaluated for their resilience against unauthorized access and potential fraud scenarios.
Outlook to the Cyber Resilience Act:
- The forthcoming Cyber Resilience Act aims to strengthen cybersecurity across the EU for digital products, creating a comprehensive framework that will cover products throughout their lifecycle. This includes hardware and software products, emphasizing security-by-design and vulnerability management and reporting.
TÜV Rheinland supports manufacturers in navigating these evolving standards, from current compliance with RED and ETSI EN 303 645 to future readiness for EN 18031 and the Cyber Resilience Act, ensuring products meet the highest standards of cybersecurity.
3. TEC Cybersecurity Requirements for Telecom Products in India - TÜV Rheinland Service Offering:
Introduction to TEC and Cybersecurity Requirements: The Telecommunication Engineering Center (TEC) in India has implemented essential cybersecurity requirements for telecommunications equipment. This development is pivotal for securing communication technologies in the Indian market. TÜV Rheinland provides expert services to help manufacturers meet these evolving standards and ensure market access in India.
Overview of TEC Cybersecurity Requirements:
- Under the Communication Security Certification Scheme, the Department of Telecommunications mandates cybersecurity standards for telecom equipment.
- Our services are designed to ensure compliance with these requirements, which are crucial for market entry in India.
- Currently, the TEC certification includes products like IP routers, Mobility Management Entity (MME), cryptographic controls, and Wi-Fi CPEs. Future additions may include mobile devices and more.
- Emphasis is on software testing and certification, with retesting and recertification required for major software updates affecting security.
TEC Certification Process:
- TÜV Rheinland guides manufacturers through the TEC certification process, which involves testing at TEC-approved labs in India.
- We offer assistance with software change registration, obtaining temporary certificates, and transitioning to full certification.
- Keeping up with the TEC's expanding certification catalog, we ensure your products meet current and upcoming standards.
With TÜV Rheinland’s support, manufacturers can confidently navigate India's telecommunications regulatory environment, ensuring their products are compliant and competitive in this rapidly evolving sector.
4. FCC Cyber Trust Mark and NIST Standard:
While the FCC Cyber Trust Mark is currently voluntary, its alignment with NIST standards indicates a move towards more structured cybersecurity measures in the IoT industry, similar to the European Union. However, there is no indication at this time (Q1 2024) that the FCC will make this a mandatory requirement in the future. The program’s development and potential future changes will be important for manufacturers to monitor, as they could significantly impact the IoT marketplace.
FCC Cyber Trust Mark:
- The FCC's U.S. Cyber Trust Mark, proposed in July 2023, is a voluntary cybersecurity labeling program for IoT or smart devices, with the aim to launch in late 2024.
- This program, similar to the Energy Star label, will provide clear information about the cybersecurity of internet-connected devices, helping consumers make informed purchasing decisions.
- The label will be binary and layered, indicating whether IoT devices meet specific cybersecurity standards, with the option for consumers to access more detailed information via QR codes or URLs.
- The cybersecurity standards for the U.S. Cyber Trust Mark will be based on criteria developed by NIST, offering flexibility for IoT manufacturers to meet these criteria through various cybersecurity outcomes like product configuration, interface access control, software updates, and documentation.
- There are still unanswered questions regarding the program’s administration, enforcement, and the roles of entities known as CyberLABs, who will be responsible for assessing compliance.
NIST Standards:
- The NIST Cybersecurity for IoT Program aims to foster trust and innovation in IoT globally through standards, guidance, and tools.
- NIST IR 8425, "Profile of the IoT Core Baseline for Consumer Products," identifies essential cybersecurity capabilities needed in the consumer IoT sector, focusing on home or personal use products.
This consumer profile was developed as part of NIST’s response to Executive Order 14028 and aims to apply cybersecurity outcomes to the entire IoT product, covering aspects such as data protection and secure communication protocols.
5. IEC 62443 Standards for Industrial Communication Networks
Overview of IEC 62443 Standards: IEC 62443 is a series of international standards focused on cybersecurity for industrial communication networks and system security. It comprises four main parts, each addressing different aspects of industrial automation and control systems (IACS) security.
Component and Product-Related Standards:
- Part 4-1: Secure Product Development Lifecycle Requirements: This section outlines secure development processes for IACS products. It covers areas such as development management, security requirement definition, security solution design, secure development, testing of security features, vulnerability handling, and the creation and publication of updates.
- Part 4-2: Technical Security Requirements for IACS Components: This part defines technical requirements and common component security constraints (CCSC) for IACS components. It includes standards for considering general security characteristics, compensating countermeasures at the system level, applying the 'Least Privilege' principle, and ensuring compliance with secure development processes outlined in Part 4-1.
TÜV Rheinland’s Expertise: TÜV Rheinland offers comprehensive services to ensure manufacturers comply with the IEC 62443 standards, particularly focusing on the component and product-related requirements. We assist in implementing secure product development processes and ensuring that IACS components meet the stringent technical security requirements and constraints specified in the standards. Our expertise ensures that your products are not only compliant but also resilient against emerging cybersecurity threats in the industrial sector.
6. CSA Connectivity Standards Alliance and PSWG
Introduction to CSA and PSWG: The Connectivity Standards Alliance (CSA) is an industry alliance with over 600 members, focused on simplifying compliance for manufacturers in the realm of IoT security. Its Product Security Working Group (PSWG) plays a pivotal role in this mission by developing a product security certification program.
Key Aspects of the PSWG:
- The PSWG’s certification program is designed to align with various global regulations, including standards set by ETSI EN and NIST, streamlining compliance processes for manufacturers.
- This program establishes a verified self-declaration scheme, allowing manufacturers to confidently assert their products' compliance with security best practices and technical capabilities.
- The certification standard set by the PSWG ensures that IoT devices meet a baseline security threshold, fostering consumer trust and confidence in these products.
TÜV Rheinland’s Expertise: TÜV Rheinland offers specialized services to assist manufacturers in meeting the standards and certification processes laid out by the PSWG under the CSA. Our support encompasses:
- Guiding manufacturers through the verified self-declaration process with our PSWG Authorized Test Laboratories.
- Ensuring that products comply with the comprehensive security standards, covering aspects from various global regulations.
- Providing an end-to-end solution that not only meets the CSA and PSWG requirements but also ensures a broader compliance with international standards.
By partnering with TÜV Rheinland, manufacturers can navigate the complex landscape of IoT security with ease, ensuring their products are compliant, secure, and trusted in the global market.
7. Customized Penetration Testing and Security Assessment Services at TÜV Rheinland:
TÜV Rheinland specializes in identifying and addressing security vulnerabilities across a wide range of systems and infrastructures. Our penetration testing services focus on ensuring the safety and integrity of connected devices, systems, and management structures.
Key Features of Our Services:
- Tailored Testing: We conduct in-depth analysis specific to your product's software and hardware, ensuring a thorough evaluation of potential vulnerabilities.
- System-Wide Evaluations: Our comprehensive approach extends to entire systems, including network interfaces and communication protocols, for a holistic security assessment. Discover our full range of evaluations at our OT Security page.
- Cyber Attack Simulations: By simulating real-world cyber threats, we assess the resilience of both individual products and their supporting systems. Detailed insights can be found in our Cybersecurity Service Portfolio.
- Detailed Reporting and Mitigation Strategies: Following each assessment, we provide a comprehensive vulnerability report and actionable recommendations for security enhancements as well as for functional safety.
Automotive Cybersecurity:
For detailed information on our services, including IT safety, industrial automation, and technical inspection, explore our Automotive Cybersecurity solutions and other specialized services.