The U.S. federal government has announced plans to introduce a U.S. Cyber Trust Mark to enable consumers to easily assess product security and therefore make more informed decisions when purchasing IoT products. Retailers and major device makers joined the announcement from the White House, declaring their support and commitment to the program.
This initiative joins worldwide efforts to introduce product security regulations and labelling schemes, each aimed at increasing consumer confidence in IoT products and establishing a common baseline for product security.
Nordic Semiconductor is committed to providing hardware, software and services to empower all developers to build secure connected products. In partnership with the Connectivity Standards Alliance Product Security certification program, Nordic has committed to providing hardware and software to enable the development of products which can be certified as meeting product security requirements.
As an active member of the Connectivity Standards Alliance, Nordic is contributing towards the development of a new global product security certification program which aims to harmonize global product security requirements. The Alliance’s product security certification program should enable product manufacturers to demonstrate compliance in different markets with a single certification, for example, by covering the U.S. Cyber Trust Mark requirements.
The Connectivity Standards Alliance brings together over 620 technology companies to collaborate on standards which enable scalable and interoperable IoT solutions. Nordic was a significant contributor to the development of the Matter specification and software development kit (SDK) within the CSA. The company extends its commitment and collaboration to support the development of the product security certification program to improve the experience for product manufacturers.
The Connectivity Standards Alliance’s collaborative approach encourages industry feedback on proposed and developing government regulation. This aims to reduce the differences in requirements between countries. The initial focus of the CSA Product Security Certification program is on Consumer IoT products in the Smart Home, and it addresses the requirements from ETSI EN 303 645, NIST IR 8425 and the Singapore Cybersecurity Labelling scheme.
Combined, these standards cover the requirements for most major markets as they are known to be influential in the development of regulations for other areas. Future iterations of the certification program are expected to align with standards and regulations which are still under development.
Governments around the world are in the process of developing product security regulations and labelling schemes. In Europe, the European Union (EU) has passed an enhancement to the existing Radio Equipment Directive to include a new delegated act addressing cybersecurity requirements for wireless devices. The final requirements are still in development but are expected to align closely with ETSI EN 303 645. The U.K. Product Security Telecommunications Infrastructure (PSTI) Act, which is due to come into force in April 2024, is independent yet heavily influenced by this ETSI standard. In contrast, some markets are further ahead; for example, Finland and Singapore have established product security certification and labelling schemes.
These are just a few examples of regions which are today taking similar steps to improve the security of products sold in their regions, but which could benefit from a unified global certification for product security to ease the journey for product manufacturers.
Product security requirements help to ensure trust in IoT products. Gaining such trust from consumers is an important step to enable wider adoption of IoT technologies, in the smart home, workplace, and for personal health and wellbeing.
In the past, it has been left to product manufacturers to decide on the appropriate level of security for their product. This is very different to product safety requirements, where extensive specifications—covering electrical, mechanical and functional safety—have been in place for a long time to protect customers from physical harm.
The foundation of security for any connected product is its Root of Trust. To demonstrate the robustness of Nordic’s solutions and reduce customer certification requirements, we undertake PSA Certification of Silicon and Root of Trust. PSA Certifications have been achieved for the nRF52840 and nRF5340 SoCs, and the nRF9160 SiP.
The recently announced nRF54H20 is designed from the ground up to meet the requirements of PSA Certified Level 3, the highest level of PSA Silicon and Root of Trust certification, with built-in physical security features for robustness against side-channel and tamper attacks.
Every manufacturer of a connected product has a responsibility to ensure it is secure not just for the safety of that device but for the safety of all. Global initiatives to establish regulation, certification and labelling schemes are encouraging them to do exactly that.