Get started certifying your IoT products
As of 1 August 2024, all smart devices have to meet minimum cyber security requirements. That means manufacturers still have two years to get their products tested and certified. “But don't wait too long,” warns Sabyne van Mourik, Business Development Manager at Kiwa. “We are talking about a huge number of IoT products.”
Consumers have to be able to trust that the products they buy can be used safely. The CE marking on an electrical device indicates that the manufacturer or importer declares that the product complies with all applicable requirements and takes responsibility for this. Requirements for electrical devices include testing for fire safety and electromagnetic compatibility.
Consumers are also looking for that trust when purchasing connected devices, whether it's a smart fridge, doorbell or even a toilet bowl. “However, consumers are disappointed in this,” explains Van Mourik. “For products connected to the Internet of Things, cyber security is simply not yet demonstrably in place or there are no legal requirements at all. And this while the number of security incidents involving smart devices has been increasing rapidly in recent years.”
Certification more relevant than ever
“Certification of internet-connected products is more relevant than ever,” affirms Van Mourik. “Without a certificate, it's left to consumers to assess the cybersecurity of an IoT device, and this is becoming increasingly difficult. Especially when we see how everything is interconnected these days. The complexity of the chain is continuously increasing.”
She gives the example of a smart toilet bowl that tests the faeces of the user to evaluate their health. “This toilet bowl recognises the user and ensures that all test data is automatically saved in an electronic patient file in the cloud. If needed, the family doctor can follow up with the patient.” This concept involves numerous parties, from the suppliers of the toilet bowl, the sensors and the software to the cloud provider that stores the data. It is then difficult for the consumer or purchaser to find out whether all these parties have their technology, processes and people in order, and whether personal data is and remains safe. “A certificate provides transparency and ensures that the toilet bowl complies with minimum security requirements.”
“Meet with a Notified Body as quickly as possible.” – Sabyne van Mourik
The manufacturer of the toilet bowl in this example also has a lot to gain from this transparency. “Traditional manufacturers who are now producing smart products are faced with many new issues. How do you know that the selected software is secure by design? And how do you know that the cloud infrastructure and any data stored here are safe? The complexity of the chain also makes it hard for manufacturers to assess. Certification also provides manufacturers with insight into the cybersecurity of their products.”
Radio Equipment Directive
As of 1 August 2024, internet-connected radio equipment sold in Europe (in practice, virtually every smart device, since they connect via Wi-Fi, Bluetooth or cellular) also has to comply with the cybersecurity requirements of the Radio Equipment Directive (RED), activated by Delegated Regulation (EU) 2022/30 under Article 3(3)(d), (e) and (f). These cover protection of the network, protection of personal data and privacy, and protection against fraud, which translates into concrete requirements on matters such as password use, software updates and the handling of personal data. The manufacturer may not affix the CE marking to IoT products that do not comply, which means these products cannot be placed on the European market.
RED compliance can be demonstrated by testing products against ETSI EN 303 645, the standard that sets out baseline cybersecurity provisions for consumer IoT devices and the procedures for assessing them. “There is no harmonised norm yet for suppliers to confirm that their IoT products comply with security requirements,” explains Van Mourik. As long as there is no harmonised standard whose application gives a presumption of conformity, every product has to be submitted for an independent assessment by a Notified Body, such as Kiwa. This body determines by means of that assessment whether the product meets the requirements. The product is then eligible for certification and may carry the CE mark.
A collaborative process
“Don't wait too long to certify your IoT products,” Van Mourik urges manufacturers. “An enormous number of products will have to be certified. Many manufacturers have up to 150 IoT products in their portfolio. So plan ahead to understand the impact of this new legislation on your portfolio. Make sure you have your risk analysis in order and think about what budgets you will make available for certification.”
“Sit down with a Notified Body as soon as possible,” Sabyne continues. “Look for cooperation, so that we can think together about how certification can be made manageable and determine what the test plan looks like. Make sure, for example, that someone is available to answer questions during the tests. Certification institutes can sometimes be seen as a black box where you send something and then maybe it will yield a result. We want to prove them wrong. We want to ensure, together with the customer, that the certification process is completed as quickly as possible.”
According to Van Mourik, purchasing parties also have a role in accelerating the certification process. “Already now, design your procurement policy in accordance with the RED and consider what requirements you should set for the cybersecurity of the products you purchase. In this way, you create a push towards the market. And why should you wait to procure safe products?”
KPN Security test lab
Kiwa itself has taken steps to speed up the certification process. For example, the certification body offers a 'pre-compliance check'. Van Mourik: “We look at the products, determine which scope is applicable, help draw up a test plan and make a careful assessment of whether a product will pass the test or not. This enables the supplier to make a well-founded decision as to which products should be offered for certification first, and which products first need to be adapted.”
For the actual testing of consumer products, Kiwa has concluded an agreement with cybersecurity provider KPN Security. Under the agreement, KPN Security tests in its test facilities whether IoT products comply with the ETSI EN 303 645 standard and therefore meet a baseline level of cybersecurity. The test facilities are monitored by Kiwa as an independent testing institute, so that quality, independence and impartiality are guaranteed. Kiwa can therefore accept the test results, in combination with the results of additional tests carried out by Kiwa itself, as the basis for issuing a product certificate.
“Short lead times are important for manufacturers. They just want to get a product to market as quickly as possible,” says Van Mourik. “KPN has a state-of-the-art test lab with the capacity required for large-scale testing of IoT products. Within the lab environment of KPN Security, we can help customers quickly.”
Label in development
Kiwa is also developing a label for certified cyber-secure IoT products. “In the run-up to 1 August 2024, you can use this to show that your products have been independently tested by a Notified Body. We will continue to develop that label after this deadline as well, so that the label shows which issues are met in addition to the minimum security requirements,” Van Mourik concludes. “We will develop this in cooperation with market parties, because it must offer added value for them.”
About Sabyne van Mourik
Sabyne van Mourik has more than 20 years of experience in fire safety and security. At Kiwa Nederland she has held the position of manager of the Fire Safety & Security Products business unit, among other roles. Since January 2021, she has been Business Development Manager at Kiwa, responsible for developing the cybersecurity testing and certification services for IoT products.
Cyber Security Perspectives 2022
This article was originally published in KPN Security's "Cyber Security Perspectives 2022" issue (magazine in Dutch).