The British Standards Institution (BSI) has launched a new kitemark for internet of things (IoT) devices in the hope of helping consumers make more informed decisions about which devices and services can be trusted.
The launch comes two months after the government proposed the introduction of just such a scheme in a wide-ranging review of IoT security conducted by the National Cyber Security Centre (NCSC).
In its Security by Design report, the government laid out plans to make industry embed security in the design process, rather than including it as an afterthought, and to establish a code of practice to improve the security of consumer IoT devices and services.
Currently, each household in the UK is thought to own around 10 internet-connected devices, with this number set to grow over the coming years, while the volume of attacks exploiting flaws in IoT devices is rapidly increasing.
“Connected devices can bring huge benefits to consumers, but as they become ever more commonplace it’s imperative that both their function and their security is up to scratch,” said David Mudd, BSI IoT business development director.
“The new BSI kitemark for IoT devices will provide consumers with a quick and easy way of identifying which products they can trust to not only perform as expected, but also keep their data secure.”
The BSI will issue three types of kitemark: one for devices intended for residential use, one for devices intended for commercial use, and a third, enhanced type for high-value or high-risk applications across both settings.
Prior to being awarded the kitemark, device manufacturers will be assessed against the ISO 9001 standard, and their products will have to pass an assessment of both functionality and interoperability, alongside rigorous penetration testing to scan for vulnerabilities.
The kitemark also builds on the guidelines proposed in the government’s March review by incorporating ongoing independent audits and assessments of devices, including regular penetration testing, to determine that they are functioning and communicating as they should.
The BSI added that it would not hesitate to revoke the kitemark should security levels and product quality not come up to scratch.
The BSI said a number of products are already moving through the accreditation process, with the first compliant devices set to hit the market during the summer of 2018.