IoT Cyber Scheme

Who is it for?

The Internet of Things (IoT) refers to any device you have that connects to the internet
– examples include devices such as virtual assistants, smart energy meters, connected appliances e.g., fridge or washing machine, fall detectors, baby monitors, building sensors,
electric vehicle charging stations and intruder alarm systems.

It is estimated that adult only households have approximately 10 IoT devices,
whereas households with children have approximately 15 IoT devices. So, as you can
imagine, it is imperative that these devices are protected from cyber security risks.

An attacker may be able to exploit vulnerabilities within your IoT devices to gain access to your network, allowing them to access sensitive data including personal information, bank details, and user credentials visible within your network.

Alternatively, an attacker may be able to target an IoT device directly, for example, manipulating an electric vehicle charging station to consume large amounts of energy, impacting required costs for electricity and operating costs, or alternatively compromising digital signage devices to display undesirable content as a form of defamation for a brand.

The UK is the second largest manufacturer of IoT devices in the world, so the resulting
concern, as more and more people trust poorly secured devices with their personal data,
prompted the implementation of a scheme to ensure manufacturers comply with the globally recognised standard for IoT – ETSI EN 303 654

How can we help?

Secarma are an IASME Accredited Certification body that can certify that a device is compliant with current legislation. Contact us today to get a quote and understand how to ensure your device is:

• Compliant with current UK Legislation (Product Security and Telecommunication Infrastructure Act 2022 (PSTI2022)
• Defended against enforcement action regarding the above legislation. (Product recall is a potential outcome)
• To reassure potential buyers of the device that their data is secure
• To stand out in a competitive market
• To allow sale of devices into regulated industries.

Unlike Cyber Essentials which is applicable to the whole business, each individual device
requires its own certification.

The IASME IoT Cyber Scheme certification must be renewed annually.

What we test

By certifying against the IASME IoT Cyber Schemes, your organisation is showing firstly,
that your device is compliant with UK and European Law and secondly, that you are taking
appropriate measures to mitigate potential cyber security risks to enhance the protection of your customer data.

IASME IoT Cyber Assurance Scheme:

• Certifies against all 13 ETSI EN 303 654 standards,
• Protects against common vulnerabilities such as weak passwords, legacy software, and insecure communications.

It is worth noting that IoT Assurance Level 2 has been identified by Secured by Design, which is a Police Crime Prevention Initiative, as one of the ways that manufacturers can ensure their products have the highest level of cyber security.

If you want to know more about what your organisation needs, feel free to contact us here
at Secarma on 0161 513 0960 and speak to our Business Development Team who will be happy to support your security needs.

Certification under the IASME IoT scheme lasts for 12 months and there are two IASME Internet of Things Schemes that you as an organisation can certify against – IoT Cyber Baseline and IoT Cyber Assurance.

Within each scheme, there are two levels: level 1 and level 2.
Level 1 consists of a self-assessment which is completed by your organisation as
the applicant, and is then reviewed by one of our qualified assessors here at Secarma as
a certification body,

Level 2 includes a technical audit of the device by an appointed assessor, including
an interview and full review of supporting documentation.

Please Note: Level 1 is a mandatory prerequisite prior to applying for the level 2 certification.

IASME IoT Cyber Baseline Scheme:

• Certifies against the top 3 ETSI EN 303 654 standards,
• Can be used by manufacturers to improve the security of their internet connected
  devices.

The top 3 standards of ETSI EN 303 654 are:

• Ensure no default passwords are used,
• Implement a vulnerability disclosure policy,
• Ensure software is supported and maintained with security updates when available