Connected Product Security Audit


“Why do I need this service?”

The aim of this service is to provide evidence that you understand and have considered the security needs of your product and that it contains the necessary level of protection against threats.

If you produce or are developing a connected IoT product (for example a “smart” home, industrial, automotive or medical product) and you have not properly evaluated your security then you may be at risk of:

  • Brand damage
  • Legal liability
  • Financial damage
  • Being unable to sell your product into certain countries or regions
  • Being unable to sell your product to buyers with supplier security requirements

Legislation is increasingly being applied to the security and privacy of connected products and getting it wrong could result in significant damage to your company. Although security and privacy are not the same thing, poor security can also result in privacy issues.

Legislation affecting IoT products includes the following, with more, such as the EU Cybersecurity Act and UK IoT security regulation, expected in the near future:

  • The European Medical Device Regulation (MDR) which requires that medical devices are cyber-secure
  • California’s IoT Device Security Act (SB-327) which has to be complied with for products to be sold into California
  • The US Federal Trade Commission Act (FTC Act)
  • The Australian Competition and Consumer Act
  • The Health Products Act (HPA) of Singapore
  • The European General Data Protection Regulation (GDPR) which requires that data is stored, transmitted and handled securely
  • The California Consumer Privacy Act (CCPA)
  • The Australian Privacy Act

Releasing an insecure product into the market at this stage could result in costly modifications or even product recalls. “Retrofitting” security is also considerably more expensive and time-consuming than designing in appropriate security in the first place.

“What will you do?”

Different products require different levels of security - there is no “one size fits all” or simple solution for security. We will analyse your product (including technical design, development, manufacturing and management) and provide feedback on the following:

  • Have you identified the right things to protect?
  • Do you have enough security to protect these?
  • Are there any security gaps?
  • The risks you expose yourself to if your security is not sufficient
  • How you can reduce or avoid these risks
  • If your current protections are compliant with best practice and market regulations
  • If there is any way to safely cost-reduce the security to save money
  • The security level in relation to others in your market segment

The audit will look at the security of your:

  • Device
  • Connectivity and network
  • Cloud interface
  • Manufacturing process
  • Development process
  • Supply chain
  • Sensitive data management and handling processes (including physical security)

As well as:

  • Security issue reporting and tracking
  • Security incident response process
  • Compliance with regulations
  • Privacy implications

It will then provide a score for each area and recommendations for improvement if required.

This process is suitable even if you do not currently have a defined security process or documentation - we can work with you to identify and develop what you need.

For market segments that are not yet subject to regulation, we can additionally assess your security against a recognised security framework such as the IoT Security Compliance Framework.

“How long will it take and how much will it cost?”

Our assessments are fixed price and typically take between 2 and 4 weeks depending on the complexity of the product and how much security expertise you already have. If you provide us with an overview of your product and an indication of the level of security analysis (if any) already performed, then we can provide a fixed price quote.

“Why pick Cerberus?”

We have a number of attributes that we believe give us an advantage over other suppliers:

  • Our background is in embedded electronics and communications and not just IT systems
  • We’ve worked in low-cost, high-volume markets such as consumer, so we’re familiar with the need for pragmatic, low-cost and highly scalable solutions
  • We actively develop security-related hardware and software for our customers so we’re always up to date with the latest technology. We may even have “off the shelf” components to accelerate our work and reduce your costs
  • We work closely with silicon manufacturing companies (often becoming their security partners) and even help many of them to develop their microcontroller and microprocessor chip security
  • We actively perform real-world security testing on products and develop low-cost attack methods and hardware

You can also find out what our customers have to say.

“How do I find out more?”

Please email us at info@cerb-labs.com or contact us.

If you are a manufacturer or operator/automotive OEM and require security auditing of your 3rd party suppliers, then we can develop a custom audit to match your supplier cyber security requirements.