CYBERSECURITY CERTIFICATION - BUREAU VERITAS IoT CYBERSECURITY EVALUATION
Bureau Veritas has developed a referential and certification scheme to help IoT device manufacturers develop products that follow the state of the art in cybersecurity, with a label that consumers can recognize.
To cover the wide range of IoT consumer devices, 3 classes of security requirements have been defined as part of the BV IoT certification scheme, leading to 3 different levels of security and labels.
Bureau Veritas has defined 5 IoT security Levels
These five levels have been developed to answer the market demand to:
- Provide consumers with cybersecurity levels that can be compared
- Address the current and impending regulations, such as the cybersecurity changes to the Radio Equipment Directive in Europe
- State compliance with existing guidelines
Three classes of security requirements have been defined as part of the Bureau Veritas IoT cybersecurity certification scheme
Class 1: Basic Essential
Applies to the following products: • Smart light • Connected appliances • Washing machines • Wearables • Smart speaker • Environment sensors • Smart button
- 5-day evaluation
- Black Box
- Public Documentation
- Vulnerability Scan
Class 2: Basic Advanced
Applies to the following products: • Connected children's toy • Smart home assistants • Smart Camera • Connected Thermostat / Smart Air Quality • Tracker • Smart Navigation System • Smart doorbell • TV Home automation • Fridges
- 10-day evaluation
- Grey Box
- Internal Documentation
- Security Function Testing
Class 3: Substantial Essential
Applies to the following products: • Connected safety-relevant products such as smoke detectors • Door Locks • Connected home automation and alarm systems • Smart Meters / Smart Thermometer • Blood pressure monitor • Drones
- 15-day evaluation
- Grey Box
- Additional and Deeper Evaluation
- Security Function Testing
- Basic Penetration Testing
A total of 15 security categories have been defined, representing the state of the art in cybersecurity.
Cybersecurity Certification Process
- The manufacturer chooses a class of requirements and submits the device to be assessed.
  - Class #1: For IoT products that operate in a non-sensitive environment, in which the common usage is not security oriented. Limited impact if the object is hacked. Connected to a local network only. Limited or no private data.
  - Class #2: For objects that need a first level of security, which operate in a sensitive environment. Serious and visible impact in case of service disruption or significant financial impact. Unauthorized disclosure of information shall be expected to have a serious adverse effect (private or sensitive data). Indirect connection to the web (i.e. connected to the Wi-Fi home box).
  - Class #3: Reserved for products that need a real security assurance (substantial security level). Safety, security or serious financial impact if the object is hacked. Direct connection to the web. Unauthorized disclosure of information shall be expected to have a critical adverse effect (very sensitive data). Disruption of access to this device shall be expected to have a critical adverse effect on the service or the user.
- The manufacturer submits an Application Form to ask for the certification, which becomes the contract for the service.
- Additional information (questionnaire, evidence) is requested from the device vendors as described in the BV cybersecurity IoT certification scheme and the Bureau Veritas IoT device cybersecurity Evaluation Methodology.
- The Assessor verifies the conformance of the devices to the selected requirements via testing, auditing or inspection.
- In case of successful evaluation, the certificate is delivered to the manufacturer.
- Surveillance is performed for the Basic Advanced and Substantial Essential certificates