To show the world that their IoT product is safe to use, ERNIT has had a third-party security screening conducted at the Nordic IoT Centre. It is important that this approval is in place both in relation to the customers, who are the banks, as well as when ERNIT conducts business with the export markets.
Cyber security is a central parameter for the Danish start-up company ERNIT. The company has developed a virtual piggy bank that teaches children how to save up with the help of IoT technology.
The idea behind ERNIT was born on New Year’s Eve about four years ago, when the company’s founders – all of them fathers – discussed how they could give their children the best possible financial start in life. They all had piggy banks when they were young, but as payments today are made by credit card or mobile phone, they observed that their children did not develop the same savings habits.
The situation prompted the three entrepreneurs to build an IoT solution consisting of an app connected to a physical piggy bank with electronics inside. Every time parents, grandparents, or someone else transfers money, the piggy bank lights up and plays sounds, so the child can see the progress towards their savings goal. The goals are entered in the app – anything from a new bike or a doll to a football.
“Playing and the fact that we are turning a trivial task like saving into a game and a competition is a key part of ERNIT. The piggy bank motivates and teaches the children that money actually exists,” says Søren Nielsen, director of ERNIT and one of the three founders.
Sensitive data areas demand a high level of trust
Because ERNIT’s product is geared towards children and their money, its customers and collaborative partners place high demands on the security of the product, which is why ERNIT approached the Nordic IoT Centre to have a security screening carried out.
“We will use the security screening and UL 2900-1 approval to increase the feeling of security and confidence in the product among our end users, the banks that we are collaborating with, as well as the investors who have invested money into ERNIT. Our product involves both money and children. These are some of the most sensitive data areas, which require extremely high levels of trust concerning the product,” explains Søren Nielsen.
Security screening generates trust in the product
The two collaborating GTS institutes in the Nordic IoT Centre, FORCE Technology and the Alexandra Institute, performed the security screening of ERNIT’s piggy bank according to the UL 2900-1 standard. The standard is currently the most operational of its kind for screening physical IoT devices, as a corresponding and suitable European standard does not exist.
The Nordic IoT Centre’s role as an impartial third party is of great significance to ERNIT:
“It is important for us to find an impartial third party to carry out a security screening of our product in order to generate a feeling of complete confidence in terms of the product. We believe that a security screening conducted by an impartial third party creates greater confidence in the product than if we carried it out ourselves. It can help close any loopholes that might exist, because we are not completely infallible either,” says Søren Nielsen.
A comprehensive review of the product
The security screening itself consisted of three parts.
First, FORCE Technology verified ERNIT’s self-assessment, in which the product documentation and the product’s intended use were reviewed. What the product will be used for, in what context it will be used, and whether the product has a firewall are typical questions to consider. FORCE Technology then validated ERNIT’s Risk Management Report, which describes the risks of the product and how ERNIT is working to reduce them.
The next step was a more hands-on test of the product’s security. Here FORCE Technology subjected the electronic piggy bank to various tests, such as a vulnerability test, an infection test, and an encryption test. During the process it was checked whether the product carried any viruses or malware and whether it was vulnerable to cyber-attacks.
Finally, the Alexandra Institute’s Security Lab performed a code review, analysing the product’s source code to find defects that needed fixing. They looked both at whether ERNIT’s own code was written properly and at whether there were known vulnerabilities in the third-party code that the product also uses. The code review was carried out by a professional specialising in the programming language used in the product.
Throughout the process there was efficient communication between the Nordic IoT Centre and ERNIT to cover and respond to the different aspects of the areas examined. When companies have a security screening of their product carried out, they must be ready to set aside time to answer any questions that come up along the way, for example regarding the documentation material.
Clear sales advantages
Many Danish companies lack a security certificate to refer to when they sell their IoT products, even though customers want to be sure that the IoT products are safe to use and have a high level of protection against viruses and hacker attacks.
For ERNIT there are clear sales advantages associated with obtaining cyber security approval, not least because this can help the company to stand out from its competition:
“A UL 2900-1 safety approval of our product will give us clear competitive advantages over our competitors. We are often met in our sales work with questions concerning the product’s security, and we are certain that if we can show them a UL 2900-1 security approval, then it will open new doors and lead to increased sales of the ERNIT product,” says Søren Nielsen.
European Cyber Security Act in the pipeline
Many Danish companies experience problems with fragmented requirements when exporting, i.e. their IoT product is met by one set of cyber security requirements from a customer in one country and a different set of requirements from the next customer in another country. This makes it essential to establish a joint certification scheme across the EU based on international standards.
At European level, FORCE Technology works actively together with Danish Standards to draw up a European certification model (the Cyber Security Act) for cyber security screening. Until this model has been adopted, standards such as UL 2900-1 will continue to be used for security approval.
If you would like to know more about the cyber security screening of IoT products, UL 2900-1 approval and code reviews, you can contact Gert Læssøe Mikkelsen, Head of Security Lab, Alexandra Institute, email@example.com, tel. +45 24 26 99 11 or Anders P. Mynster, Senior Specialist, FORCE Technology, firstname.lastname@example.org, tel. +45 43 25 14 25.