Mapping the Global Security Landscape: Where CRT Fits (and Where It Doesn’t)

This blog article critically examines the global landscape of consumer product cybersecurity standards and the proposed role of the UK’s Cyber Resilience Testing (CRT) initiative. It maps key frameworks (PSTI Act, CRA, ETSI EN 303645, IEC 62443, FCC labelling, etc.) and identifies opportunities for CRT to provide ‘above and beyond’ assurance through resilience testing and threat simulation. While acknowledging the challenges of market saturation and standard overlap, it argues that CRT can add unique value — especially in underregulated sectors and poorly enforced product classes — by validating real-world security outcomes rather than static compliance.

Introduction: Framing the Landscape

Consumer-facing cybersecurity has matured significantly in recent years. From policy interventions and regulatory instruments to voluntary certification and market-led initiatives, the global security landscape has shifted decisively towards structured, standards-based oversight. Into this already crowded space enters the Cyber Resilience Testing (CRT) initiative — an effort led by the UK’s National Cyber Security Centre (NCSC) to offer an added layer of resilience validation for connected consumer products.

This article offers a critical, research-informed commentary on CRT’s positioning and perceived value in light of a detailed mapping of existing standards, regulations, and schemes. The document reviewed outlines more than a dozen initiatives; this expanded analysis aims not only to amplify its content but also to interrogate its implications.

The Purpose of CRT in Context

CRT is not intended to replace existing schemes — a point the NCSC has stressed repeatedly. Rather, it is envisioned as a layer ‘above and beyond’ compliance, designed to test real-world resilience rather than check-box conformity. It seeks to complement the current architecture of product assurance, targeting areas where existing certifications may fall short — either in breadth, enforcement, or outcome.

The objective is not to build another standard, but to test the limits of existing ones, thereby identifying blind spots in the protective layer that covers the consumer tech ecosystem.

Current Standards, Regulations, and Certification Schemes

UK Standards and Regulations

UK Product Security and Telecommunications Infrastructure (PSTI) Act

The PSTI Act represents a significant step in the UK’s domestic cybersecurity framework. It mandates:

  • Prohibition of universal default passwords.
  • Commitment from manufacturers to disclose minimum durations for security updates.
  • Requirement to provide clear vulnerability disclosure policies.

It applies broadly to “smart” consumer products and their associated services, providing baseline protections but not extending into active assurance or resilience testing.

BSI Kitemark for IoT

The British Standards Institution (BSI) offers the Kitemark for IoT, which certifies that:

  • Devices meet rigorous privacy and security benchmarks.
  • Testing includes both functional assurance and ongoing surveillance.
  • Manufacturers follow secure software update processes and risk management practices.

Kitemark offers strong market signalling but is voluntary and commercial — uptake varies considerably across sectors.

Cyber Essentials

Cyber Essentials focuses more on organisational IT hygiene than device-level certification. It includes five basic controls:

  • Firewalls
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

While not IoT-specific, the principles are transferable. CRT could align particularly with enhanced levels (Cyber Essentials Plus) where independent assessment is required.

Other UK Schemes

  • IASME Governance: Broader than Cyber Essentials, includes GDPR elements.
  • Sectoral Certifications: E.g., energy or finance.
  • NCSC-assured training or consultancy: Trust signals without enforcement.

These are important components of the assurance ecosystem but generally do not address consumer devices explicitly.

EU Frameworks

European Cyber Resilience Act (CRA)

Still in legislative development, the CRA will:

  • Mandate cybersecurity by design and default.
  • Apply across both software and hardware supply chains.
  • Introduce conformity assessments for critical product classes.

CRT could play a post-market role here — validating that products continue to meet CRA expectations post-deployment.

ENISA’s Security Frameworks

ENISA has been instrumental in shaping:

  • Threat modelling methodologies for IoT.
  • Security guidance for SMEs.
  • Sector-specific frameworks (e.g., smart hospitals, mobility).

ENISA’s materials are highly informative but often lack enforcement teeth. CRT could provide the practical, testable implementation layer.

CE Marking & Security Compliance

CE marking is a declaration of conformity — not a security certification per se. However:

  • Future CRA requirements may strengthen its security component.
  • Current directives (e.g., RED, LVD) already offer security-relevant clauses.

CRT could act as a supplementary assurance signal, clarifying that CE-marked products also pass real-world resilience tests.

US & North American Approaches

NIST Cybersecurity Framework for Consumer Devices

NIST’s guidance includes:

  • Device risk profiling.
  • Secure update architecture.
  • Transparency principles (e.g., SBOMs).

CRT could integrate NIST’s recommendations but test implementation depth, not just design.

FCC’s Cybersecurity Labelling Programme (Pilot)

Key features include:

  • A label that indicates basic compliance.
  • Voluntary uptake.
  • Consumer-facing design (akin to nutrition labels).

CRT could be positioned as a “tested level” badge — going beyond what the FCC currently envisions.

UL IoT Security Rating

UL’s scheme includes five levels:

  • Tiers ranging from Bronze to Diamond.
  • Based on the UL Maturity Model.

This offers tiered assurance, which CRT might build upon — particularly if independent validation is required at higher levels.

Global Standards & Initiatives

ISO/IEC 27400:2022

Aims to establish international consensus on:

  • Threat analysis methodology for IoT.
  • Security principles.
  • Governance frameworks.

Valuable as a reference document, but not a certification mechanism. CRT could operationalise these principles.

ETSI EN 303645

Perhaps the most widely referenced IoT security standard globally. Covers:

  • No default passwords
  • Secure boot
  • Secure update mechanisms
  • User data protections

It is a design-focused, implementation-agnostic document. CRT could test whether those implementations actually work in practice.

IEC 62443

Designed for industrial control systems, but now applied more broadly to:

  • Embedded systems
  • Safety-critical systems
  • Network-connected consumer platforms

However, its complexity limits adoption among consumer device makers. CRT could offer simplified validation inspired by this framework.

GSMA IoT Security Guidelines

Strong on network-level concerns and mobile operator responsibilities. Less directly relevant to:

  • Standalone devices
  • Edge or fog computing

CRT could complement GSMA principles by testing endpoint security and lateral movement scenarios.

Australian & Singapore Labelling Schemes

  • Australia: Voluntary, based on ETSI.
  • Singapore: Graded system (1–4 stars).

Both focus on consumer visibility. CRT could either plug into these or model a similar multi-level framework.

Gaps and Challenges

Overlap and Fragmentation

Redundancy and inconsistency remain issues. While harmonisation is improving, vendors often struggle to:

  • Interpret overlapping requirements.
  • Understand where one standard ends and another begins.
  • Avoid duplication of effort.

CRT must clarify how it maps to existing schemes and avoid being “yet another certification.”

Perceived Complexity and Saturation

Stakeholders note that with widespread adoption of ETSI EN 303645 and IEC 62443, CRT may appear redundant. To succeed, it must:

  • Clearly explain its unique value.
  • Avoid bureaucratic overreach.
  • Focus on tangible outcomes (e.g., mitigated risks, validated controls).

Low Consumer Awareness

Despite labels, consumers are still:

  • Unclear what security standards mean.
  • Unable to compare across devices.
  • Unmotivated by technical credentials.

CRT might need a consumer narrative, not just an engineering framework.

Global Inconsistency

Jurisdictional differences hinder manufacturer compliance:

  • What passes in the UK might fail in the US.
  • Post-Brexit divergence adds further complexity.

CRT should aim for cross-market recognition, perhaps via ISO alignment or mutual recognition agreements.

Neglected Device Classes

Smart kettles, connected toys, fitness wearables — many lack clear inclusion in security mandates. CRT could fill this regulatory vacuum.

Opportunities for CRT

Complementarity

CRT must highlight its role as:

  • Assurance on top of compliance.
  • Focused on resilience, not just hygiene.
  • Offering adversarial validation, not self-attestation.

Target Sectors with Poor Uptake

CRT could pilot in:

  • Retail-grade consumer electronics
  • Low-cost smart home tech
  • Emerging categories (e.g., health IoT)

Plug Gaps in Established Standards

ETSI and IEC are foundational — but implementation is variable. CRT can:

  • Test enforcement.
  • Offer feedback loops.
  • Share anonymised learnings with regulators.

Align with Regulators

CRT should be positioned to support:

  • UK’s PSTI Act enforcement
  • CRA’s conformity assessments
  • FCC’s labelling transparency

Develop Non-IoT Coverage

CRT could expand to:

  • Connected but non-networked devices
  • Embedded ML inference devices
  • Digital consumer goods that operate “silently”

Conclusion & Strategic Recommendations

Key Takeaways

  • CRT must not be a competing standard — it must be a validating layer.
  • Harmonisation is real, but resilience remains untested in many products.
  • Consumer trust depends on clarity, not just coverage.

Next Steps

  1. Map CRT directly to existing schemes.
  2. Focus pilots on hard-to-regulate sectors.
  3. Work with ENISA, FCC, and ISO to position CRT globally.
  4. Develop a public-facing narrative, perhaps through a graded badge.
  5. Publish findings openly to stimulate vendor engagement.

Final Thought

In a world where cybersecurity standards increasingly resemble a box-ticking exercise, CRT could be the hammer that tests the box — not to destroy it, but to prove its strength.