Cybersecurity Product Testing: Ensuring Compliance, Security & Market Access

From medical devices to baby monitors, the number of consumer and industrial smart devices on the market today continues to soar. Because they communicate wirelessly over networks, these smart products present additional security risks, along with their many benefits.

In response to the growing threat of cyberattacks, governing bodies around the world have enacted new cybersecurity testing, certification, and labeling requirements to help consumers make informed choices about the privacy and security of the devices they purchase.

Examples of Products Subject to Cybersecurity Testing

• Smart Phones
• Smart Thermostats
• Smart Lights
• Smart Appliances
• Smart Cameras, TVs & Speakers
• Fitness Trackers
• Home Office Routers
• Smoke Detectors
• Digital Personal Assistants
• Home Security Systems
• GPS Trackers
• Medical Devices
• Garage Door Openers
• Children’s Toys & Baby Monitors

Even when it is not legally mandated, manufacturers should consider cybersecurity testing to provide users and regulators confidence that the device is reasonably secure from cyberattacks — and maybe even gain an edge against less-diligent competitors.

What is Cybersecurity Product Testing?

Cybersecurity product testing is a structured approach to assess a wireless device’s ability to withstand real-world cyber threats and ensure that it is fit for sale. The goal is to identify and address vulnerabilities before attackers have the opportunity to exploit them and do real harm.

Cybersecurity testing answers critical questions in a controlled environment, such as:

• Is the device easily compromised?
• How does the device respond when under attack?
• Does the product meet the manufacturer’s security standards, regulatory requirements and customer needs and expectations?

Cybersecurity testing can be done across a product’s full lifecycle, spanning design, hardware, firmware and software, communications and interfaces, physical and local access and operational security.

Common cybersecurity testing methods include:

• Security Design Review
• Threat Modeling
• Vulnerability Assessment
• Penetration Testing (Ethical Hacking)
• Fuzz Testing (Fuzzing) (attempting to crash the system to reveal flaws and vulnerabilities)
• Supply Chain & Third-Party Component Analysis

An experienced lab provider will be familiar with all applicable codes and regulations in the target market and will be able to provide guidance on the type(s) of testing needed for your project.

Why Cybersecurity Product Testing is Critical for Today’s Products

Today’s wireless products are more inherently connected that ever, and the number of smart devices continues to skyrocket. The number of connected Internet of Things (IoT) devices worldwide is forecast to more than double from approximately 19.8 billion in 2025 to more than 40.6 billion by 2034.

Because they are not isolated devices, smart products create more opportunities for potential hackers to wreak havoc. The fallout from a high-impact cyberattack can include costly production shutdowns, product recalls, data breaches, legal liabilities, damaged brand reputations and customer trust — even safety issues.

As some companies have learned the hard way, it is far easier and faster to fix security issues before a new product launch than after.

In markets where cybersecurity testing is mandated, failure to test could keep a manufacturer from competing in that market and lead to fines, penalties, legal liabilities, and enforcement action. The cybersecurity testing process provides a path to identify and remediate flaws and vulnerabilities before the product hits the market and demonstrates that the manufacturer took due care to comply with local laws.

Key Standards & Regulations Driving Cybersecurity Product Testing

Cybersecurity standards and regulations continue to evolve and depend on the product, industry, and target market in question. Regulations typically outline what types of products must be tested, as well as the testing scope, methods, acceptance criteria, and labeling and reporting needed before a product can be launched or sold.

Key standards and regulations influencing cybersecurity product testing today include the following:

• IEC 62443 (Industrial & OT Products)
• ISO 27001 (Organizational Information Security Management)
• ISO 27034 (Application Security)
• UL 2900 Series (Medical, Industrial, Commercial IoT products)

The following laws, regulations, and standards includes cybersecurity requirements that may mandate testing depending on the applicable jurisdiction, product type, or market access pathway:

• U.S. IoT Cybersecurity Improvement Act
• Radio Equipment Directive Articles 3.3(d), 3.3(e), and 3.3(f)
• EU Cyber Resilience Act (CRA)
• UNECE R155 / R156 (Automotive/ Vehicle & Automotive Electronic Systems)
• UK Product Security and Telecommunications Infrastructure (PSTI) Act
• ISO/IEC 27001 / 27034
• NIST IR 8259 (Enterprise/Government IoT)
• ETSI EN 303 645 (Consumer IoT)
• U.S. FDA Cybersecurity Guidance (Medical & Healthcare Devices)

Along with detailed reports and risk findings, an accredited lab will provide regulatory insight and guidance to address potential vulnerabilities, as well as security documentation that can be used to market the product and provide evidence of compliance.

Benefits of Using IIA for Cybersecurity Testing

To help our customers comply with changing regulations, Industrial Inspection & Analysis (IIA) expanded our Florida Lab services to include Cybersecurity Testing and Certification. Our ISO-accredited services comply with cybersecurity testing requirements in European Union (EU) and United Kingdom (UK), as detailed below:

UNITED STATES Federal Communications Commission (FCC) Public Safety and Homeland Security Bureau (PSFSB): Pending approval as an accredited and recognized CyberLAB, IIA will be authorized to test wireless products to demonstrate compliance to the FCC’s IoT Cybersecurity Label requirements; and as an accredited and recognized Cybersecurity Label Administrator (CLA), IIA will be authorized to accept and review applications and test reports and approve the use of the FCC IoT Label.

EUROPEAN UNION Conformité Européenne (CE): IIA is accredited as a Notified Body designated for Cybersecurity under the Radio Equipment Directive (RED), which enables us to conduct cybersecurity conformity assessment of radio equipment for network protection, data privacy, and fraud prevention, in accordance with Articles 3.3(d), 3.3(e), and 3.3(f).

UNITED KINGDOM PSTI Product Security Regime: While there are no third-party conformity assessment procedures under the PSTI, our cybersecurity team is equipped to test consumer wireless (IoT) products in compliance with the UK Product Security and Telecommunications Infrastructure (Product Security) regime, which came into effect on April 29, 2024. Our team is here to help you assess your product for compliance with EN 303 645.

Cybersecurity testing by a qualified provider like IIA is a proactive way for manufacturers to ensure their product meets legal requirements and customer expectations. As a trusted partner and one-stop-shop for manufacturers around the world, IIA is a natural choice to perform the cybersecurity testing needed to comply with new and changing regulations.

As the risk of cyberattacks continues to rise, and pressures mount to produce more secure electronic devices, cybersecurity is evolving from a technical issue into a product differentiator. IIA is here to help manufacturers deliver the safe, secure product their customers expect and deserve — and maybe even stay one step ahead of the competition.

LEARN MORE ABOUT IIA’s CYBERSECURITY TESTING SERVICES & EMC/RF TESTING SERVICES.

Read more about the FCC’s Cybersecurity Labeling program for Wireless Consumer Products