
[Japan Cybersecurity] Japan Launches JC-STAR IoT Security Rating System, and THE ONE Provides Full Support.

JC-STAR IoT Security Rating System

The Japan Information-technology Promotion Agency (IPA) has recently introduced the JC-STAR (Japan Cyber-Security Technical Assessment Requirements), a security rating system for IoT devices. This initiative aims to enhance the security of IoT products while providing consumers with clear and reliable information about product security. The system aligns with international standards such as ETSI EN 303 645 and NISTIR 8425, establishing a unique evaluation framework for IoT security in Japan.


Overview of the JC-STAR System

The JC-STAR system is based on technical security requirements designed to evaluate and label IoT products that meet those requirements. The system categorizes products by security level and uses labeling to give consumers a clear understanding of a product’s security level.

Currently, the entry-level “★1” rating has been introduced, setting a foundational security standard broadly applicable to various IoT devices. This ensures that these devices possess minimum defensive capabilities to resist common cyberattacks.

Key highlights of the “★1” rating include:

  • Preventing IoT devices from being infected with malware and becoming part of botnets.
  • Defending against remote attacks from the internet.
  • Requiring clear policies for addressing and supporting vulnerabilities or defects.
  • Ensuring the proper deletion of data generated during device operation when it is disposed of or resold.

Applicable Products

The “★1” rating primarily applies to IoT devices that meet all the following criteria:

  1. Products include hardware, with the label affixed to the device. Software or cloud services alone are not included.
  2. Devices must have the capability to send and receive data using internet protocols (IP).
  3. Devices may connect to the internet, directly or indirectly.
  4. Devices to which new security features are difficult or impossible to add after purchase (other than through updates).

Examples of devices not typically covered by the “★1” rating include personal computers, smartphones, and tablets, as they do not meet the fourth criterion. Additionally, devices physically or logically isolated from the internet are also excluded.


Application Requirements and Process

The “★1” rating evaluation follows a self-declaration model, where manufacturers are responsible for assessing their products’ compliance with the security standards. The application process includes the following steps:

  1. Prepare Supporting Documents:
    While proof of compliance is not required during application submission, supporting documents such as technical files, internal reports, and regulations must be prepared for the evaluation process.
  2. Complete the “Suitability Evaluation Checklist”:
    Using the prepared documentation, carefully complete the checklist to ensure accurate evaluation results for each item.
  3. Submit the Checklist:
    Once completed, submit the checklist to complete the application.
  4. IPA Review:
    IPA will review the submitted checklist upon receipt.
  5. Possible Submission of Supporting Documents:
    During the validity period of the rating or if IPA raises questions regarding the application, manufacturers may be required to provide supporting documents for review.

Manufacturers can opt to work with external agencies (e.g., JC-STAR evaluation or verification agencies) to assist in the evaluation and checklist completion. Additionally, even under a Non-Disclosure Agreement (NDA), IPA reserves the right to request supporting documents. Manufacturers must ensure the accuracy and authenticity of their submissions and actively cooperate with IPA’s review requirements.


THE ONE’s ★1 Services

THE ONE offers comprehensive support for your “★1” rating application, including:

  • Assisting with documentation preparation.
  • Conducting product evaluations.
  • Performing necessary testing to provide evidence for evaluation.
  • Submitting applications on your behalf.

For any inquiries or service requests, feel free to contact us.

Email: Charles.liao@theonelab.co
Phone: 02-8601-2828



Understanding EN 18031: Key Highlights Explained by The One

RED Cybersecurity Requirements

In 2022 and 2023, the EU issued supplementary delegated acts under the RED, namely (EU) 2022/30 and (EU) 2023/2444. These acts require manufacturers to integrate three cybersecurity requirements into product design and production processes. The new rules will take effect on August 1, 2025.

  • Article 3.3(d):
    Radio equipment must not harm the network or its functionality, nor misuse network resources, thereby avoiding unacceptable degradation of service.
  • Article 3.3(e):
    Radio equipment must include safeguards to protect the personal data and privacy of users and subscribers.
  • Article 3.3(f):
    Radio equipment must support specific features to ensure protection against fraud.

Scope and Exemptions

Scope

  • Article 3.3(d): Applies to any radio equipment capable of internet communication, whether directly or via other interconnected devices.
  • Article 3.3(e): Covers radio equipment capable of processing personal, traffic, or location data. This includes internet-connected devices, child-care equipment, most wireless toys (per Directive 2009/48/EC), and wearable devices.
  • Article 3.3(f): Applies to internet-connected radio equipment enabling the transfer of money, financial assets, or virtual currencies.

Exemptions

  • Articles 3.3(d), (e), and (f) do not apply to medical devices regulated under (EU) 2017/745 and (EU) 2017/746.
  • Articles 3.3(e) and (f) are also excluded for:
    • Remote-controlled drones and specific non-airborne radio equipment under (EU) 2018/1139;
    • Motor vehicles and related systems or components under (EU) 2019/2144;
    • Road toll systems governed by Directive (EU) 2019/520.

EN 18031 Standards

The EN 18031 series comprises three parts (EN 18031-1, EN 18031-2, and EN 18031-3), each addressing different cybersecurity requirements in the RED Directive:

  • EN 18031-1: Ensures that radio equipment does not adversely affect the network or its functionality and prevents misuse of network resources that could severely impact services. Applicable to all radio equipment capable of internet communication.
  • EN 18031-2: Provides safeguards to protect users’ and subscribers’ personal data and privacy. Applicable to devices handling personal data, such as internet-connected devices, child-care equipment, wireless toys, and wearable devices.
  • EN 18031-3: Ensures that internet-connected radio equipment facilitating the transfer of money or virtual currencies is equipped with features to prevent fraud.

Asset Types and Evaluation

The EN 18031 series categorizes assets into four types: security assets, network assets, privacy assets, and financial assets. Security assets are addressed across all three standards, while the other asset types are tailored to their respective standards. The evaluation process employs a mechanism-based approach to guide the application of security measures and assess their appropriateness and suitability.

Stay tuned as we delve deeper into the highlights of EN 18031-1, -2, and -3 in upcoming updates!


If you have any cybersecurity-related inquiries, feel free to contact our specialist, Charles, at charles.liao@theonelab.co.


【INDIA ITSAR】Revision of Declaration of conformity cum Undertaking proforma for the Pro Tem certificate -reg.

On 30 October, the Indian telecom authority, TEC, issued a new revision of the MTCTE notification regarding the “Security Certification for IP Router and Wi-Fi CPE Products.”

These devices serve networking purposes, each with distinct roles and features. Routers are designed to route data packets between computer networks, while Customer Premises Equipment (CPE) connects the customer’s location to the service provider’s network. Although routers may sometimes be integrated into a CPE setup, their primary function differs.

After initially proposing these products for inclusion in its first MTCTE notification last year, TEC has since postponed the mandatory certification dates twice. The deadline was initially set for 1 April this year. Then, on 16 April 2024, the National Centre for Communication Security (NCCS) issued a notification dividing devices into two categories, labeled S No.1 and S No.2. The joint MTCTE & NCCS portal was set to accept security certification applications from 1 July for S No.1 and from 1 October for S No.2.

With the latest notification, TEC has now extended the application deadline for S No.2 products to 30 November. This category includes “IP Routers and Wi-Fi CPE equipment already certified under MTCTE ER, currently deployed in licensees’ (TSPs’) networks, and proposed for hardware or software changes.”

The application process is a documentation-based self-declaration of conformity to Indian Telecommunication Security Assurance Requirements (ITSAR). The Declaration format is provided with the notification. Upon submission, a “Pro Tem Certificate” valid for six months will be issued, allowing continued supply of these products until full certification is granted.

For further details on project and submission requirements, please contact charles.liao@theonelab.co.

For more details from NCCS, please read the official document.



EU Cyber Resilience Act (CRA) Overview: Aside from the RED

EU Cyber Resilience Act (CRA) Overview

The Cyber Resilience Act (CRA), introduced by the EU in 2022 and adopted in October 2024, aims to ensure the cybersecurity of connected products. It mandates rigorous cybersecurity standards across digital products, specifically targeting devices and software that connect to the internet. CRA emphasizes product security throughout its lifecycle to mitigate cybersecurity threats and vulnerabilities.

Key Milestones:

  • September 2022: Initial draft introduced by the European Commission.
  • October 2024: EU Council adopts the act, setting new safety requirements.
  • November 2024: Expected to be published in the Official Journal of the EU, with enforcement beginning after 20 days and a 36-month compliance period for companies.

Core Requirements:

  1. Secure by Design: Products must incorporate security features from design to production stages.
  2. Ongoing Updates: Networked products must support regular security updates and patching.
  3. Transparency of Information: Manufacturers must provide security-related information, including design, known risks, and update policies.
  4. Regulatory Oversight and Penalties: Non-compliant products may face fines or market removal.

Scope of Products Covered:

CRA covers most internet-connected devices, including:

  • Smart Home Devices: E.g., smart refrigerators, TVs, cameras, and toys.
  • Wearables: Such as smartwatches and health monitors.
  • Everyday IoT Devices: E.g., smart bulbs, connected outlets, and home security systems.
  • Industrial IoT Devices: E.g., monitoring systems and automated equipment in factories.

Excluded Products:

Certain categories are exempt due to existing regulations:

  • Medical Devices: Covered by stringent healthcare laws.
  • Aviation Equipment: Governed by aviation regulations.
  • Automobiles: Secured under EU vehicle safety laws.
  • Open-source Software: Exempt when used non-commercially.

CRA’s Vision:

CRA aims to act as a digital safety wall in the EU, enhancing the security of every connected product. For companies, it presents not only a compliance challenge but also an opportunity to boost product credibility and competitiveness.

For further inquiries or assistance with CRA compliance, feel free to contact THE ONE Cybersecurity Lab. We’re dedicated to helping your products meet the latest cybersecurity standards.


Cybersecurity Solutions for RED: ETSI EN 303 645 and EN 18031 Standards

The One Lab: A Leading Cybersecurity-Only Lab for EU Standards

The One Lab is a specialized cybersecurity laboratory focused on European standards. As experts in this field, we are particularly dedicated to the new cybersecurity requirements under the Radio Equipment Directive (RED), set to be enforced in August 2025. Below, we provide an overview of two key standards related to these cybersecurity requirements: ETSI EN 303 645 and the EN 18031 series.

ETSI EN 303 645: Cybersecurity for IoT Products

In 2019, ETSI TC CYBER introduced the first cybersecurity standard for consumer IoT products, which later evolved into ETSI EN 303 645. This standard aims to set baseline security requirements for consumer IoT products, outlining 13 security guidelines and 68 provisions to protect against large-scale attacks on smart devices. It also forms the foundation for future IoT certification programs.

ETSI EN 303 645 primarily provides security guidelines, while ETSI TS 103 701 details specific methods for testing and evaluation. Over time, EN 303 645 has proven to be an effective standard through extensive testing and has guided the security assessment of other electronic products. Many countries have referenced this standard when developing their own cybersecurity regulations, such as the UK’s PSTI and Singapore’s Cybersecurity Labelling Scheme.

EN 18031 Series: Comprehensive Cybersecurity Standards

The EN 18031 series is specifically designed to meet the new requirements of the RED and aims to become a harmonized standard for these regulations. The forthcoming Cyber Resilience Act (CRA) is also expected to adopt the EN 18031 series as its baseline requirement.

Approved by the European Union as an official EN standard, the EN 18031 series goes beyond IoT products covered by ETSI EN 303 645, including all network-connected radio equipment such as laptops, smartphones, and routers. It offers a more comprehensive set of testing and assessment methods, making it a crucial standard for all connected devices.

The One Lab’s Expertise in Cybersecurity Standards

The One Lab has obtained TAF certification for EN 303 645 and is on track to achieve certification for the EN 18031 series by Q1 2025. With our extensive expertise and solutions, we are well-equipped to support clients with various IoT products in navigating these cybersecurity standards. If you have any questions about your products, please reach out to us for guidance on planning for the European cybersecurity market.

By incorporating ETSI EN 303 645, the EN 18031 series, and the RED cybersecurity requirements into our services, The One Lab ensures your products meet the latest European cybersecurity requirements.

[Partnership Announcement] Congratulations to THE ONE and Eurofins on Signing a Cybersecurity MOU

We are thrilled to announce that THE ONE has officially entered into a partnership with Eurofins. With ONELAB’s cutting-edge cybersecurity technology combined with Eurofins’ extensive customer base, we are committed to providing the highest quality cybersecurity testing services to our partners across various sectors of the electronics industry.

This collaboration also signifies that THE ONE’s laboratory capabilities have reached a world-class standard, allowing us to establish profound partnerships with multinational corporations.

On the day of the agreement signing, THE ONE was represented by our Cybersecurity Lab Director, Mr. Norton, who signed the cybersecurity partnership agreement alongside Mr. Thami, the NB representative from Eurofins Germany, and Mr. Ethan, the representative from Eurofins Taiwan.

Through this partnership, we are dedicated to delivering the most professional testing and customer service, ensuring that your products can achieve cybersecurity certification and be sold globally.

If you have electronic products intended for export and are uncertain about the need for cybersecurity certification, we warmly invite you to reach out to us at service@theonelab.co for further inquiries.


【EDM】New challenges in the IoT market

IoT cybersecurity

As the Internet of Things (IoT) market rapidly expands, so do the associated security risks. This year, countries around the world have begun to establish stringent cybersecurity regulations for IoT products, including:

  • The UK’s PSTI (effective from April 29, 2024)
  • Europe’s EN 303 645 and EN 18031 (effective from August 2025)
  • The USA’s Cyber Trust Mark initiative (currently in planning)
  • India’s BIS cybersecurity requirements (requirements for CCTV, DVRs, etc. already implemented)

This means that IoT product manufacturers will need to quickly respond to these significant demands.


Our Value

The One Cybersecurity Lab was founded for this very purpose. As a leading IoT cybersecurity expert, we provide cutting-edge security solutions to help you navigate the challenges of new regulatory environments, protecting your products and users from cyber threats.

The establishment of The One Cybersecurity Lab stems from our deep understanding of the increasing need for digital security. With the global proliferation of IoT devices, these devices have become prime targets for cyberattacks. To address this challenge, we have assembled a team of seasoned cybersecurity experts, engineers, and researchers committed to developing and providing solutions that meet the highest security standards.


Our Services

Our range of services covers the extensive cybersecurity needs of IoT products, including home automation devices, smart appliances, and connected products. The One Cybersecurity Lab offers professional security assessments and solutions based on rigorous international standards and is accredited by the Taiwan Accreditation Foundation (TAF) (Accreditation No.: 4248) to ensure that our security measures meet and exceed the industry’s most stringent requirements.

In the global market, our services extend beyond Europe to Southeast Asia, the USA, India, and other regions. Our team has a deep understanding of the unique needs and security challenges of various markets, and we have developed targeted security strategies to ensure our clients maintain a leading position in any market.

We sincerely invite you to learn more about The One Cybersecurity Lab and look forward to the opportunity to collaborate with you to advance the future of IoT product security.

For more information or to discuss collaboration, please feel free to contact us. The One team is always at your service.


Cybersecurity News – Latest Requirements of the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act

UK PSTI


The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act primarily targets the cybersecurity requirements for smart devices. This mandatory requirement was implemented in April 2024.

Below is a detailed explanation of the types of products that need PSTI testing, exceptions, and how to meet PSTI requirements.

PSTI testing applies to a wide range of internet-connected devices, including but not limited to:

  • Smart home devices (such as smart bulbs, smart locks, smart thermostats)
  • Consumer electronics (such as smart TVs, smart speakers, smartwatches)
  • Connected toys and baby monitors
  • Smart health and fitness devices (e.g., fitness trackers)
  • Other network-connected devices

Manufacturers should conduct cybersecurity risk assessments for their products according to the specific terms of the PSTI and take necessary technical measures to mitigate these risks. By following these steps and requirements, manufacturers can ensure their products meet the PSTI cybersecurity standards, providing consumers with a safer user experience.

Exceptions

The following categories of devices are not covered by PSTI testing:

  • Enterprise-level network equipment
  • Industrial control systems
  • Devices with simple functions and no network connectivity
  • Personal computers and laptops

These products typically have specialized security standards and regulatory bodies for testing and certification, so they do not need to comply with PSTI requirements.

PSTI Requirements

To meet PSTI requirements, manufacturers should follow these steps:

  1. Firmware Update Mechanism: Ensure the device can receive and automatically install security updates to patch known vulnerabilities.
  2. Unique Default Passwords: Each device should use a unique default password or require users to set a strong password upon first use.
  3. Vulnerability Reporting Channel: Establish an easily accessible vulnerability reporting mechanism, allowing users and security researchers to report security issues with the device.

The cybersecurity testing laboratory at The One provides testing and certification services that meet the latest PSTI cybersecurity requirements. We continuously monitor regulatory developments and adjust our cybersecurity testing services in line with regulatory changes, providing our clients with up-to-date testing and certification solutions.

For further information, please contact:

Email: service@theonelab.co