Choi Yoon-seon, the head of the KISA Digital Product Certification Team, presents. /Courtesy of KISA

The digital transformation is accelerating, and Internet of Things (IoT) devices are spreading into the daily lives of citizens and various industries. However, security issues with IoT devices are also arising, and the Korea Internet & Security Agency (KISA) is continuously improving the IoT security certification system and working to strengthen IoT security.

Choi Yoon-sun, head of the Digital Product Certification Team at KISA, noted on the 26th that “the domestic IoT market has grown more than four times from 6.4 trillion won in 2017 to 27.8 trillion won last year, and the number of domestic IoT devices (2.9 billion) ranks 4th in the world after the United States, China, and Japan.” Choi added, “However, as the information and communication technology (ICT) convergence creates a hyper-connected society, IoT security issues are directly affecting the daily lives of citizens.” Indeed, concerns about the hacking of IoT appliances continue: last year in the U.S., a Chinese-made robotic vacuum cleaner emitted curse words, and in Korea, a hacking incident involving a wall pad in 2021 led to the personal information of 400,000 people being leaked on the dark web.

To verify the security performance of IoT devices, KISA has been operating the IoT security certification system since 2017. Certification is administered by KISA, while testing is conducted by designated testing organizations such as the Korea Testing Certification Institute (KTC), Korea Information & Communication, and Korea Testing & Research Institute (KTR). This system targets eight fields for certification, including smart appliances, transportation, and energy, which use IoT functionality to collect and analyze home lifestyle information and enhance services based on artificial intelligence (AI). The certification criteria consist of a total of 50 items across 7 areas, including identification and authentication, data protection, and encryption. Depending on the security requirements, certification is divided into three types: Light, Basic, and Standard.

Choi explained, “The number of IoT security certifications has been increasing annually, from 4 cases in the early phases of the system in 2018 to 106 last year,” adding, “Particularly, the housing sector accounts for three-quarters of all certifications, as there is high demand for IoT security certifications in devices like wall pads and door locks.”

KISA is continuously working to enhance the IoT security certification system. Choi said, “IoT device manufacturers have faced challenges in product development or launches due to the burden of IoT security certification fees,” explaining that “to address this, a derivative model (A and B types) was introduced in 2023.” To implement the derivative model system, KISA conducted various legal reviews and tests comparing the security performance of the basic certification model and the derivative models, and reflected the findings in the IoT security certification system. Additionally, since December of last year, the fee for derivative model A, which at 700,000 won was lower than that of the existing certification model, has been waived to alleviate the burden on small and medium-sized enterprises.

Choi stated, “To activate IoT security certifications, we are collaborating with relevant organizations such as the private sector, healthcare, and military to promote security certifications for products,” adding that “we are also operating incentive systems that support 80% of the fees for small and medium-sized enterprises or grant additional points (2 points) during the Venture Korea registration review for IoT security certified products.” He further mentioned, “To raise awareness of the relevant system among citizens, we have introduced a label-type certification label instead of the existing logo-type, and by scanning the QR code on the certification label, one can verify the security certification information of the digital product.”

KISA is also working to globalize the IoT security certification system. Choi mentioned, “Currently, we have signed a mutual recognition agreement (MRA) with Singapore and are in discussions with Germany,” and added, “This will support the global competitiveness of domestic corporations.” An MRA refers to the mutual recognition of each country's certification systems by national certification bodies that operate similar certification systems. Once mutual recognition of the IoT security certification system between the two countries takes effect, it will not only enhance the international credibility of domestic products but also save significant time and expense, as the products can be exported without needing local certifications.