Brightsight provides rigorous security evaluation services against established industry standards. We deliver comprehensive security evaluation reports that meticulously document the compliance status of your IoT device, clearly indicating whether all required criteria are met. Our evaluations provide a factual, objective assessment, allowing manufacturers to understand precisely where their products stand in relation to recognized security benchmarks. Reports are sent to the relevant scheme or certification body for final certification.

Digital trust in our hyper-connected world
From smart home devices and connected vehicles to critical medical equipment and industrial control systems, IoT's potential is vast. However, this interconnectedness also introduces significant security risks. As the number of connected devices proliferates, so does the potential for cyberattacks, data breaches, and system vulnerabilities that can compromise user safety, privacy, and operational integrity.

Security evaluation is paramount in mitigating these risks
By rigorously testing and analyzing IoT devices, manufacturers can identify and address potential weaknesses before they are exploited. This proactive approach not only safeguards consumers and businesses but also builds trust in the burgeoning IoT ecosystem.

Brightsight, a leading security evaluation lab, empowers the IoT industry to navigate these security challenges.
- We specialize in providing comprehensive security evaluation services for a diverse range of IoT sectors, including consumer electronics, automotive, MedTech, and industrial applications.
- Our expertise enables us to assess the security posture of IoT devices against industry standards and regulatory requirements.
By partnering with Brightsight, manufacturers obtain clear, verifiable evidence of their product's security posture, facilitating the necessary steps for certification and market entry.

Product security evaluation services for IoT consumer products
As the world becomes increasingly interconnected, the number of consumer IoT devices continues to surge. In 2024, there were over 1.3 billion active consumer IoT connections in Europe alone, with projections expecting 3 billion by 2030. This rapid growth, however, brings new security challenges—hackers exploit vulnerabilities in everything from smart home devices to wearables and connected appliances.

Why IoT security matters
Consumer IoT devices interact with personal data, financial transactions, and even critical infrastructure. A lack of proper cybersecurity measures can lead to data breaches, identity theft, and unauthorized access to smart systems. Governments worldwide are responding with strict regulations to enforce higher cybersecurity standards for connected devices.
Navigating global cybersecurity regulations
How Brightsight helps you
- Pre-evaluation – Workshops, design reviews, and pre-assessments to identify vulnerabilities early.
- Security testing – Compliance assessments against ETSI EN 303 645, the RED Article 3(3) cybersecurity requirements (harmonised standards EN 18031-1/-2/-3), NIST IR 8259A, and other global standards.
- Certification – Achieve the SGS Cybersecurity Mark, proving your product’s security and compliance.
- Continuous monitoring – post-certification support to ensure your device remains secure over time.
Gain a competitive edge
IoT standards and recognitions

Product security evaluation services for the automotive industry
The rise of Autonomous Vehicles (AVs) and Connected Cars (CCs) is bringing new challenges to the automotive industry. Cutting-edge technologies such as artificial intelligence and machine learning, computer vision, high-bandwidth connectivity, cloud computing, complex operating systems, IoT and cybersecurity are merging into what will become a new industry paradigm. The applications of vehicle-connecting capabilities such as Vehicle-to-Everything (V2X) technology seem endless.

Security evaluations in the automotive industry
The automotive market still lacks mature, domain-specific security assessment frameworks. Until very recently, systems and methodologies in this domain were driven by safety alone. While safety and security are closely related, safety reasons about random failures using likelihood and statistics, whereas security reasons about an intelligent adversary and the feasibility of particular attack scenarios.

Security evaluations can be applied to the different trust domains in the automotive market. This is a way to identify the product's security functionality and its strength, giving the rest of the trust domain full visibility of compliance with the security requirements in that particular domain. Security evaluation can take different shapes depending on the trust domain. For in-car systems, typical scenarios are attacks delivered over the CAN bus (including via remotely reachable components that bridge onto it) and fuzzing of CAN traffic and of other accessible transmission and input lines.
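As an added example of the CAN-bus fuzzing scenario mentioned above (this is illustrative code written for this page, not Brightsight's evaluation tooling), the block below builds a mutation-based corpus of classic CAN frames in the Linux SocketCAN `struct can_frame` layout. The encoder refuses frames the bus cannot carry (identifier out of the 11-bit or 29-bit range, payload over 8 bytes), so every generated frame is one the target ECU can actually receive; the seed frames, the `vcan0` interface name and the mutation strategies are assumptions for the example, and no real vehicle traffic is used.

```python
import random
import socket
import struct

# Linux SocketCAN `struct can_frame` for classic CAN (not CAN FD):
#   u32 can_id (11/29-bit identifier plus flag bits), u8 len, 3 pad bytes, u8 data[8]
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)  # 16 bytes
CAN_EFF_FLAG = 0x80000000  # set when the frame uses an extended (29-bit) identifier
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF
CAN_MAX_DLEN = 8
INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # boundary bytes parsers often mishandle

# Constructed seed traffic (not captured from a real vehicle): a UDS DiagnosticSessionControl
# request on the common 11-bit tester address 0x7E0, and a 29-bit ISO 15765-style request.
SEED_FRAMES = [
    (0x7E0, bytes([0x02, 0x10, 0x03, 0, 0, 0, 0, 0]), False),
    (0x18DAF110, bytes([0x01, 0x3E]), True),
]


def encode_frame(can_id, data, extended=False):
    """Pack a frame into struct can_frame bytes, rejecting anything the bus cannot carry."""
    data = bytes(data)
    if len(data) > CAN_MAX_DLEN:
        raise ValueError("classic CAN payload is at most 8 bytes")
    mask = CAN_EFF_MASK if extended else CAN_SFF_MASK
    if can_id < 0 or can_id & ~mask:
        raise ValueError("identifier out of range for %s frame" % ("29-bit" if extended else "11-bit"))
    raw_id = can_id | (CAN_EFF_FLAG if extended else 0)
    return struct.pack(CAN_FRAME_FMT, raw_id, len(data), data.ljust(CAN_MAX_DLEN, b"\x00"))


def decode_frame(raw):
    """Inverse of encode_frame: returns (can_id, payload, extended)."""
    raw_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    if dlc > CAN_MAX_DLEN:
        raise ValueError("invalid length field")
    extended = bool(raw_id & CAN_EFF_FLAG)
    can_id = raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK)
    return can_id, data[:dlc], extended


def mutate(can_id, data, extended, rng):
    """Apply one mutation; the result always still encodes as a valid frame."""
    data = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and data:  # flip a single bit in the payload
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:  # substitute a boundary value
        data[rng.randrange(len(data))] = rng.choice(INTERESTING)
    elif choice == 2:  # change the length: truncate, or pad with random bytes
        new_len = rng.randrange(CAN_MAX_DLEN + 1)
        data = data[:new_len] + bytearray(rng.randrange(256) for _ in range(new_len - len(data)))
    elif choice == 3:  # walk to a neighbouring identifier, staying inside the ID space
        mask = CAN_EFF_MASK if extended else CAN_SFF_MASK
        can_id = (can_id + rng.choice((-1, 1))) & mask
    else:  # replace the whole payload, keeping its length
        data = bytearray(rng.randrange(256) for _ in range(len(data)))
    return can_id, bytes(data), extended


def build_fuzz_corpus(seed_frames, count, seed=0, max_stack=3):
    """Produce `count` distinct encoded frames by stacking 1..max_stack mutations on the seeds.

    A fixed `seed` makes the corpus reproducible, which matters when a frame that
    crashes or resets an ECU has to be replayed and reported.
    """
    rng = random.Random(seed)
    seen, corpus = set(), []
    while len(corpus) < count:
        can_id, data, extended = rng.choice(seed_frames)
        for _ in range(rng.randint(1, max_stack)):
            can_id, data, extended = mutate(can_id, data, extended, rng)
        raw = encode_frame(can_id, data, extended)
        if raw not in seen:
            seen.add(raw)
            corpus.append(raw)
    return corpus


def send_corpus(corpus, iface="vcan0"):
    """Replay the corpus on a SocketCAN interface (Linux only); watch the target ECU separately."""
    with socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW) as sock:
        sock.bind((iface,))
        for raw in corpus:
            sock.send(raw)


if __name__ == "__main__":
    for raw in build_fuzz_corpus(SEED_FRAMES, count=20, seed=1):
        can_id, data, ext = decode_frame(raw)
        print("%s %08X [%d] %s" % ("EFF" if ext else "SFF", can_id, len(data), data.hex()))
```

On a Linux test bench the generated frames can be replayed with `send_corpus` on a `vcan0` or physical `can0` interface while the ECU under test is monitored for resets, error frames or unexpected responses; the reproducible seed is what turns an observed crash into a reportable, re-testable finding.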

Certification programs
Security evaluations can be conducted using Common Criteria and SESIP-based methodologies to demonstrate readiness for or compliance with:
- GDPR
- SAE J3061
- ISO/SAE 21434
- UNECE WP.29 (UN Regulation No. 155 on cybersecurity management systems)
- C2C-CC V2X
- C-ITS
The duration of an automotive IoT security evaluation depends on the complexity of the vehicle's systems and the scope of the assessment. Factors like the number of ECUs, the complexity of the communication networks, and the availability of test vehicles influence the timeline.
Brightsight offers comprehensive automotive IoT security evaluation services. We assess vehicle systems against relevant industry standards and best practices, including ISO/SAE 21434, and provide detailed vulnerability analyses and penetration testing.
Our independent, expert evaluations identify security vulnerabilities and provide actionable recommendations for remediation. In-depth analysis and reporting give manufacturers the confidence to deploy secure connected vehicles.
Automotive standards and recognitions

Security evaluation services for medical devices
With the rising frequency and sophistication of cyberattacks, medical device regulations are increasingly mandating stricter security measures. Meeting these security requirements in the realm of medical technologies (MedTech) presents challenges, particularly when it comes to navigating the complex array of standards and regulations that must be followed.

Overcome obstacles
The first obstacle for medical device manufacturers is the integration of cybersecurity into existing processes and the harmonization of security requirements with safety requirements. The goal of cybersecurity regulations and guidance for medical devices is always the safety of the patient from physical and privacy-related harm; hence the motto "no safety without security".

Cybersecurity requirements shall be included from the early phases of the product life cycle, guaranteeing "secure by design" products, through to the legacy phase of the medical product. The long life cycle is yet another challenge: manufacturers shall consider security solutions for the period after support for the medical device is no longer provided.

The operating environment is an additional challenge. The complexity of medical solutions, emergency situations and the distributed point of care, outside managed and controlled networks, are critical aspects that shall be kept in mind during the design phase of the medical device.
In addition, the medical device manufacturer shall ensure an appropriate level of independence between the development and testing groups, which requires additional technical experts and budget that small and medium-sized companies may find demanding to sustain.
How Brightsight can support
We offer comprehensive training, testing, evaluation and certification services to support medical device manufacturers in the supply of safe and secure products. Our portfolio encompasses the pre-market phases of the product life cycle.
Training modules:
- Comparison of security regulations and standards
- Secure Product Life Cycle
- Security Risk Management Process
- Threat modelling and risk assessment
- Secure coding practices
Testing activities:
- Threat modelling and risk assessment review
- Conformance check against IEC 81001-5-1 and IEC TR 60601-4-5
- Vulnerability scans, penetration testing, source code review, etc.
- Pre-evaluation testing on specific components of the full product
- Focused testing upon customer request
- Full testing campaigns
All our services take into consideration the requirements coming from different regulatory guidance (e.g. FDA, MDR, NMPA, ...) and standards (IEC TR 60601-4-5 and IEC 81001-5-1). In this way, our reports can be submitted to different notified bodies and agencies.
Even if the current landscape for medical device cybersecurity testing lacks clear requirements and testing procedures, Brightsight recognizes the importance of cybersecurity certification. For this reason, it supports cybersecurity certifications such as SESIP, DTSec and the Cybersecurity Labelling Scheme (Medical Devices), which provide a well-defined evaluation procedure and security assurance for the evaluated product.
Length of evaluation or certification process
Training activities can be planned by the customer from the modules listed above. They typically consist of one day of training, delivered as several sessions of 2 to 3 hours each, spread over several days.
Depending on the type of product and the complexity of the solution, a Technical Documentation Review is typically a two-day workshop in which Brightsight experts go through the provided documentation with the developer, identify potential gaps, and propose solutions for improving the security level of the product.
A full testing campaign typically lasts 3 to 6 weeks depending on the complexity of the product; the test plan is based on a defined scope, and the campaign is run as a time-limited project. Tailored testing campaigns can be planned on specific functionalities, interfaces or any other customer need.
Two categories of cybersecurity testing
In black-box testing, the evaluator is placed in the role of an external adversary with no internal knowledge of the target system. Evaluators are not provided with any architecture diagrams or source code that is not publicly available.
Step 1: Qualification
The first contact aims to understand the customer's request and needs and to align them with the service offering.
Step 2: Scoping
Detailed technical questionnaires are provided to the customer to prepare the quotation. The information provided is then used to build a customized offer.
Step 3: Offering
Alignment call(s) with the experts can be organized to discuss the project scope, deliverables and commitments, as well as the service cost.
We can test...
- Implantable devices: pacemakers, insulin pumps
- Diagnostic equipment: MRI machines, blood glucose monitors, patient monitors
- Therapeutic devices: ventilators, infusion pumps, robotic systems used to perform surgical procedures
- Wearable devices: smart watches
- Software as medical device
- Desktop-based applications
- Mobile-based applications
- Web-applications
- Network-based products
- E2621
Medical standards and recognitions
Product security evaluation services for industrial IoT
As the security landscape evolves rapidly, regulations are increasingly requiring proof of cybersecurity management in IoT, exemplified by the cybersecurity requirements of the EU Radio Equipment Directive (RED) that apply from 2025. The IoT sector is impacted by a range of legislation and standards, such as the NIS2 Directive, the EU Cybersecurity Act, the EU Cyber Resilience Act, and NIST IR 8425 (USA).
Obtaining certification against recognized industrial IoT standards, like ISA/IEC 62443, not only demonstrates effective cybersecurity management but also empowers developers to minimize risks in their value chain and distinguish their offerings in the marketplace.

Obtain certification, minimize risk and distinguish your offering in the marketplace
International standards offer a framework and common language for deploying and understanding security. Vendors can use their security evaluation to prove readiness for international standards such as IEC 62443.
Brightsight offers different services related to product security evaluation under certification programmes such as SESIP, PSA Certified, Common Criteria and IEC 62443.
Guiding principles for implementing industrial security
- Any regulation should refer to international standards and specifications.
- Conformity may be shown through frameworks or the issuing of quality/security labels.
- International standards are the preferred means to demonstrate conformity with security requirements.
What is IEC 62443, IACS, IIoT?
Industrial standards and recognitions
Get your IoT devices certified today
Partner with Brightsight to ensure your IoT products meet global security standards.