Japan’s Ministry of Economy, Trade and Industry (METI) has gone live with its STAR-1 labelling scheme for IoT cybersecurity. Vendors of IoT devices and technologies can now begin the process of obtaining the STAR-1 label based on a self-declaration of conformance to a unified baseline criteria of compliance.

The STAR-1 labelling scheme is a key part of the Japan IoT Product Security Conformity Assessment Scheme (JC-STAR) programme. JC-STAR establishes a national system to evaluate and advertise the security measures of IoT products through conformity assessment and labelling.

METI established the “Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme” in November 2022. The Japanese Government was increasingly concerned about the vulnerability of IoT and devices to cyber-attacks. Due to its advanced technology sectors as well as its strategic geopolitical position, Japan has become an attractive target for cyber hackers, including hostile state actors. Attacks on Japanese companies, critical infrastructure and consumers through IoT devices are rising steadily. In 2017, Japan’s Ministry of Internal Affairs and Communications warned that two thirds of all cyber attacks in Japan in 2016 were directed against IoT devices.

Japanese Government hacks IoT devices

At the beginning of 2019, the Japanese Government announced its intention to carry out its own cyber-attacks on Japanese companies and consumers to determine just how vulnerable Japanese infrastructure and citizens were to cyber attacks. Employees at the country’s National Institute of Information Communications Technology carried out the attacks against common IoT devices, including routers, webcams and Internet-connected devices, using nothing accept default passwords.

The results appear to have shocked the Japanese Government, and resulted in the JC-STAR programme being announced in 2022. The STAR-1 scheme is the first major outcome of the new programme.

The scheme aims to make it easier for procurers and end-users, including government agencies, critical infrastructure providers, local governments, large private companies, small and medium-sized enterprises, and consumers, to select and procure secure IoT products.

The scheme was originally intended to go live in the Summer of 2024. However, applications for the STAR-1 scheme did not open until the end of March 2025.

The scheme is designed to support selection and procurement of IoT products that meet required security levels for organisations by providing a common standard for evaluation and visualisation.

In addition, it defines requirements for IoT products used in specific sectors, allowing industry organisations to specify necessary certifications and labels, effectively using the Scheme as a sector-specific standard.

Scope of the STAR Scheme

The scheme aims to reduce the cost for IoT product vendors when exporting by coordinating with other countries’ schemes and aiming for mutual recognition.

The structure of the scheme is a voluntary, multi-level system to establish security requirements across different levels of threats and products.

Products covered include devices that have the ability to send and receive data using the IP protocol. This includes devices that can be connected to the Internet directly. But it also includes devices that can be connected to a network employing IP. Examples include hubs/switches, smart home devices, OA products, PLC, DCS, industrial control equipment, sensors, and controllers.

Certain types of products have been generally excluded from the scheme. This include general-purpose IT products such as PCs, tablets, and smartphones, where users can easily alter security measures such as via software products.

A nuance is added for IoT products with a general-purpose OS. These will be considered in scope of the scheme if users cannot easily add security measures to the product itself. Other products included in the scope of the scheme include drones, firewalls, webcams, and internet-connected appliances.

Information-technology Promotion Agency

The scheme is operated by the Information-technology Promotion Agency (IPA), an agency of METI, and operating under its direct supervision. The scheme expands upon IPA’s existing Japan Information Technology Security Evaluation and Certification Scheme (JISEC).

A Secretariat, jointly established by IPA and METI, is responsible for expanding the Scheme, coordinating with other schemes, promoting its use, and encouraging certification by vendors. A Steering Committee oversees operational policies and management, and a Technical Advisory Committee approves conformance criteria and other technical matters, supported by Conformance Criteria Working Groups for specific product categories.

STAR Ratings

The Scheme has multiple levels, indicated by ‘STAR’ ratings.

STAR-1 represents a unified baseline criteria common to all IoT products in scope, addressing minimum assumed threats. Conformity is based on a self-declaration by the IoT product vendor, with evaluation results documented in a checklist. IPA checks the format of the checklist and grants the label.

STAR-2 represents the baseline criteria (STAR-1) plus additional security requirements per product category. Like STAR-1, conformity is based on a self-declaration by the IoT product vendor, with evaluation results documented in a checklist.

STAR-3 and above (including STAR-4) is intended for products used in systems requiring high reliability, such as those used by government agencies, critical infrastructure providers, and large companies. Conformity is assessed through a third-party evaluation conducted by an independent test laboratory, and IPA, acting as the certification body, certifies and grants the label after reviewing the evaluation report.