Cyber Trust Mark program will reassure wary IoT buyers

The US Cyber Trust Mark program is scheduled to commence in 2024, with the introduction of the first IoT products bearing labels that assure consumers that those products conform to current cybersecurity best practice. Broad industry participation in the program should go a long way towards reassuring a justifiably wary market about the security of the IoT devices it buys.

Cyber insecurity

Initially, IoT devices were far less likely to have security built in. Cyber criminals quickly discovered that connecting unprotected IoT devices can open pathways of attack to far more valuable computing assets elsewhere on a network.

Also, when the IoT began, the expectation was that many IoT devices would be unconnected to anything of real value, and therefore too inconsequential for anyone to bother attacking. Instead, malicious hackers have demonstrated that attacking such devices is not only possible and easy, but also highly profitable, whether as a foothold into the rest of the network or as raw material for botnets.

Clearly, no IoT target is off limits. Protecting all IoT devices is an imperative.

Cyber security first steps

Many of the leading companies that create enabling IoT technologies, including Silicon Labs, have developed a variety of technologies, techniques, and practices to keep the IoT secure. Standards and practices have been formalised by a number of organisations, including the IEEE and the Connectivity Standards Alliance.

Even so, coordinating and encouraging the industry-wide adoption of common security measures has proven to be too big a task for companies collaborating informally among themselves or even working together through industry groups.

At the same time, technology suppliers are in no position to compel customers to use the security features they create.

Common principles

Governments have also started taking a keen interest in IoT security. In 2021, President Joe Biden signed an Executive Order on Improving the Nation’s Cybersecurity, leading to the creation of the US Cyber Trust Mark program.

The program leverages the efforts of the National Institute of Standards and Technology (NIST), which works with industry to keep an updated catalogue of best practices for IoT security, covering the development, testing, and maintenance of IoT devices.

The basic principles adopted by the US cover most of the key measures that security experts have been recommending all along. One highlight is that each IoT product must be uniquely identifiable, so that at any point in its lifetime a user can validate its authenticity. Another is that products must protect user data and safeguard against unauthorised access. Closely related is the requirement that a product accept updates only from authorised entities, delivered in a safe and secure way. There are also requirements around securing the interfaces between IoT devices and protecting the data that flows between them.
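The "updates only from authorised entities" requirement above is usually met by having the device verify a vendor signature over each update image before installing it, and by refusing images older than the one already installed. The following Go program is an added example written for this article, not code from Silicon Labs or from the Cyber Trust Mark program. The image layout (a "CTMK" magic, a version, a length, the payload, and a trailing Ed25519 signature) is a hypothetical format invented for the demonstration, and the vendor key pair and payloads are generated and constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout for this example (not a real vendor format):
//   "CTMK" (4 bytes) | version uint32 BE | payload length uint32 BE | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so the version field used for
// rollback protection cannot be altered without invalidating the signature.
const (
	magicLen  = 4
	headerLen = magicLen + 4 + 4
	sigLen    = ed25519.SignatureSize
)

var magic = []byte("CTMK")

var (
	ErrMalformed = errors.New("update image malformed")
	ErrBadSig    = errors.New("update image signature invalid")
	ErrRollback  = errors.New("update image version not newer than installed version")
)

// BuildUpdate is the vendor-side step: it signs a versioned payload with the
// vendor's private key. Only the public half is ever provisioned onto devices.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, headerLen+len(payload), headerLen+len(payload)+sigLen)
	copy(img, magic)
	binary.BigEndian.PutUint32(img[magicLen:], version)
	binary.BigEndian.PutUint32(img[magicLen+4:], uint32(len(payload)))
	copy(img[headerLen:], payload)
	sig := ed25519.Sign(priv, img) // signature over header + payload
	return append(img, sig...)
}

// VerifyUpdate is the device-side step. It accepts an image only if it is
// long enough to carry a header and signature, the signature verifies under
// the provisioned vendor public key, the header is well-formed, and the
// version is strictly newer than the installed one (anti-rollback). The
// signature is checked before any header field is trusted.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+sigLen {
		return 0, nil, ErrMalformed
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSig
	}
	if !bytes.Equal(body[:magicLen], magic) {
		return 0, nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(body[magicLen:])
	plen := binary.BigEndian.Uint32(body[magicLen+4:])
	if uint64(plen) != uint64(len(body)-headerLen) {
		return 0, nil, ErrMalformed
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[headerLen:], nil
}

func main() {
	// Vendor key pair, generated here only for the demonstration.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(1)

	good := BuildUpdate(priv, 2, []byte("firmware v2 (constructed payload)"))
	v, _, err := VerifyUpdate(pub, installed, good)
	fmt.Println("genuine v2:", v, err)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // flip one payload bit in transit
	_, _, err = VerifyUpdate(pub, installed, tampered)
	fmt.Println("tampered:", err)

	old := BuildUpdate(priv, 1, []byte("firmware v1"))
	_, _, err = VerifyUpdate(pub, 2, old)
	fmt.Println("rollback to v1 on a v2 device:", err)

	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildUpdate(attacker, 3, []byte("malicious"))
	_, _, err = VerifyUpdate(pub, installed, forged)
	fmt.Println("signed by unauthorised key:", err)
}
```

The design choice worth noting is that the device never holds a signing key: a symmetric MAC would let anyone who extracted the key from one device sign updates for every device, whereas with a public key on the device only the vendor's private key can produce acceptable images. The version check is what turns "accept only authorised updates" into "accept only authorised and current updates", closing the door on replaying an older, signed but vulnerable firmware.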

Similar regulations are being adopted in various other countries, including Germany, the UK, Australia, Singapore, and India. They generally agree on the same basic principles: unique per-device passwords rather than universal default passwords, resilience to outages, and giving users the ability to manage their own data (specifically, to delete it).

Singapore’s program is the Cybersecurity Labelling Scheme (CLS), run by the Cyber Security Agency of Singapore, and the European Union has adopted cybersecurity requirements under its Radio Equipment Directive (RED).

The Cyber Trust Mark

Manufacturers will earn the right to use the Cyber Trust Mark on their products by demonstrating that those products meet an objective, verified baseline level of security based on the criteria defined in NIST IR 8425 (Profile of the IoT Core Baseline for Consumer IoT Products).

The value of such labels is that they will be “living” – they will include a link (a QR code, for example) that will lead consumers to updated information on the devices they are using.

This matters because cyber security is an endless process of black hat criminals finding new modes of attack and white hat security experts devising countermeasures. Combined with the unique product identity the baseline requires, the label gives consumers a way to confirm that the device they hold is genuine and that its security status has not been compromised in transit from the manufacturer, while it sat on store shelves, or after they have installed it.

Living labels make it possible for IoT device manufacturers to keep their customers informed of the latest developments as they happen.

An additional requirement of the program is providing means for the public to report security vulnerabilities.

Expanding a safe IoT

This increased transparency will enable consumers to make better-informed decisions. It will also help the IoT industry scale up, as trust grows not only with consumers but also among device vendors, ecosystem partners, Internet service providers, and the broader technology universe, with more stakeholders embracing the security the label represents.

The expectation is that consumers will prefer products that provide assurances of cybersecurity. That should make the label a significant product differentiator, giving more manufacturers an incentive to adopt the cyber security measures that will qualify their products for the program. The net effect should be a safer IoT and an expanding IoT market.

Rohit Ravichandran is Product Manager at Silicon Labs.