This week the White House announced the launch of its Cyber Trust Mark program, which introduces cybersecurity labeling for connected devices. Described as an “Energy Star for IoT Cybersecurity”, the program is meant to give consumers a clear way to compare the security of smart devices and to choose devices that are better protected against cyberattacks.
To keep track of changes in a product’s security posture, each labeled device will also carry a QR code. The code will link to a registry of certified devices that provides up-to-date security information, such as the software update policy and information about vulnerability remediation.
The program was initially unveiled last October, and according to the announcement it will go into effect in 2024. The initiative will be spearheaded by the Federal Communications Commission (FCC), in collaboration with the National Institute of Standards and Technology (NIST) and numerous regulatory and manufacturing leaders, including Amazon, Logitech, Google, Samsung, LG Electronics, CSA, CyLab and UL Solutions, to name a few.
During the announcement session, which you can watch below, the participants shared their views and their vision for the program, and the following common themes ran through all of them:
- The responsibility for device security lies with the IoT manufacturers.
- Transparency and clarity are critical for gaining consumer trust.
- Gaining said trust is critical to the widespread adoption of IoT technologies.
- The program lays the foundation for an international IoT security standard.
- There is a business benefit in labeling devices as more secure premium products.
These ideas, and many others voiced during the session, echo the values we have been focusing on for years: the very mission for which Sternum was founded.
Now that the future we envisioned is starting to take shape, we wanted to take a moment and share some of our thoughts about the Cyber Trust Mark program, its implications, and the adoption cycle ahead.
What Are The Requirements?
In short, this is yet to be determined. What we know for now is that defining the label requirements will be a collaborative effort between government bodies, industry experts, and cybersecurity professionals. The likely starting point for this discussion is the core device cybersecurity capability baseline NIST laid out for IoT devices (NISTIR 8259A), which includes:
- Asset Identification (NIST’s term is Device Identification): ensuring that each device can be uniquely identified so that its security can be tracked and managed.
- Data Protection: Implementing encryption and other safeguards to protect sensitive data from unauthorized access.
- Interface Access Control: Restricting access to critical functions and data through secure authentication mechanisms.
- Software Updates: Ensuring that devices can receive and apply security updates to address vulnerabilities.
- Cybersecurity State Awareness: devices should be able to report on their own security state, which in practice means mechanisms to detect security incidents and to respond to them actively.
From an implementation perspective, ‘Data Protection’ and ‘Software Updates’ are relatively straightforward, in the sense that the building blocks exist: many devices already employ encryption and issue security patches to address vulnerabilities. Doing them well (authenticated, rollback-protected updates; keys kept out of reach of the application firmware) is still real work, but not uncharted territory.
‘Interface Access Control’ is another low-hanging fruit. Past failures here (e.g., universal default passwords shared by an entire product line) were mostly product decisions and user-education problems rather than missing technology; per-device unique credentials and authenticated management interfaces can be built from components already available for integration into devices.
However, ‘Asset Identification’ and ‘Cybersecurity State Awareness’ present more significant challenges, as they require device-level solutions with active security, monitoring, and log management components.
Currently, few IoT manufacturers actively track individual device security or possess extensive incident response mechanisms beyond reactive patching. Incorporating new threat mitigation and monitoring capabilities demands a change in mindset and substantial resource investment, particularly for products already on the market.
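To make the two “harder” capabilities concrete, here is an added example (constructed for this post, not Sternum’s product code, and not code from the original article) of the minimum a device and its manufacturer’s backend need to exchange: a per-device identity that cannot be spoofed by another device, and a self-reported security state (firmware measurement, patch level, recent security events) that the backend can verify and assess. The device IDs, per-device keys and firmware images are all made up; the “approved firmware” table stands in for the kind of data a registry behind the label’s QR code could publish.

```python
"""Constructed example: a device-side 'cybersecurity state' report tied to a
per-device identity, and the fleet-side checks a manufacturer backend would run.
Not Sternum's product code; device IDs, keys and firmware images are made up."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Hypothetical per-device secrets provisioned at manufacture and mirrored in the
# manufacturer's backend. A key that exists on only one device is what makes the
# identity meaningful: device A cannot produce a report that claims to be device B.
DEVICE_KEYS: Dict[str, bytes] = {
    "dev-0001": bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"),
    "dev-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"),
}

# Constructed firmware images standing in for real builds. The backend keeps the
# hash of every released build so it can tell a stock image from a modified one.
FIRMWARE_IMAGES: Dict[str, bytes] = {
    "1.2.0": b"constructed firmware image v1.2.0",
    "1.3.0": b"constructed firmware image v1.3.0 (security fix)",
}


def _vtuple(version: str) -> Tuple[int, ...]:
    """'1.3.0' -> (1, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def firmware_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


APPROVED_FIRMWARE: Dict[str, str] = {v: firmware_digest(img) for v, img in FIRMWARE_IMAGES.items()}
LATEST_VERSION: str = max(FIRMWARE_IMAGES, key=_vtuple)


def _canonical(report: dict) -> bytes:
    """Stable serialisation: the MAC must cover exactly the bytes the backend re-serialises."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def build_report(device_id: str, image: bytes, version: str, counter: int, events: List[dict]) -> dict:
    """What the device knows about its own security state."""
    return {
        "device_id": device_id,
        "fw_version": version,
        "fw_sha256": firmware_digest(image),  # measured at boot in a real device
        "counter": counter,                   # monotonic; lets the backend spot replays
        "events": events,                     # e.g. [{"type": "auth_failure", "count": 25}]
    }


def sign_report(report: dict, device_key: bytes) -> dict:
    """HMAC-SHA256 under the per-device key binds the report to that device."""
    mac = hmac.new(device_key, _canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "mac": mac}


class Backend:
    """Fleet-side view: known identities, approved builds, last counter per device."""

    def __init__(self, keys: Dict[str, bytes], approved: Dict[str, str], latest: str):
        self.keys = keys
        self.approved = approved
        self.latest = latest
        self.last_counter: Dict[str, int] = {}

    def verify(self, signed: dict) -> Tuple[bool, List[str]]:
        """Returns (authentic, findings). Unauthentic reports are dropped, not assessed."""
        report = signed["report"]
        key = self.keys.get(report.get("device_id"))
        if key is None:
            return False, ["unknown device id"]
        expected = hmac.new(key, _canonical(report), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["mac"]):
            return False, ["bad MAC"]
        dev = report["device_id"]
        if report["counter"] <= self.last_counter.get(dev, -1):
            return False, ["replayed or stale report"]
        self.last_counter[dev] = report["counter"]

        findings: List[str] = []
        version = report["fw_version"]
        approved_hash = self.approved.get(version)
        if approved_hash is None:
            findings.append(f"unknown firmware version {version}")
        elif approved_hash != report["fw_sha256"]:
            findings.append("firmware hash mismatch: image differs from the released build")
        if version in self.approved and _vtuple(version) < _vtuple(self.latest):
            findings.append(f"update available: {version} -> {self.latest}")
        for event in report["events"]:
            if event.get("type") == "auth_failure" and event.get("count", 0) >= 10:
                findings.append(f"{event['count']} auth failures: possible credential attack")
        return True, findings


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Runs a constructed sequence of reports through one backend instance."""
    backend = Backend(DEVICE_KEYS, APPROVED_FIRMWARE, LATEST_VERSION)
    good = sign_report(build_report("dev-0001", FIRMWARE_IMAGES["1.3.0"], "1.3.0", 1, []),
                       DEVICE_KEYS["dev-0001"])
    # Same build with one byte patched, plus a burst of failed logins.
    tampered = sign_report(build_report("dev-0002", FIRMWARE_IMAGES["1.3.0"] + b"\x90", "1.3.0", 7,
                                        [{"type": "auth_failure", "count": 25}]),
                           DEVICE_KEYS["dev-0002"])
    # dev-0002 trying to impersonate dev-0001: wrong key for the claimed identity.
    forged = sign_report(build_report("dev-0001", FIRMWARE_IMAGES["1.3.0"], "1.3.0", 2, []),
                         DEVICE_KEYS["dev-0002"])
    outdated = sign_report(build_report("dev-0001", FIRMWARE_IMAGES["1.2.0"], "1.2.0", 2, []),
                           DEVICE_KEYS["dev-0001"])
    return {
        "good": backend.verify(good),
        "tampered": backend.verify(tampered),
        "replay": backend.verify(good),
        "forged": backend.verify(forged),
        "outdated": backend.verify(outdated),
    }


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(f"{name:9s} authentic={ok} findings={findings}")
```

Two design points matter more than the code itself. First, the backend refuses to assess anything it cannot authenticate: a forged or replayed report is dropped before its contents are looked at, otherwise a compromised device could feed the fleet dashboard a clean picture of itself. Second, the symmetric HMAC used here is the simplest thing that works offline; in a shipping product the per-device secret belongs in a secure element and an asymmetric signature (so a backend breach cannot forge device reports) is the better choice, with the firmware hash coming from measured boot rather than from the firmware hashing itself.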
“And this is where Sternum comes in…”—but let’s skip the sales pitch. The problem is genuine, and IoT builders are well aware of its significance. Seeing is believing, and if you want to learn more about how we help, reach out and we can schedule a call and talk.
The Day After
The Cyber Trust program marks a pivotal moment, prompting us to ponder its potential implications and how events may unfold.
Initial Response and Eventual Adoption
It would be over-optimistic to expect the program to have an immediate effect. That said, its introduction will likely garner media attention, followed by companies vying for a first-mover advantage with product announcements.
Encouragingly, the commitment of industry leaders to the program ensures ongoing media interest. Still, the market will ultimately decide the label’s short-term weight. Long-term, however, the label will become a fact of life. It’s not a question of “whether”, but of “how soon”. Judging by how quickly the administration has moved so far, it will be sooner than we might think.
Existing Products, New Market Opportunities
As the Cyber Trust Mark gains traction, manufacturers will face pressure to update devices already in the market, presenting significant business opportunities for security solution providers offering “retrofitted” solutions.
The program will also give device manufacturers an opportunity to use security as a differentiator, expanding market share for existing products and enhancing overall brand perception, given how important security is to any premium, cutting-edge brand or product.
Raising the Technology Bar
The labeling program is not an isolated occurrence. In recent years, regulators worldwide have been enforcing higher security standards for specific IoT industries, the latest example being the 2023 omnibus spending bill (the Consolidated Appropriations Act, 2023), which expanded the FDA’s authority over medical device cybersecurity.
Elevating the standards for consumer devices will inevitably raise expectations for critical-function devices in hospitals, factories, and critical infrastructure. This demand will drive the market for new and advanced IoT security solutions, potentially sparking a technology race among major cybersecurity players and device manufacturers venturing into cybersecurity.
Moving Towards Defense in Depth
Network-level protection served its purpose, enabling CISOs and their teams to secure and monitor devices they could not change. Such solutions remain relevant, but the rise of on-device protection will lead to a more complete IoT security model, aligned with the ‘Defense in Depth’ approach.
In this model, perimeter security is one of several defense layers safeguarding critical assets. Behind it you’ll find the devices themselves, equipped with active mitigation, dynamic security controls, and threat monitoring and response mechanisms. When we see that happening, we’ll know that IoT security is finally starting to catch up.