New Cyber Trust Mark Seeks to Make American IoT Devices Feel More Secure
Written by: Jason Segarra
Published: August 3, 2023
As smart IoT devices proliferate in our homes and places of business, so do security risks. That’s because most commercially sold IoT devices ship without any endemic security features, creating a potential entry point for bad actors once the device connects to a network.
The first two months of 2023 saw a 41% increase in the number of weekly attacks targeting IoT devices compared to 2022. This is an average of around 60 attacks per organization per week. These attacks span a number of different device types, from routers and printers to cameras and smart speakers.
This growing trend may make many consumers and organizations uneasy about purchasing and deploying IoT devices – a fact that has caught the attention of the US government. To this end, the Biden administration has introduced a new initiative that could help grant peace of mind to consumers in the market for connected devices.
What is the US Cyber Trust Mark?
Last month, the Biden-Harris administration announced a new cybersecurity certification and labeling program dubbed the “US Cyber Trust Mark.” This voluntary program, initially proposed by FCC Chairwoman Jessica Rosenworcel, would offer a unique label to IoT devices that provide certain security provisions, similar to the “Energy Star” program that targets household appliances.
For the purposes of the program, an IoT device would be defined as any commercially available connected device that includes specialty networking/gateway hardware such as a hub within the system where the IoT device is used, companion application software like an accompanying mobile app, and a backend such as a cloud service or other storage solution that houses or processes data from the device.
Criteria that must be met to earn the Cyber Trust Mark are being set by the National Institute of Standards and Technology and includes:
- Provisions that make each device uniquely identifiable by the customer and other authorized entities
- All devices must allow customers to change the configuration and settings of each product
- Protection from unauthorized access for all data stored and transmitted by any of the device’s components.
- The device must restrict logical access to local and network interfaces (and protocols therein) to only authorized entities and components
- Make software updates and patches easily available
- And more.
In addition to the badge, participating devices will also come with a QR code that can be scanned for up-to-date security information about the device. Program criteria remain TBD, though the consumer technology association believes that certifications may be fulfilled for some products in time for CES 2024 in January.
You can read what has already been proposed here.
The Latest in a Line of National IoT Security Efforts
The Cyber Trust Mark comes as several countries adopt similar standards to better protect their citizenry from cyber attacks.
2022 saw the enactment of the EU Cyber Resilience Act, which also established rules and guidelines to govern the security practices of commercially distributed IoT devices. Though that legislation has generally been met with praise, there have been calls for clearer language to avoid confusion and potential overreach.
Similarly, the UK launched the Product Security and Telecommunications Infrastructure (PTSI) Bill, which put forth its own criteria for commercial IoT Devices created within and imported into the UK.
The big difference between these programs and the one being introduced to the United States is that the Cyber Trust Mark is not legislation, but a voluntary program. Manufacturers are under no obligation to adhere to the security measures outlined in the program, which is mainly intended to help earn consumer trust.
The First Step Toward Safer IoT Devices
Despite not being mandatory, many officials believe the Cyber Trust initiative is a positive step toward a more secure IoT.
“Our hope is that this label will ignite a healthy sense of competition in the marketplace, compelling manufacturers to safeguard both the security and privacy of consumers who use connected devices and to commit to supporting those devices for the lifetime of those products,” Justin Brookman, the director of technology policy at Consumer Reports told the AP.
Organizations that have already agreed to participate in the program include Amazon, Best Buy, Google, LG, Logitech, and Samsung.
Of course, there are several things users can do to help ensure that their fleet of connected smart devices is secure even after they are in the field. Whether that involves taking your devices off of the public internet or taking advantage of private networking tools, security should always be front of mind when handling the deployment of connected devices.
…………………………..
Interested in learning how to keep your own deployment secure? Speak with us today! Our experts can help you build the solution that ensures your data and devices are secure and operating at peak performance.
