Cybersecurity Labeling for Consumer IoT Devices In the U.S.: The Who, What, When, Why, and How
October 27, 2022
Earlier this month, the White House brought together federal agencies and a number of consumer companies, including Amazon, Google, and Intel, to discuss a cybersecurity labeling program for consumer IoT devices. The program calls for Energy Star-like labeling to educate consumers and give them peace of mind that the IoT devices they purchase have a “baseline” of security.
Editor's note: Colin Duggan will be presenting in the Security at the Edge session of the IoT Device Security Conference.
This effort started in the wake of the Colonial Pipeline and SolarWinds hacks in 2021, when President Biden issued Executive Order 14028 with the goal of improving the Nation’s cybersecurity. Among its several directives, including improving endpoint detection and response, implementing zero trust, and requiring multi-factor authentication in federal agencies, was an order for a consumer labeling program for IoT devices.
The National Institute of Standards and Technology (NIST), the federal organization chartered by Congress to help both government and industry implement cybersecurity, was tasked in that executive order with developing guidance for this labeling program. NIST’s response includes workshops to spur input, solicitation of public comments, a white paper released earlier this year outlining recommendations, and a summary of these activities.
That white paper built upon work NIST had already done recommending best practices for IoT cybersecurity. Those recommendations can be found in the NISTIR 8259 family of documents, which outline both technical and non-technical recommendations for IoT device security. Because NISTIR 8259 provides a complete baseline for IoT device security and gives clear guidance, BG Networks has based its cybersecurity automation on these recommendations.
The NIST white paper provides a good general summary of what sort of security should be included in IoT products and correlates with the NISTIR 8259 IoT Device Cybersecurity Capability Core Baseline. Those recommendations are shown below, with items 1 through 6 being technical and 8 through 11 being non-technical. Technical recommendations are security features to be built into the IoT device itself. The non-technical recommendations are activities that an IoT device developer or manufacturer should carry out, such as documenting security features and educating the consumer.
Summary of NIST IoT device recommendations for a cybersecurity consumer labeling program:
1. Asset identification – IoT devices can be identified by the customer and the manufacturer
2. Security configuration – Security settings on the device can be changed, including resetting the device to a secure state
3. Data protection – Both for data stored on the device and for data in transit
4. Interface access control – Secure the I/O interfaces of the IoT device with strong passwords and, ideally, multi-factor authentication
5. Software updates – Needed to patch vulnerabilities that are discovered in the future
6. Cybersecurity state awareness – To determine whether the device is under attack
7. Product security – A device needs to continue to function even if its network connection is lost
8. Documentation – Document the cybersecurity assumptions made during development, including the security capabilities and what is needed to maintain them through the product’s lifecycle
9. Information for and queries from customers – A program set up at the company to receive information about vulnerabilities and answer questions from consumers
10. Information dissemination – To inform consumers about vulnerabilities or other cybersecurity-related topics
11. Education and awareness – Education aimed at the consumer
With that background, we can now discern the who, what, when, why, and how of the upcoming consumer labeling:
- Who: This program targets consumer electronics companies that make IoT devices for sale in the U.S. and that will be adding cybersecurity labeling to their devices.
- What: A QR code on the consumer IoT device will link to a website carrying the IoT cybersecurity label information, which will be based on the NIST recommendations.
- When: The program starts in the spring of 2023, with voluntary participation. No timeline has been given for a mandatory program.
- Why: There are many examples of consumer IoT devices being hacked, including video baby monitors, security cameras, fitness trackers, and home routers.
- How: It is not yet clear how the program will be enforced. NIST has stated that “scheme owners,” both public and private entities, are needed to drive the program and maintain its integrity.
It is important for companies that manufacture and sell IoT devices to watch how this program unfolds, including who will administer it and when it will become mandatory.
Colin Duggan is the CEO of BG Networks, an IoT cybersecurity software company. BG Networks’ mission is to enable IoT security everywhere through automation. Before founding BG Networks, Duggan worked at Analog Devices for 29 years in various engineering, management, and marketing roles.