A big part of the discussion around cybersecurity in the last several years has centered around the need for more transparency to help address what many consider to be a market failure of cybersecurity: the lack of a system to reassure consumers that products are safe. On the enterprise software supply chain security front, weâve seen efforts such as software bills of material (SBOM) and self-attestation platforms for suppliers following a secure software development lifecycle, such as the National Institute of Standards and Technologyâs (NIST) Secure Software Development Framework (SSDF).
However, there generally isnât much to help consumers using security as a criterion for how they spend their money make informed purchasing decisions. This is changing on the internet of things (IoT) front, with the introduction in 2023 of the US Cyber Trust Mark program, announced by The White House in July 2023. The announcement framed the program as a voluntary measure to be embraced by smart device and IoT manufacturers to help consumers choose products that are safer and less prone to cybersecurity attacks. The program continued to gain momentum; it was announced at the 2024 Consumer Electronics Show that the EU and US have agreed to pursue a âjoint roadmapâ for cybersecurity labels. âWe want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,â said Anne Neuberger, the White Houseâs deputy national security advisor for cyber and emerging technologies.
This line of thinking likely comes as a breath of fresh air from an industry that often voices concerns over the chaotic cybersecurity policy and regulatory landscape, often leading to duplicative, costly, and cumbersome requirements on technology suppliers.
If youâve ever purchased products such as appliances and electronics, you may have noticed âEnergy Starâ ratings, which is a program led by the US Environmental Protection Agency and Department of Energy to help consumers understand the energy efficiency of products. Despite internet-connected software being pervasive in exponentially more consumer goods over time, there is currently no universally accepted labeling scheme for cybersecurity that would help consumers understand the security and safety of products, such as IoT or smart devices.
In modern society it isnât just enterprises and businesses that are powered by software, but homes and personal lives as well. Appliances, electronics, wireless communication devices, and more are powered by software. This increasingly exposes consumers to cybersecurity, privacy, and safety concerns. As part of the broad goals and objectives of the 2021 Cybersecurity Executive Order (EO), NIST was directed to initiate labeling programs for devices such as consumer IoT products. NIST has published insights into what the labeling program would look like, such as their âRecommended Criteria for Cybersecurity Labeling of Consumer IoT Productsâ.
Simply determining the scope of what counts as an IoT product can be a challenge, as there are millions of devices now integrating software, connectivity, and digital features. According to NISTâs publication, an IoT product is defined as âcomputing equipment with at least one transducer and at least one network interface,â
Given that IoT devices often exist in a broader architecture and ecosystem, NIST notes that IoT products often have many components other than the device itself that are potential attack vectors. For clarity, NIST identifies three categories of components that should also be secure:
- Specialty networking and gateway hardware (a hub within the system where IoT devices are used)
- Companion application software (such as an accompanying mobile application)
- Backends (such as cloud services to store or process data from the device)
As defined, these devices have the ability to communicate network traffic and are often managed by associated applications and software and integrated into broader backend architectures such as cloud environments that process or store data from the IoT device.
As NIST points out in the context of their labeling recommendations, an IoT product is defined as âan IoT device and any additional product components that are necessary to use the IoT device beyond basic operational features.â This means that not just the physical device is in the scope of their labeling purview and objectives but also the associated aspects discussed above, such as networking/gateways, companion application software and backends within the architecture. This makes sense, given all these aspects of the IoTâs architecture and operations are a core part of its security, privacy and safety for consumers and part of the attack surface for malicious actors.
Here are some of the baseline product criteria as defined by NIST when it comes to the cybersecurity outcomes of the IoT devices and developers as part of the product labeling program. These criteria apply both to the device and in some cases the device supplier. NIST mentions that each of these product criteria may not be applicable to every IoT device and suppliers have the flexibility to determine supporting evidence for the various areas of criteria. The official NIST document goes into significant depth for each area of criteria, but we will briefly touch on them below.
This means the supplier can uniquely identify the product and provide an inventory of all of its components. This inventory should be kept up to date and this is useful from the cyber perspective to help identify which IoT products and components are needed for activities such as asset management, digital forensics, and incident response.
Product configurations can introduce vulnerabilities; therefore, the ability to make changes should be restricted to authorized entities. From a security perspective, this can help customers tailor products to their needs and avoid specific threats based on their unique risk appetite. Worth calling out here is the broader push for the adoption of secure-by-design/default weâre seeing from CISA and others toward product suppliers. This means products should be secure by default and hardened, with customers able to make modifications as they see fit, versus needing to harden insecure products they receive.
The IoT device and its components must protect data stored and transmitted from unauthorized access, disclosure, and modification.
The IoT product and its components must restrict logical access to local and network interfaces to authorized individuals, services, and IoT product components.
Software updates have availability and security implications, so it is no surprise to see NIST state that updates should only be able to be conducted by authorized entities.
Suppliers need to be able to detect cybersecurity incidents impacting the IoT products and their components, as well as the data they store and transmit. This involves capturing logs, records, and relevant data.
NIST states that product developers must create, gather, and store information relevant to the cybersecurity of the IoT product and its components prior to customer consumption and throughout a product’s entire lifecycle.
IoT product suppliers must be able to receive information relevant to the cybersecurity of their products, such as bug reporting and vulnerabilities. They also must be able to receive inquiries from customers and consumers and respond regarding the cybersecurity of their products.
Inversely, IoT product suppliers also must be able to disseminate information related to their products, either to the public or directly to customers regarding the cybersecurity of the device and other relevant information such as end-of-life support, new vulnerabilities and needed maintenance.
NIST states that IoT product developers must create awareness and education to customers and the broader IoT product community regarding cyber-related information, such as considerations, threats and features to products and components.
Given that IoT product vulnerabilities and misconfigurations are what primarily lead to security incidents, NIST provides a comprehensive list of example vulnerabilities and incidents as well as relevant tactics and techniques that were involved as well as related baseline criteria categories outlined above that could have mitigated risk.
The information and potential product vulnerabilities are too vast to list, but examples cited include unauthorized access to baby monitors, Mirai malware variants, unauthorized access and publication of fitness tracker data, as well as unauthorized access to home security systems and data.
Given the vast array of IoT devices per the scope of the definition and the incredibly diverse and expansive consumer customer base the labeling scheme is intended to support, it is clear that it is an ambitious goal. Some key guiding principles emphasized by NIST include:
- Labels being available to consumers before and at the time of purchase as well as afterwards, supporting both digital and physical formats.
- Labels should be accompanied by a robust consumer education campaign.
- Consumers should have online access to additional information such as the labelsâ intent, scope, and product criteria.
While the labeling scheme is a massive undertaking, it is absolutely critical to help suppliers take more responsibility for the security outcomes of customers and consumers (a key theme from CISAâs latest âSecure-by-Design/Defaultâ guidance), and help consumers make risk-informed decisions around purchases and consumption, which will help address longstanding cybersecurity market failures, incentivizing suppliers to truly address cybersecurity of their IoT products. The Cyber Trust Mark program is still in its early stages, but the recent addition of international support from the EU demonstrates that the program is poised to have a broad impact on the software-driven consumer goods market around the world.
Go to Source