
Cybersecurity Labeling for IoT

IoT device cybersecurity needs to be better

The number of Internet of things (IoT) devices in the world is large
and on the rise.
By July 2023,
it was 15.14 billion.
And it is estimated that,
by the start of the new decade,
there will be about 29.42 billion.
Basically,
their number seems to almost double every five years.
Right now,
large corporate networks may have millions
of such smart devices connected to them.
That could be up to 30% of all the connected devices.

Organizations use IoT devices
for several reasons.
Some,
such as those in the healthcare sector,
find them useful for tracking equipment and tools remotely via sensors
or offering remote support to practitioners in augmented reality.
Others,
like those in the retail sector,
may use IoT devices to boost the efficiency of their logistics
(e.g., monitoring that inventory is
where the inventory system claims it should be).

IoT devices are, however, known to be insecure,
as they generally come with default,
guessable usernames and/or passwords,
use outdated software components,
do not encrypt data,
and do not get regular software updates,
or those updates are not always successful.
Possibly part of the fault lies in manufacturers’ eagerness
to deploy their devices massively and quickly,
which outweighs any importance given to security testing during development.
Another contributing factor may be the lack of strict government regulations
on the cybersecurity of such devices.

The fact is
that the lack of compliance with security requirements in IoT devices
represents an important risk.
By the start of 2023,
organizations globally received a mean of 59.7 attack attempts weekly
targeting those devices.
Insecure gadgets,
which make up a big chunk of organizations’ attack surfaces,
are therefore the focus of a lot of activity by malicious hackers.
Indeed,
highly skilled groups of cybercriminals
with enough resources to attack their targets repeatedly,
known as advanced persistent threats (APTs),
are leveraging zero-day security vulnerabilities
in smart home cameras,
connected car systems,
wearable devices, etc.,
to conduct surveillance and carry out espionage campaigns.

Cybersecurity labeling program in the United States

The above has motivated nations to include in their cybersecurity strategies
an item regarding actions to increase cybersecurity on smart devices
to protect consumers.
Accordingly,
in the U.S.,
the White House and the Federal Communications Commission (FCC)
created a program,
named U.S. Cyber Trust Mark,
that aims to certify and label Internet-enabled devices as secure
and will possibly be ready to start in late 2024.

The program is part of
the United States National Cybersecurity Strategy Implementation.
It is in the process of establishing guidelines for manufacturers
to follow voluntarily in the products they develop and deploy.
These products include smart televisions,
microwaves,
refrigerators,
fitness trackers,
climate control systems, and more.
The guidelines shall be based on recommended cybersecurity criteria
published by the National Institute of Standards and Technology (NIST).
Further,
the program proposes
that complying products get a cybersecurity label
“in the form of a distinct shield logo.”
This label would help consumers easily choose smart devices
that may be less vulnerable to cyberattacks than those without the label.
And to help choice even more,
and also promote transparency and competition,
the FCC plans to use a QR code
that consumers can scan
to access a national registry listing the products
with their security information,
which can then be used by the consumer to establish comparisons.

Although NIST is still working
to define the requirements for consumer-grade routers,
and other agencies are undertaking research
to develop requirements for other smart devices,
we can still summarize,
in our own words,
the recommended criteria that NIST has already made public.

The source we refer to is the white paper from February 4, 2022,
titled “Recommended Criteria for Cybersecurity Labeling
for Consumer Internet of Things (IoT) Products.”
It is a response to the Executive Order 14028,
“Improving the Nation’s Cybersecurity,”
which tasks NIST with,
among other things,
formulating cybersecurity criteria and labeling approaches for IoT.
Most of this agency’s criteria can be satisfied
by the IoT product’s software and/or hardware,
and some apply to the developer.
We present them briefly as follows:

  • Asset identification: The product has a unique identifier
    and inventories all of its connected components.

  • Product configuration: The product’s default setting is secure,
    and authorized users, services or components can change settings
    and also revert them to default.

  • Data protection: The product and its components protect the data
    they store and transmit
    from unauthorized access, disclosure and modification.

  • Interface access control:
    The product and its components restrict logical access
    to local and network interfaces
    to only the authorized users, services or components.

  • Software update: There is a secure and configurable mechanism
    to update the software of the product’s components
    (even non-executable software data).

  • Cybersecurity state awareness:
    The product detects cybersecurity incidents
    affecting or affected by its components and the data they store and transmit.

  • Documentation:
    The developer creates exhaustive documentation on the product
    that consumers can read before purchase
    and mentions information such as the product’s intended use,
    compliance and noncompliance with requirements,
    components,
    security tests passed,
    as well as the vendor’s methods of receiving reports of vulnerabilities,
    processes for recording reported vulnerabilities,
    policy for responding to such reports,
    policy for disclosing verified vulnerabilities,
    and processes for receiving news from component suppliers
    about changes in the latter’s products.

  • Information and query reception: The developer receives information
    relevant to the cybersecurity of the product
    and responds to queries about it.

  • Information dissemination: The developer discloses through a channel
    information and events throughout the product’s support lifecycle,
    including updates to terms of support,
    needed maintenance,
    new vulnerabilities,
    data breaches,
    as well as other cybersecurity relevant information,
    like steps for vulnerability remediation
    and the developer’s security practices and certifications
    related to such practices.

  • Product education and awareness: The developer educates users
    and creates awareness on the product’s cybersecurity related information,
    such as that regarding configuration and patch management to mitigate risks.

This sounds like it’s going to be a gigantic step
for IoT device cybersecurity.
Remarkably,
the White House’s statement
about the program
mentions the manufacturers and retailers
that have announced their support and commitment to the program,
and these include big names.
These are the participants mentioned:
Amazon, Best Buy, Carnegie Mellon University, Cisco Systems,
Connectivity Standards Alliance, Consumer Reports,
Consumer Technology Association, CyLab, Google, Infineon,
the Information Technology Industry Council, IoXT, KeySight,
LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm,
Samsung Electronics, UL Solutions, Yale and August U.S.

Cybersecurity labeling programs already running in Europe

By the way,
other nations have already introduced their own labeling programs.
Finland was the pioneer
and then Germany followed.
And this is crucial,
since Europe has been reported
as the region whose IoT devices have been targeted the most in early 2023
(about 70 attacks per organization every week).
Let’s take Germany’s cybersecurity labeling program as an example.
The country’s Federal Office for Information Security (BSI, from its German name)
started the program by the end of 2021
with routers and email services
and now also validates and labels IoT devices
(e.g., Xiaomi’s smart cameras and vacuums).
Developers who want to participate voluntarily
need to comply with the BSI’s criteria.
These are based on the European standard
Cyber Security for Consumer Internet of Things: Baseline Requirements
(the same source used for Finland’s program),
a 2020 document
whose provisions have much in common with the NIST criteria we described above,
which were published years later.
If the product earns the label with the BSI,
valid for at least two years,
it will be visible for consumers,
who will access the security information
by entering the URL in the label or scanning the added QR code.
Just in November this year the BSI launched a nationwide advertising campaign
for consumers to be aware of the label.

This effort in Europe is significant
and can prepare developers for what’s looming over them:
The European Union’s Cyber Resilience Act (CRA)
is expected to take effect next year.
All digital products destined for the European market will need to comply
with cybersecurity requirements throughout their lifecycles.
Fines for infringement,
which includes acts like deception and noncompliance,
will range from about €5M to €15M
(we expand on this regulation in our dedicated blog post).

IoT is just the beginning

While in the U.S. the labeling program will start with IoT,
we see that Germany’s program has already been addressing other software products
as well.
The U.S. may follow these steps soon, though,
since NIST also has the task
of identifying “secure software development practices or criteria
for a consumer software labeling program.”
Their public 2022 white paper
already mentions technical criteria
as claims that developers can make about their product.
In a nutshell,
a group of the criteria reads
that the vendor adheres to accepted secure software development practices
throughout the software development lifecycle (SDLC).

How about getting ahead of the curve by securing your software now?
In our Continuous Hacking solution,
we use several security testing techniques by default
to verify your application’s compliance
with several secure development guidelines and cybersecurity standards.
You can see all results when you log in to our platform
and swiftly manage all vulnerabilities throughout the SDLC.
As we provide you with fix recommendations through several options
(including AI-generated, step-by-step guidance
and, in our flagship plan, advice from our hacking team),
you can take action fast to fulfill the required security requirements.
Start your free trial now.

This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Jason Chavarría. Read the original post at: https://fluidattacks.com/blog/cybersecurity-labeling-for-iot/