Understanding The Proposed Cybersecurity Labeling Program

Internet of Things

The White House and the FCC recently put a new program into effect concerning security standards for Internet of Things (IoT) devices. In its current state, the IoT includes a massive range of device types, from smart baby monitors, garage doors, and home refrigerators to anything and everything in between.

By its nature, the IoT is difficult to regulate, monitor, and standardize.

However, with current cybersecurity risk levels, more IoT users can be compelled to take IoT security more seriously.

That is why the new standard has come in the form of a cybersecurity labeling program.

It is intended to normalize a higher standard of security for IoT devices and the ocean of data they exist in.

Before we get into what the cybersecurity labeling program is, let's take a closer look at the need it addresses.

Risk Factors Associated with Internet of Things Devices

"Smart device, dumb security" has become a buzz phrase in the IoT space.

This is because IoT-capable devices connect to the Internet in surprising ways, offering a plethora of useful data access.

However, IoT devices also leak this information readily, because the protections that standard computing devices rely on are absent.

These weaknesses come in a range of forms, including but not limited to:

  • A lack of physical protection
  • Insecure data storage and transfer
  • An absence of device visibility and management
  • Botnet data theft
  • Weak passwords
  • Insecure interfaces
  • AI attack vulnerability
  • Greater attack surface area

Understanding the Cybersecurity Labeling Program

The cybersecurity labeling program (CLP) provides, if nothing else, the hope that businesses will begin to think about security as they leverage, sell, and otherwise deal with IoT devices.

We estimate that there are no fewer than 15 billion IoT devices currently up and running.

There may be even more than this that are not accounted for, running silently in storerooms, warehouses, closets, and the like, and leaking data unchecked.

Also known as the "cyber trust mark," the cybersecurity label represents a proposed effort to simplify the massive topic of IoT security.

The program is expected to begin in December of this year or January 2024.

On the surface, they are simple labels with a shield and microchip that come in one of five colors and read "U.S. CYBER TRUST MARK."

They are meant to indicate that the devices they are placed on have encrypted transmissions, storage, and software updates, and to show the level of control over passwords and data storage that the end buyer will have by default.

The initiative was announced in October 2022, and organizations are only now starting to take notice.

This is because those who adopt it will enjoy greater security than those who don't.

This means those who adopt it will be more competitive since they and their customers will enjoy greater resistance to current and anticipated attacks.

It also means that customer satisfaction will be greater for adopters, since their customers too will suffer fewer data compromise events.

The good news is that the standards for the cybersecurity labeling program are the same standards recommended by the National Institute of Standards and Technology (NIST).

This means that the standards have a well-understood and repeatable track record of use.

It probably also means that there is already a wealth of free information out there on how, why, and when to use the new best practices. 

At this point, it's all looking like a too-little, too-late situation.

In reality, these and similar security standards should have been in place a decade ago.

However, we haven't yet seen the full reality of the CLP.

At present, the White House says consumer-grade routers are the most vulnerable target for bad actors looking to exploit IoT devices.

The Department of Energy has plans to design a labeling system for power inverters and smart meters. 

Despite all this, the movement to adopt CLP has been slow and inconsistent.

The FCC's comments on IoT security claim that more than 1.5 billion IoT devices were successfully attacked in early 2021.

One of the most interesting attacks was directed against a bank via a vending machine.

The attack bypassed massive network fortifications and accessed institutional and private account data. 

If there's one thing we know about any successful cyber attack, it's that bad actors will be clamoring to duplicate it.

So, if companies don't start taking IoT security a heck of a lot more seriously, they will regret it.

But what does it mean for an IoT device to be secure? Fortunately, we are not entirely in the dark on this point.

What IoT Security Looks Like

At this point, the full meaning of the colors on any given CLP label is not entirely known.

Certainly, devices used by different organizations and purposes will have different standards.

For example, that bank vending machine would certainly have different security requirements compared to a hobbyist's camera drone.

But the issues that will likely be addressed by the labeling program should look, in part, like the following:

  1. Devices are secured against leaks within or through other IoT-connected devices, such as routers.
  2. Components within a given device that are themselves Internet-capable are also labeled and protected.
  3. Products updated with new features no longer reflected on the packaging are inspected and re-labeled accordingly.
  4. New weaknesses in formerly safe devices are assessed and covered.
  5. Devices certified to a given standard that are brought into a network with higher standards are brought up to the higher standard.
  6. The overlap of privacy and security is taken into account for a labeled device.
  7. The stated commitment of a given company to IoT security may be reflected in the logos.

As you can see, the technology and business worlds both have a lot of thinking to do when it comes to what the cybersecurity labeling program will entail.

If this list makes one thing apparent, it's that there is a potentially unlimited number of issues the system needs to address.

But for now, it should at least get us off to a much-needed start on securing IoT devices. 

Hopefully, we will see a significant difference in outcomes between organizations that use it and those that don't.

Once that data is understood, we expect companies will make CLP compliance mandatory. 
