A big part of the discussion around cybersecurity in the last several years has centered on the need for further transparency, to help address what many consider to be a market failure of cybersecurity. 

On the enterprise software supply chain security front, we’ve seen efforts such as SBOM’s and self-attestations of suppliers following a secure software development lifecycle, such as NIST’s Secure Software Development Framework (SSDF). 

On the consumer end, there generally isn’t much to help consumers make informed purchasing decisions utilizing security as a criterion for how they spend their money. This is changing on the IoT front, with the introduction in 2023 of the U.S. “Cyber Trust Mark” program, which was announced out of The White House in July. The announcement framed the program as a voluntary measure which will be embraced by smart device and IoT manufacturers to help consumers choose products which are safer and less prone to cybersecurity attacks.

The program has continued to gain momentum when it was recently announced at CES that the E.U. and U.S. have agreed to pursue a “joint roadmap” for cybersecurity labels. Anne Neuberger, who is the White House’s Deputy National Security Advisor for Cyber and Emerging Technologies was quoted as saying “we want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere”.

This line of thinking likely comes as a breath of fresh air from industry who often voice concerns over the disparate cybersecurity policy and regulatory landscape, often leading to duplicative, costly and cumbersome requirements on technology suppliers. 

“Energy Star for Cyber”

If you’ve ever purchased products such as appliances and electronics, you may have noticed “Energy Star” ratings, which is a program led by the EPA and Department of Energy to help consumers understand the energy efficiency of products. 

Currently, despite software being pervasive in exponentially more consumer goods over time, there is no universally accepted labeling scheme similar for cybersecurity, to help consumers understand the security and safety of products, such as IoT or smart devices. 

In modern society it isn’t just enterprises and businesses that are powered by software, but our homes and personal lives as well. Appliances, electronics, wireless communication devices and more, are all powered by software. This makes consumers increasingly exposed to cybersecurity, privacy and safety concerns. 

As part of the broad goals and objectives of the 2021 Cybersecurity Executive Order (EO), NIST was directed to initiative labeling programs for devices such as consumer IoT products. NIST has published insights into what the labeling program may look like, such as their “Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products”. 

Scope of an IoT Device

Let’s take a look at some of the specifics published by NIST to understand the scope and criteria for the proposed and emerging Cyber Trust Mark labeling program. 

Simply determining the scope of what counts as an “IoT Product” can be a challenge, as there are millions of devices now integrating software, connectivity and digital features. Per NIST’s publication, an IoT product is defined as “computing equipment with at least one transducer and at least one network interface”. Given IoT devices often exist in a broader architecture and ecosystem, NIST specifies that IoT products often have three other components which are:

• Speciality networking and gateway hardware (a hub within the system where IoT devices are used)

• Companion application software (such as an accompanying mobile application)

• Backends (such as cloud services to store or process data from the device)

Essentially these devices are those which have the ability to communicate network traffic, often are managed by associated applications and software and integrate into broader backend architectures such as cloud environments that process or store data from the IoT device.

Worth emphasizing is that NIST points out, in the context of their labeling recommendations, an IoT product is defined as “an IoT device and any additional product components that are necessary to use the IoT device beyond basic operational features”. 

This means that not just the physical device is in scope of their labeling purview and objectives but also the associated aspects discussed above, such as networking/gateways, companion application software and backends within the architecture. This makes sense, given all of these aspects of the IoT’s architecture and operations are a core part of its security, privacy and safety for consumers and part of the attack surface for malicious actors. 

Recommended Baseline Product Criteria

Let’s take a look at some of the baseline product criteria NIST defines when it comes to the cybersecurity outcomes of the IoT devices and developers as part of the product labeling program. These criteria apply both to the device and in some cases the device supplier. 

NIST mentions that each of these product criteria may not be applicable to every IoT device and suppliers have flexibility to determine supporting evidence for the various areas of criteria. The official NIST document goes into significant depth for each area of criteria, but we will briefly touch on them below. 

Asset Identification

This means the supplier can uniquely identify the product and inventory all of its components. This inventory should be kept up to date and this is useful from the cyber perspective to help identify which IoT products and components are needed for activities such as asset management, digital forensics and incident response.

Product Configuration

Product configurations can introduce vulnerabilities therefore changes should be only able to be performed by authorized entities. From a security perspective it can help customers tailor their products to their needs and to avoid specific threats based on their unique risk appetite. Something worth calling out here is the broader push for Secure-by-Design/Default adoption we’re seeing from CISA and others towards product suppliers. This means products should be secure by default, and hardened, with customers able to make modifications as they see fit, versus needing to harden insecure products they receive. 

Data Protection

The IoT device and its components must protect data stored and transmitted from unauthorized access, disclosure and modification. 

Interface Access Control

The IoT product and its components must restrict logical access to local and network interfaces to authorized individuals, services and IoT product components.

Software Update

Software updates have availability and security implications, so it is no surprise to see NIST state that updates should only be able to be conducted by authorized entities.

Cybersecurity State Awareness

Suppliers need to be able to detect cybersecurity incidents impacting the IoT products and their components, as well as the data they store and transmit.This involves capturing logs, records and relevant data.

Documentation

Every developer's favorite activity, documentation. NIST states product developers must create, gather and store information relevant to the cybersecurity of the IoT product and its components prior to customer consumption and throughout the product's entire lifecycle. 

Information and Query Reception

IoT product suppliers must be able to receive information relevant to the cybersecurity of their products, such as bug reporting and vulnerabilities. They also must be able to receive inquiries from customers and consumers and respond regarding the cybersecurity of their products.

Information Dissemination

Inversely, IoT product suppliers also must be able to disseminate information related to their products, either to the public or directly to customers regarding the cybersecurity of the device and other relevant information such as end of life support, new vulnerabilities and needed maintenance.

Product Education and Awareness

NIST states that IoT product developers must create awareness and education to customers and the broader IotT product community regarding cyber-related information, such as considerations, threats and features to products and components.

IoT Product Vulnerabilities

Given IoT product vulnerabilities and misconfigurations are what primarily leads to security incidents, NIST provides a comprehensive list of example vulnerabilities and incidents as well as relevant tactics and techniques that were involved and related baseline criteria categories we discussed above that could have mitigated risk.

The information and potential product vulnerabilities is too vast to list in this article, but examples cited include unauthorized access to baby monitors, Mirai malware variants, and unauthorized access and publication of fitness tracker data, as well as unauthorized access to home security systems and data. 

Recommended Approach for Labeling Success

Given the vast array of IoT devices per the scope of the definition and the incredibly diverse and expansive consumer customer base the labeling scheme is intended to support, it is clear that it is an ambitious goal. Some key guiding principles are emphasized by NIST, which we will touch on below. They include: 

• Labels being available to consumers before and at the time of purchase as well as afterwards, supporting both digital and physical formats

• Labels should be accompanied by a robust consumer education campaign

• Consumers should have online access to additional information such as the labels intent, scope and products criteria

While the labeling scheme is a massive undertaking, it is absolutely critical to help suppliers take more responsibility for the security outcomes of customers and consumers (a key theme from CISA’s latest “Secure-by-Design/Default” guidance), and helping consumers make risk-informed decisions around purchases and consumption, which will help address longstanding cybersecurity market failures, incentivizing suppliers to truly address cybersecurity of their IoT products. 

The Cyber Trust Mark program is still in its early stages, but the recent addition of international support with the E.U. demonstrates that the program is poised to have a broad impact on the software driven consumer goods market around the world.