Cybersecurity Labeling for IoT

The number of Internet of things (IoT) devices in the world is big and on the rise. By July 2023, it was 15.14 billion. And it is estimated that, by the start of the new decade, they will be about 29.42 billion. Basically, their amount seems to almost double every five years. Right now, large corporate networks may have millions of such smart devices connected to them. That could be up to 30% of all the connected devices.

Organizations use IoT devices for several reasons. Some, such as those in the healthcare sector, find them useful for tracking equipment and tools remotely via sensors or offering remote support to practitioners in augmented reality. Others, like those in the retail sector, may use IoT devices to boost the efficiency of their logistics (e.g., monitoring that inventory is where the inventory system claims it should be).

IoT devices are, however, known to be insecure, as they generally come with default, guessable usernames and/or passwords, use outdated software components, do not encrypt data, and do not get regular software updates, or these are not always successful. Possibly a part of the fault lies in manufacturers' eagerness to deploy their devices massively and quickly, which outweighs any importance given to security tests during development. Another contributing factor may be the lack of strict government regulations on the cybersecurity of such devices.

The fact is that the lack of compliance with security requirements in IoT devices represents an important risk. By the start of 2023, organizations globally received a mean of 59.7 attack attempts weekly targeting those devices. Insecure gadgets, making up a big chunk of the organizations' attack surfaces, are then the focus of a lot of activity by malicious hackers. Indeed, e.g., highly skilled groups of cybercriminals who have enough resources to attack their targets repeatedly, aka advanced persistent threats (APTs), are leveraging zero-day security vulnerabilities in smart home cameras, connected car systems, wearable devices, etc., to do surveillance and carry out espionage campaigns.

The above has motivated nations to include in their cybersecurity strategies an item regarding actions to increase cybersecurity on smart devices to protect consumers. Accordingly, in the U.S., the White House and the Federal Communications Commission (FCC) created a program, named U.S. Cyber Trust Mark, that aims to certify and label Internet-enabled devices as secure and will possibly be ready to start in late 2024.

The program is part of the United States National Cybersecurity Strategy Implementation. It is in the process of establishing guidelines for manufacturers to follow voluntarily in the products they develop and deploy. These products include smart televisions, microwaves, refrigerators, fitness trackers, climate control systems, and more. The guidelines shall be based on recommended cybersecurity criteria published by National Institute of Standards and Technology (NIST). Further, the program proposes that complying products get a cybersecurity label "in the form of a distinct shield logo" (see here the proposed logo). This label would help consumers easily choose smart devices that may be less vulnerable to cyberattacks than those without the label. And to help choice even more, and also promote transparency and competition, the FCC plans to use a QR code that consumers can scan to access a national registry listing the products with their security information, which can then be used by the consumer to establish comparisons.

The source we refer to is the white paper from February 4, 2022, titled "Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products." It is a response to the Executive Order 14028, "Improving the Nation's Cybersecurity," which tasks NIST with, among other things, formulating cybersecurity criteria and labeling approaches for IoT. Most of this agency's criteria can be satisfied by the IoT product's software and/or hardware, and some apply to the developer. We present them briefly as follows:

This sounds like it's going to be a gigantic step for IoT devices cybersecurity. Remarkably, the White House's statement about the program mentions the manufacturers and retailers that have announced their support and commitment to the program, and these include big names. These are the participants mentioned: Amazon, Best Buy, Carnegie Mellon University, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, CyLab, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.

By the way, other nations have already introduced their own labeling programs. Finland was the pioneer and then Germany followed. And this is crucial, since Europe has been reported as the region whose IoT devices have been targeted the most in early 2023 (about 70 attacks per organization every week). Let's take Germany's case of cybersecurity labeling as an example. The country's Federal Office for Information Security (BSI in German) started the program by the end of 2021 with routers and email services and now also validates and labels IoT devices (e.g., Xiaomi's smart cameras and vacuums). The developers who want to participate voluntarily need to comply with the BSI's criteria. These are based on the European standard "Cyber Security for Consumer Internet of Things: Baseline Requirements" (the same source for Finland's program), which is a 2020 document whose provisions have lots in common with those we described above, published by NIST years later. If the product earns the label with the BSI, valid for at least two years, it will be visible for consumers, who will access the security information by entering the URL in the label or scanning the added QR code. Just in November this year the BSI launched a nationwide advertising campaign for consumers to be aware of the label.

This effort in Europe is significant and can prepare developers for what's looming over them: The European Union's Cyber Resilience Act (CRA) is expected to take effect next year. All digital products destined for the European market will need to comply with cybersecurity requirements throughout their lifecycles. Fines for infringement, which includes acts like deception and noncompliance, will go from about €5M to €15M (we expand on this regulation in our dedicated blog post).

While in the U.S. the labeling program will start with IoT, we see that in Germany their own has been addressing other software products as well. The U.S. may follow these steps soon, though, since NIST has also the task to identify "secure software development practices or criteria for a consumer software labeling program." Their public 2022 white paper already mentions technical criteria as claims that developers can make about their product. In a nutshell, a group of the criteria reads that the vendor adheres to accepted secure software development practices throughout the software development lifecycle (SDLC).

How about being ahead of the curve by securing your software now? In our Continuous Hacking solution, we use several security testing techniques by default to verify your application's compliance with several secure development guidelines and cybersecurity standards. You can see all results when you log in on our platform and swiftly manage all vulnerabilities throughout the SDLC. As we provide you with fix recommendations through several options (including AI-generated, step-by-step guidance, and, in our flagship plan, advice from our hacking team), you can take action fast to fulfill the security requirements needed. Start your free trial now.