The USA has taken the executive decision to issue a cybersecurity label for smart devices, an important step in IoT standardization.
In a press briefing, the American Federal Communications Commission (FCC) announced the introduction of the US Cyber Trust Mark, a cybersecurity label for smart devices.
The new label will indicate that products meet stringent security standards outlined in a report by the National Institute of Standards and Technology (NIST).
The voluntary program is scheduled to be implemented in 2024, with the labels expected to appear on devices shortly thereafter.
Cybersecurity Label for Smart Devices, The US Cyber Trust Mark and IoT standardization
According to the White House press briefing, the cybersecurity certification and labeling program will “help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks”.
The Cyber Trust Mark initiative aims to address the growing concern over the security of IoT (Internet of Things) devices commonly found in homes, including smart refrigerators, microwaves, televisions, and climate control systems.
Notably, “smart fitness trackers” are also listed as eligible devices for the certification and labeling program, signaling the broader scope of the initiative beyond traditional smart home automation products.
Government claims to have participation supporting the program from major tech companies like Amazon, Google, Samsung, and Logitech, as well as electronics manufacturers such as LG Electronics U.S.A. and appliance retailers like Best Buy.
The Connectivity Standards Alliance, which governs the Matter smart home standard, is also among the backers.
The Cyber Trust label consists of two components: a distinctive logo displayed on product packaging and a QR code for verification.
The government plans the label to convey crucial details, such as the data collected by the device, data sharing practices, authentication methods, and how security updates are implemented.
The QR code is intended to provide additional information on a smartphone, including the expected duration of security updates.
“NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers—a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks,” said the announcement.
“NIST will complete this work by the end of 2023, to permit the Commission to consider use of these requirements to expand the labeling program to cover consumer grade routers.”
The fine print behind the US Cyber Trust Mark
The FCC is exploring the possibility of annual recertifications for devices, but specific intervals have not been determined yet.
Third-party labs, like the Connectivity Standards Alliance and the Consumer Technology Association, will be responsible for handling certifications.
This move aims to push companies to prioritize secure product design, as the Cyber Trust label could potentially boost consumer confidence and justify the higher costs of robust security measures.
Anne Neuberger, Deputy National Security Advisor, emphasized the label’s accountability aspect in the press briefing that followed the official announcement.
Manufacturers will be required to issue timely security patches to maintain their Cyber Trust label, ensuring that devices remain secure amid evolving cyber threats.
The definition of “IoT product” under the Cyber Trust labeling program is based on the NIST report, encompassing network-connected devices with sensors or actuators.
Additionally, the associated app, cloud backend, and hubs specific to the device will be considered part of the IoT product.
The NIST is also prioritizing the cybersecurity requirements of consumer-grade routers and aims to complete its work by the end of 2023 for inclusion in the labeling program.
If executed as intended, the Cyber Trust Mark will prove to be a significant step in enhancing the security of IoT devices in the US market.
However, a standardization of device rating is a far cry from IoT standardization.
What is IoT Standardization?
IoT standardization refers to the process of developing and implementing common, widely accepted guidelines, protocols, and frameworks for Internet of Things (IoT) devices, networks, and applications.
As the IoT ecosystem continues to expand, numerous devices, platforms, and communication technologies emerge from various manufacturers and developers.
“While IoT devices offer great convenience, having large numbers in a small space increases complexity in device design, test, performance, and security,” said a study on standardization by Keysight Technologies.
“Testing these devices is one of the biggest challenges for design engineers and device manufacturers. The crowded RF environments are why it is critical to address compliance testing.”
Without standardized practices, interoperability, security, and scalability issues can arise, hindering the widespread adoption and success of IoT technologies.
The primary objectives of IoT standardization are as follows:
Interoperability: IoT devices and systems often come from different manufacturers and use diverse communication protocols.
IIT Kharagpur defines interoperability as the ability of two or more devices, systems, platforms or networks to work in conjunction.
“Interoperability enables communication between heterogeneous devices or system in order to achieve a common goal. However, the current devices and systems are fragmented with respect to the communication technologies, protocols, and data formats,” a paper explained.
“This diversity makes it difficult for devices and systems in the IoT network to communicate and share their data with one another. The utility of IoT network is limited by the lack of interoperability.”
Security: With the proliferation of IoT devices and their connection to critical systems and personal data, ensuring robust security measures is crucial.
IoT standardization helps establish best practices and security protocols to safeguard IoT devices and networks from potential cyber threats.
“Vendor lock-in, rivaling standards, proprietary devices and private networks make it that hard to incept a standard security protocol for devices,” said an assessment report by online education service Intellipaat.
“IoT hackers will be successful when there are varying standards, connectivity patterns and there will be increased security against them if IoT devices employ common standards.”
Scalability: IoT systems can vary significantly in size, from small-scale deployments to large-scale industrial applications. Standardization aids in designing scalable architectures and solutions that can adapt and expand as needed.
“All architectures and solutions must be capable of deployment for medium-sized instances and then must seamlessly scale up or down, as needed,” said a report by Cisco.
“This includes network, storage, analytics, and security, as required.”
Reliability: IoT devices and networks need to function reliably in various environments and conditions.
Standardization can help define performance benchmarks and quality assurance measures to ensure consistent and dependable operation.
Data management: Standardization addresses data formats, data storage, and data transmission protocols, making it easier to collect, process, and analyze data from diverse IoT sources.
Regulatory compliance: Standardization can align IoT practices with industry regulations and government standards, ensuring that IoT deployments adhere to legal requirements and guidelines.
Standardization: Industrial and administrative efforts
Various organizations, both governmental and industry-driven, play essential roles in developing IoT standards. For instance:
The Internet Engineering Task Force (IETF) develops and maintains many of the core protocols and standards that underpin the Internet, which are also relevant to IoT.
The Institute of Electrical and Electronics Engineers (IEEE) has several working groups dedicated to IoT standardization.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) work on standardization efforts related to IoT, including security and interoperability.
The Open Connectivity Foundation (OCF) focuses on creating standards for secure and interoperable IoT device connectivity.
The Industrial Internet Consortium (IIC) concentrates on IoT standardization in industrial settings and the integration of IoT technologies with industrial processes.
Overall, IoT standardization plays a vital role in fostering a more cohesive and robust IoT ecosystem, enabling widespread adoption and unlocking the full potential of IoT technologies.
Many countries have established standards for IoT devices to address various aspects such as security, interoperability, privacy, and data protection.
These standards are typically known by different names and are often developed by national or regional standards organizations. Here are some examples of countries and the names of their IoT-related standards:
United States:
NIST (National Institute of Standards and Technology) has published several guidelines and standards related to IoT security and cybersecurity. For instance, NIST Special Publication 800-53 includes security and privacy controls for federal information systems and organizations, which are applicable to IoT devices used by government agencies.
United Kingdom:
The British Standards Institution (BSI) has developed standards related to IoT, including security and privacy considerations. For example, BS EN 303 645 outlines security requirements for consumer IoT devices.
Germany:
The German Institute for Standardization (DIN) has been involved in IoT standardization efforts, particularly in the areas of industrial IoT and Industry 4.0. DIN SPEC 27072 provides guidelines for data protection and data security for IoT services.
China:
The Standardization Administration of China (SAC) has been active in setting standards for IoT devices and applications. Some of their standards address areas like IoT reference architecture, network communication protocols, and security.
South Korea:
The Korean Agency for Technology and Standards (KATS) has been working on IoT standardization in various domains, including smart cities and smart homes.
European Union (EU):
The EU has taken initiatives to develop standards and guidelines for IoT applications and devices. The European Telecommunications Standards Institute (ETSI) is one of the prominent organizations involved in IoT standardization efforts within the EU.
Japan:
The Japanese Industrial Standards (JIS) has developed standards relevant to IoT devices and systems, particularly in industrial settings.
Australia:
Standards Australia has worked on IoT standards, addressing areas such as data privacy, security, and IoT device management.