A new cybersecurity certification and labeling program called U.S. Cyber Trust Mark is being shaped to help U.S. consumers choose connected devices that are more secure and resilient to hacker attacks.
Proposed by the Federal Communications Commission, the program is expected to roll out next year, with smart device vendors committing to it voluntarily.
Major vendors and makers in the U.S. have already announced their participation. Among them are Amazon, Google, Best Buy, LG Electronics U.S.A., Logitech, and Samsung Electronics.
NIST-level security for IoT
The U.S. Cyber Trust Mark program aims to recognize smart products that meet cybersecurity criteria from the National Institute of Standards and Technology (NIST), which include the use of unique and strong default passwords, data protection, software updates, and incident detection capabilities.
Participating makers would label their products with a “distinct shield logo” signaling a NIST-approved set of security features.
The labeling is intended for common consumer smart devices, ranging from refrigerators, microwave ovens, television sets, and climate control systems to fitness trackers, according to the announcement from the Biden-Harris Administration.
“Acting under its authorities to regulate wireless communication devices, the FCC is expected to seek public comment on rolling out the proposed voluntary cybersecurity labeling program, which is expected to be up and running in 2024” – White House
Until the program launches, the Biden-Harris Administration and the Cybersecurity and Infrastructure Security Agency (CISA) would support the FCC’s effort to educate consumers to look for the Cyber Trust Mark on the products they decide to purchase.
To improve transparency and stimulate competition, certified devices would be listed in a national registry that consumers could consult via a QR code to compare the security information of multiple products.
“Working with other regulators and the U.S. Department of Justice, the Commission plans to establish oversight and enforcement safeguards to maintain trust and confidence in the program.”
Another important step is for NIST to define, by the end of the year, a set of security requirements for consumer-grade routers, which are typical targets for cybercriminals since they are the door to other devices on the local network, which could in turn serve an attacker.
The program also aims to include smart meters and power inverters that are at the basis of the clean, smart grid of the future. However, research is necessary to develop appropriate cybersecurity labeling for these devices.
Efforts to define baseline security in IoT devices have existed for more than five years, with proposals for a standard firmware update mechanism being among the first recommendations from cybersecurity experts, published by the Internet Engineering Task Force (IETF).
A similar initiative came in 2017 from the U.S. Commerce Department, through its National Telecommunications and Information Administration (NTIA), which aimed to develop guidance for IoT makers on briefing customers about a product’s update options.
That same year, the European Union Agency for Network and Information Security (ENISA) published the report Baseline security recommendations for IoT. A clear summary is available here.
In 2020, the California IoT Act took effect, requiring device makers to include “reasonable security features” into their products but failing to provide a clear standard.