The United States has officially launched its much-anticipated cybersecurity labelling program, Cyber Trust, for Internet of Things (IoT) devices. This initiative aims to safeguard Americans from the various security threats that come with using internet-connected devices.
The establishment of the “U.S. Cyber Trust Mark” program aims to ensure that internet-connected devices purchased by Americans possess strong cybersecurity features that can effectively protect them from cyber-attacks.
The Internet of Things (IoT) comprises a wide range of gadgets, such as fitness trackers, routers, baby monitors, and smart refrigerators. Unfortunately, these IoT devices have been identified as a weak spot in cybersecurity. These devices often come with predictable default passwords and do not receive frequent security updates, putting consumers at risk of being hacked.
The Biden administration has announced its plan to implement a new labelling system for internet-connected devices. This system, influenced by Energy Star, will provide consumers with important information about the cybersecurity of the products they purchase. Only devices meeting the established cybersecurity standards will be marked with the U.S. Cyber Trust Mark, a recognizable shield logo.
The National Institute of Standards and Technology (NIST) has set a new standard that requires devices to have strong and unique default passwords, safeguard stored and transmitted data, provide regular security updates, and come with incident detection capabilities.
The standards list is not yet finalized. However, the White House has made it clear that NIST will define cybersecurity standards for consumer-grade routers at a higher risk of being targeted by attackers. This will prevent password theft and the creation of botnets for launching distributed denial-of-service (DDoS) attacks. This task must be completed by the end of 2023, and the initiative is expected to cover these devices when it is launched in 2024.
As per a report, the White House has confirmed that the Cyber Trust Mark will soon feature a QR code. This code will be linked to a national registry of certified devices, providing users with up-to-date information.
“We knew that we didn’t want to create a label that said this product had been certified and secured and then stayed secure forever,” a senior administration official said. “The QR code will give you up-to-date information on the ongoing adherence to cyber security standards.”
There are several IoT conformity assessment activities that could be leveraged to demonstrate that consumer IoT devices conform to technical requirements, either exclusively or in combination. These include:
• Supplier’s declaration of conformity (self-attestation) where the declaration of conformity is performed by the organization that provides the consumer IoT device. This is a self-attestation against a defined set of criteria.
• Third-party testing or inspection where there is determination or examination, respectively, of the consumer IoT device based on defined criteria.
• Third-party certification of the consumer IoT device where a statement is issued based on a comprehensive review that an IoT product has fulfilled defined criteria.