The U.S. government this week announced a national IoT security label that manufacturers and retailers can opt to use to assure consumers that their smart connected IoT devices meet a certain level of cyber-safety and are hence less vulnerable to cyberattacks.
The new “U.S. Cyber Trust Mark” program proposed by Federal Communications Commission (FCC) chairwoman Jessica Rosenworcel would raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more. Several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations have made voluntary commitments to increase cybersecurity for the products they sell.
The new label supports the IoT security requirements under NISTIR 8425, which resulted from an Executive Order to improve the nation’s cybersecurity. This label will recognize products that meet these requirements by permitting them to display a U.S. government label and be listed in a registry indicating that these products meet U.S. cybersecurity standards. Under the proposed new program, consumers would see the newly created “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.
Acting under its authorities to regulate wireless communication devices, the FCC is expected to seek public comment on rolling out the proposed voluntary cybersecurity labeling program, which is expected to be up and running in 2024. As proposed, the program would leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology (NIST) that, for example, require unique and strong default passwords, data protection, software updates, and incident detection capabilities.
National registry of certified devices
The FCC has applied to register a national trademark with the U.S. Patent and Trademark Office that would be applied to products meeting the established cybersecurity criteria. The FCC intends to use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about smart products. NIST will also immediately undertake an effort to define cybersecurity requirements for consumer-grade routers. It will complete this work by the end of 2023, to permit the Commission to consider use of these requirements to expand the labeling program to cover consumer-grade routers.
The U.S. Department of Energy also announced a collaborative initiative with national labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.
Internationally, the U.S. Department of State aims to support the FCC in engaging allies and partners toward harmonizing standards and pursuing mutual recognition of similar labeling efforts.
Participants in labeling program
Participants in the announcement of the security certification and labeling program include: Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, ioXt, Keysight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.
Licensor of the national label
The ioXt Alliance said it is working closely with the Consumer Technology Association (CTA), the FCC, NIST and other stakeholders to help shape the national label program. Due to the ioXt Alliance’s many contributions to the development of NISTIR 8425 and its alignment with the goals of the U.S. national label program for IoT devices, ioXt is expected to be one of the first scheme owners to license the National Label to its members and stakeholders.
The ioXt Alliance’s CEO and founder, Gary Jabara, said, “As the global standard for IoT security, the ioXt Alliance is committed to facilitating work that is in alignment with the U.S. national label program for IoT devices. We believe that our certification program can play a significant role in supporting the success of this program by providing a baseline level of security for connected devices. We are proud to contribute to this important initiative and are committed to ensuring that IoT devices meet industry-recognized security standards.”
Infineon’s first product to seek national label
Infineon Technologies’ president of connected secure systems, Thomas Rosteck, said, “Infineon welcomes the step the U.S. government has made and fully supports programs to boost cybersecurity for the Internet of Things. The U.S. label is a significant milestone towards strong global cybersecurity standards. We believe the implementation of this program will empower consumers and further boost the adoption of IoT products in the U.S. and beyond.” Infineon’s IoT development kit (CY8CKIT-062S2-43012) will seek to obtain the U.S. national label. Certification of this development kit will help its customers to create IoT products that are compliant with the U.S. national label.
Infineon was involved in the development of the IoT label program through its participation as a member of the Connectivity Standards Alliance (CSA). The U.S. cybersecurity guidelines are closely aligned with several CSA standards, including the Matter standard. Matter provides device manufacturers with a secured communication standard for a wide range of smart home applications and thus improves connectivity between smart devices from different manufacturers. CSA’s Product Security effort (chaired by Infineon) will certify that IoT devices meet global security requirements, including those used by the U.S. national label. Infineon said that ‘together, these standards move the IoT to a higher level of interoperability and security.’
News Source: embedded