U.S. Cyber Trust Mark - Cybersecurity Labeling Program for Smart Devices
A look at the U.S. Trust Mark - Enabling Consumer Cybersecurity Assurance for IoT and Smart Devices
A big part of the discussion around cybersecurity in the last several years has centered on the need for further transparency, to help address what many consider to be a market failure of cybersecurity.
On the enterprise software supply chain security front, we’ve seen efforts such as SBOM’s and self-attestations of suppliers following a secure software development lifecycle, such as NIST’s Secure Software Development Framework (SSDF).
On the consumer end, there generally isn’t much to help consumers make informed purchasing decisions utilizing security as a criterion for how they spend their money. This is changing on the IoT front, with the introduction in 2023 of the U.S. “Cyber Trust Mark” program, which was announced out of The White House in July. The announcement framed the program as a voluntary measure which will be embraced by smart device and IoT manufacturers to help consumers choose products which are safer and less prone to cybersecurity attacks.
The program has continued to gain momentum when it was recently announced at CES that the E.U. and U.S. have agreed to pursue a “joint roadmap” for cybersecurity labels. Anne Neuberger, who is the White House’s Deputy National Security Advisor for Cyber and Emerging Technologies was quoted as saying “we want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere”.
This line of thinking likely comes as a breath of fresh air from industry who often voice concerns over the disparate cybersecurity policy and regulatory landscape, often leading to duplicative, costly and cumbersome requirements on technology suppliers.
“Energy Star for Cyber”
If you’ve ever purchased products such as appliances and electronics, you may have noticed “Energy Star” ratings, which is a program led by the EPA and Department of Energy to help consumers understand the energy efficiency of products.
Currently, despite software being pervasive in exponentially more consumer goods over time, there is no universally accepted labeling scheme similar for cybersecurity, to help consumers understand the security and safety of products, such as IoT or smart devices.
In modern society it isn’t just enterprises and businesses that are powered by software, but our homes and personal lives as well. Appliances, electronics, wireless communication devices and more, are all powered by software. This makes consumers increasingly exposed to cybersecurity, privacy and safety concerns.
As part of the broad goals and objectives of the 2021 Cybersecurity Executive Order (EO), NIST was directed to initiative labeling programs for devices such as consumer IoT products. NIST has published insights into what the labeling program may look like, such as their “Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products”.
Scope of an IoT Device
Let’s take a look at some of the specifics published by NIST to understand the scope and criteria for the proposed and emerging Cyber Trust Mark labeling program.
Simply determining the scope of what counts as an “IoT Product” can be a challenge, as there are millions of devices now integrating software, connectivity and digital features. Per NIST’s publication, an IoT product is defined as “computing equipment with at least one transducer and at least one network interface”. Given IoT devices often exist in a broader architecture and ecosystem, NIST specifies that IoT products often have three other components which are:
Speciality networking and gateway hardware (a hub within the system where IoT devices are used)
Companion application software (such as an accompanying mobile application)
Backends (such as cloud services to store or process data from the device)
Essentially these devices are those which have the ability to communicate network traffic, often are managed by associated applications and software and integrate into broader backend architectures such as cloud environments that process or store data from the IoT device.
Worth emphasizing is that NIST points out, in the context of their labeling recommendations, an IoT product is defined as “an IoT device and any additional product components that are necessary to use the IoT device beyond basic operational features”.
This means that not just the physical device is in scope of their labeling purview and objectives but also the associated aspects discussed above, such as networking/gateways, companion application software and backends within the architecture. This makes sense, given all of these aspects of the IoT’s architecture and operations are a core part of its security, privacy and safety for consumers and part of the attack surface for malicious actors.
Recommended Baseline Product Criteria
Let’s take a look at some of the baseline product criteria NIST defines when it comes to the cybersecurity outcomes of the IoT devices and developers as part of the product labeling program. These criteria apply both to the device and in some cases the device supplier.
NIST mentions that each of these product criteria may not be applicable to every IoT device and suppliers have flexibility to determine supporting evidence for the various areas of criteria. The official NIST document goes into significant depth for each area of criteria, but we will briefly touch on them below.
Asset Identification
This means the supplier can uniquely identify the product and inventory all of its components. This inventory should be kept up to date and this is useful from the cyber perspective to help identify which IoT products and components are needed for activities such as asset management, digital forensics and incident response.
Product Configuration
Product configurations can introduce vulnerabilities therefore changes should be only able to be performed by authorized entities. From a security perspective it can help customers tailor their products to their needs and to avoid specific threats based on their unique risk appetite. Something worth calling out here is the broader push for Secure-by-Design/Default adoption we’re seeing from CISA and others towards product suppliers. This means products should be secure by default, and hardened, with customers able to make modifications as they see fit, versus needing to harden insecure products they receive.
Data Protection
The IoT device and its components must protect data stored and transmitted from unauthorized access, disclosure and modification.
Interface Access Control
The IoT product and its components must restrict logical access to local and network interfaces to authorized individuals, services and IoT product components.
Software Update
Software updates have availability and security implications, so it is no surprise to see NIST state that updates should only be able to be conducted by authorized entities.
Cybersecurity State Awareness
Suppliers need to be able to detect cybersecurity incidents impacting the IoT products and their components, as well as the data they store and transmit.This involves capturing logs, records and relevant data.
Documentation
Every developer's favorite activity, documentation. NIST states product developers must create, gather and store information relevant to the cybersecurity of the IoT product and its components prior to customer consumption and throughout the product's entire lifecycle.
Information and Query Reception
IoT product suppliers must be able to receive information relevant to the cybersecurity of their products, such as bug reporting and vulnerabilities. They also must be able to receive inquiries from customers and consumers and respond regarding the cybersecurity of their products.
Information Dissemination
Inversely, IoT product suppliers also must be able to disseminate information related to their products, either to the public or directly to customers regarding the cybersecurity of the device and other relevant information such as end of life support, new vulnerabilities and needed maintenance.
Product Education and Awareness
NIST states that IoT product developers must create awareness and education to customers and the broader IotT product community regarding cyber-related information, such as considerations, threats and features to products and components.
IoT Product Vulnerabilities
Given IoT product vulnerabilities and misconfigurations are what primarily leads to security incidents, NIST provides a comprehensive list of example vulnerabilities and incidents as well as relevant tactics and techniques that were involved and related baseline criteria categories we discussed above that could have mitigated risk.
The information and potential product vulnerabilities is too vast to list in this article, but examples cited include unauthorized access to baby monitors, Mirai malware variants, and unauthorized access and publication of fitness tracker data, as well as unauthorized access to home security systems and data.
Recommended Approach for Labeling Success
Given the vast array of IoT devices per the scope of the definition and the incredibly diverse and expansive consumer customer base the labeling scheme is intended to support, it is clear that it is an ambitious goal. Some key guiding principles are emphasized by NIST, which we will touch on below. They include:
Labels being available to consumers before and at the time of purchase as well as afterwards, supporting both digital and physical formats
Labels should be accompanied by a robust consumer education campaign
Consumers should have online access to additional information such as the labels intent, scope and products criteria
While the labeling scheme is a massive undertaking, it is absolutely critical to help suppliers take more responsibility for the security outcomes of customers and consumers (a key theme from CISA’s latest “Secure-by-Design/Default” guidance), and helping consumers make risk-informed decisions around purchases and consumption, which will help address longstanding cybersecurity market failures, incentivizing suppliers to truly address cybersecurity of their IoT products.
The Cyber Trust Mark program is still in its early stages, but the recent addition of international support with the E.U. demonstrates that the program is poised to have a broad impact on the software driven consumer goods market around the world.
Chris, what happened between the document you linked to and NIST.IR.8425 is that NIST decided that they weren't going to try to specify what the program should look like (which they were never mandated to do by the EO), and would just concentrate on having good criteria on which the actual program could be based. You're right that 8425 looks a lot like the previous document, but it doesn't have any of the programmatic elements in that document - just the cybersecurity criteria.
The White House announced last May http://bit.ly/3tUfyO0 that the FCC would develop and run the program and it would be based on criteria developed by NIST. FCC's NOPR was issued in August https://bit.ly/428uyo3 It laid out the FCC's initial ideas for the program and said the criteria for the label would be those in 8425 (which was a good decision, IMO). But nothing is set in stone yet on the program, although the next document the FCC releases should bring more clarity.
I think this program has a good chance to affect device security in general for the better, not just for "consumer" devices. When NIST released 8425, they stated that these would be good criteria for all devices, not just consumer ones. But they said they might release additional criteria for diferent types of commerical and industrial devices in the future. So I suspect that a lot of commercial and industrial device makers will also want to get the label. I think this is really the right way to "regulate" devices - with positive incentives rather than penalties. https://bit.ly/3S37y4Y
Good post, Chris. However, the document you're referring to was a preliminary one (there were at leat a couple others), before released NIST.IR 8425 https://csrc.nist.gov/pubs/ir/8425/final later in 2022. Meanwhile, the White House decided that the device labeling program, which had been delegated to NIST to develop in EO 14028, should be designed and run by the FCC, but based on 8425. The FCC released a Notice of Proposed Rulemaking (including a request for comments) for the labeling program last July; another document from the FCC on this is due soon. The program is targeted to be up and running by the end of this year, although that's perhaps too ambitious.
Meanwhile, the EU doesn't have a device labeling program, either (Germany has a program which is entirely advisory. Singapore and Finland both have active programs), and the CRA doesn't include anything like that. So I wouldn't look for anything from the EU (especially not a joint labeling program with the US) for years.
The FCC effort may well set the standard for other countries, but their program is very much in the discussion phase now. There will also be a program (whether or not it's "labeling") for consumer routers, but that will be run separately (also by the FCC).