Table of Contents
- Recommended Baseline IoT Product Criteria
- Connecting IoT Vulnerabilities with Criteria
- Recommended Outcome-Oriented Criteria for IoT Products
- What is the U.S. Cyber Trust Mark?
- Scheme Owners’ Vital Role in the Labeling System
- Harmonization of IoT Product Labeling Program
- Labeling Recommendations
- Consumer Education About U.S. Cyber Trust Mark Program
- Conformity Assessment
- Cybersecurity Efforts by IoT Industry Players
- Krasamo IoT Development
As more of our daily interactions become mediated through IoT devices, ensuring the security of these devices and the personal data they manage has become increasingly pressing. This necessitates formulating a comprehensive cybersecurity strategy to protect consumers and their data from potential threats.
In response to this, the National Institute of Standards and Technology (NIST), under the directive of Executive Order 14028, “Improving the Nation’s Cybersecurity,” initiated the development of criteria for a cybersecurity labeling program, the U.S. Cyber Trust Mark, designed specifically for consumer IoT products. The program is expected to be running by late 2024.
The U.S. Cyber Trust Mark consumer IoT labeling program is built on the existing NISTIR 8425, NISTIR 8259A, and NISTIR 8259B publications.
This voluntary labeling program is designed to provide consumers with clear and understandable information about the security of IoT products, allowing them to make informed decisions. In addition to helping consumers, the program aims to incentivize manufacturers to prioritize the development of cyber-secure products (secure by design).
NIST has created recommended baseline product criteria for this labeling scheme based on its existing work in IoT cybersecurity, international standards, and a thorough review of recent IoT product vulnerabilities. However, it should be noted that NIST is not creating its own scheme but is instead identifying key elements of a potential labeling scheme that another organization could implement.
The responsibility of managing the labeling scheme (including tailoring product criteria, developing the label and associated information, and overseeing its application) falls to the scheme owner. The ultimate goal is to create a unified IoT labeling program that reduces confusion among consumers and promotes the widespread adoption of rigorous security practices in the IoT sector.
Recommended Baseline IoT Product Criteria
A consumer IoT product often encompasses a complex system of components, from the endpoint devices to backend servers and companion applications, each of which contributes to the product’s overall functionality. However, these components also present potential avenues of vulnerability and cyber-attack. Therefore, it is paramount that the entire IoT product, including all auxiliary components, is secured and safeguarded against cyber threats.
NIST’s recommended criteria cater to this wide array of components and their potential vulnerabilities. For instance, each IoT product should have the ability to be uniquely identified and maintain an updated inventory of all its constituent components. Furthermore, the IoT product’s configuration should be changeable, with a secure default setting that can be restored when needed, and only authorized individuals should be able to effect these changes.
In the data context, NIST emphasizes that all stored and transmitted data should be protected from unauthorized access, disclosure, and modification. This includes data within individual IoT components and data transmitted between or outside the product. Moreover, the IoT product should restrict logical access to local and network interfaces and protocols and services used by those interfaces to only authorized individuals, services, and other IoT product components.
A labeling program highlights the importance of regularly updating the software across all IoT product components, using secure and configurable mechanisms. To aid in detecting cybersecurity incidents, it is vital that IoT products not only maintain awareness of their own cybersecurity state but also systematically log relevant information regarding the status and activities of their components.
In addition to the product-focused criteria, some recommendations apply to IoT development engineers. Developers should maintain extensive documentation about the cybersecurity aspects of the IoT product and should be able to receive and respond to queries about the cybersecurity of the product. In the same vein, developers should disseminate and broadcast relevant cybersecurity information and work to educate customers about the cybersecurity features of their IoT products.
These recommended criteria outline a comprehensive approach to ensuring the cybersecurity of consumer IoT products, thereby enhancing consumer trust and promoting a secure IoT landscape. These guidelines encourage IoT developers to critically assess their products, identifying potential vulnerabilities and working to address them, aiming to create safer, more secure IoT devices.
Connecting IoT Vulnerabilities with Criteria
Given the diversity of IoT vulnerabilities and corresponding attack tactics, there is no one-size-fits-all solution. Hence, the baseline criteria proposed by the IoT product labeling program are designed to mitigate certain risks associated with each vulnerability. These criteria are not prescriptive in terms of how the mitigations are achieved. Instead, they offer flexible guidelines for securing IoT devices while allowing for innovation and context-based customization.
Recommended Outcome-Oriented Criteria for IoT Products
- Product Configuration
- Interface Access Control
- Product Education and Awareness
- Cybersecurity State Awareness
- Data Protection
- Asset Identification
- Information Dissemination
- Software Update
- Documentation
- Information and Query Reception
By analyzing vulnerabilities, associated attack tactics, and related baseline criteria of many use cases, we can learn and work to develop secure IoT products.
For instance, use cases involving unauthorized access, exposure to the internet, and unencrypted sensitive data led to exploitation tactics such as privilege escalation, credential access, and data collection. Relevant baseline criteria to mitigate these risks include product configuration, interface access control, product education and awareness, and cybersecurity state awareness.
Similarly, an attack demonstrating weak authentication and a lack of internal configuration controls led hackers to use techniques like initial access through valid accounts, execution through a command and scripting interpreter, and privilege escalation. The related baseline criteria could be asset identification, interface access control, information dissemination, software update, and cybersecurity state awareness.
A third case, the unauthorized access and publication of mobile app data, involved vulnerabilities in web application security, unsecured data storage, and weak de-identification methods. The corresponding attack tactics were initial access through exploiting a public-facing application, persistence through code injection, and privilege escalation, and the criteria to mitigate these vulnerabilities are product configuration, cybersecurity state awareness, data protection, and documentation.
Looking at these patterns, the importance of the relationship between various vulnerabilities, attack techniques, and baseline criteria becomes evident. This interplay forms the core of understanding how to secure your devices and IoT ecosystems. It also emphasizes the importance of focusing on both technological solutions and user awareness and education to ensure the cybersecurity of IoT devices.
What is the U.S. Cyber Trust Mark?
It’s vital that these criteria directly address the risks they are meant to mitigate, effectively guiding developers or assessors in their application to specific products or components.
Scheme Owners’ Vital Role in the Labeling System
The scheme owner is the organization or entity responsible for managing and overseeing this scheme. This could be either a public or private sector organization. The scheme owner plays a pivotal role in deciding the scheme’s structure and management, ensuring its operations are aligned with its objectives.
The owner also tailors the product criteria, defines the conformity assessment requirements, develops the product labels and relevant information, and conducts consumer outreach and education.
A scheme owner plays an important role in ensuring that any IoT product meets the expected outcomes. When designing a consumer IoT labeling program, the scheme owner should consider risks related to the product, its components, the customer, and the community.
Additionally, they must contemplate appropriate risk mitigations and their implementation across product components. Tiers in product criteria can also be introduced, driven by the unique risks and needs associated with different IoT products and their components.
The scheme owner will be responsible for balancing these considerations to determine how best to apply the baseline criteria. Furthermore, the criteria for higher cybersecurity tiers could be defined by the inherent risk of the device type or its expected use case and by additional requirements and testing tools. To justify the product’s label, scheme owners must ensure there is enough evidence of conformity to the criteria.
The owner of an IoT labeling scheme can use any existing standard or program, align it with global IoT labeling programs, and employ it to fulfill specific product goals and criteria.
Harmonization of IoT Product Labeling Program
It’s crucial to carefully scope and harmonize the IoT product labeling program with others to prevent confusion, especially for IoT components like mobile apps. Harmonization provides clear direction for adopting cybersecurity and predictability across products, while fragmentation can lead to complications and potential confusion due to divergent requirements.
However, given the diverse nature of the consumer IoT market, complete harmonization may not always be feasible. Thus, when considering the degree of harmonization, a scheme owner should weigh the benefits of harmonization against fragmentation challenges.
Labeling Recommendations
The label’s influence on purchasing decisions depends on factors like time pressure, product functionality, availability of non-connected products, and cost. A good labeling program can educate consumers on the cybersecurity aspects of their IoT purchases.
Recommended labeling practices include:
- Using a binary label (a single label showing the product meets a standard) coupled with a layered approach (additional details accessible via URL or QR code), together referred to as a Layered Binary Label. Through the QR code, consumers can obtain updated security information about their devices.
- Making the label available before, during, and after the point of purchase, which requires flexibility in physical and digital formats.
- Conducting consumer testing to assess initial perceptions and purchase intent, and periodic testing after program implementation to gauge consumer behavior, label appropriateness, and growth in brand recognition.
Note that this does not cover specific design elements of the label but emphasizes its usability and understandability, along with regular consumer testing to avoid bias and ensure statistical relevance.
Consumer Education About U.S. Cyber Trust Mark Program
The responsibility for distributing information may fall on various parties, such as the label program administrator, IoT developers, retailers, manufacturers, security groups, academia, and the government, contingent upon the final structure of the labeling program.
It is viewed as essential for consumers to have online access, beyond just the label, to a range of information such as the intent and scope of the label, product criteria, a user-friendly glossary of technical terms, general information about conformity assessment, and the product’s specific declaration of conformity to the baseline criteria.
Careful attention to messaging and framing is key in formulating consumer education materials. A layered approach that provides basic information upfront, supplemented by more detailed information upon request, is recommended to cater to different levels of consumer engagement and understanding.
Conformity Assessment
This scheme outlines how conformity assessment tasks, roles, and outcomes are structured and managed. Whether a public or private entity, the scheme’s owner oversees its management and consistency with the overall objectives.
Given the diverse nature of consumer IoT products and the relative lack of applicable international standards, more than one conformity assessment approach is required. For consumers who struggle to evaluate the cybersecurity of an IoT device, conformity assessment plays a crucial role in providing them with understandable and actionable information about the product.
Different conformity assessment activities can be employed to show that devices comply with technical requirements. These can include the supplier’s self-attestation, where the provider of the IoT device declares its conformity against a predefined set of criteria.
Alternatively, third-party testing or inspection can be used to examine the IoT device based on defined criteria. A third-party certification, based on an in-depth review, could also affirm that the IoT product meets specific criteria. The choice of activity, or combination of activities, depends on the product and the conformity requirements.
Cybersecurity Efforts by IoT Industry Players
Beyond the introduction of the Matter Certification by The Connectivity Standards Alliance (CSA) last October, the alliance has been working with governments and private companies on harmonizing and aligning leading standards and a certification model to provide coverage in their scheme.
The Connectivity Standards Alliance (CSA) has also formed a Product Security Working Group which, with strong support from 130+ companies, is developing a global program for consumer IoT product security certification that aligns with government standards and regulations (NISTIR 8425 in North America, ETSI EN 303 645 in Europe, and ISO 27402), including the US Cybersecurity Label and other national certification schemes. The program aims to assure consumers worldwide of product security, remove the need for duplicative testing and certification in different countries, and foster a strong security baseline for all devices.
Krasamo IoT Development
Our team of IoT engineers supports clients in adapting their products to IoT cybersecurity standards, certification schemes (the requirements), certification programs (the process that verifies a product meets those requirements), harmonization efforts, and regulations.