The Federal Communications Commission (FCC) will be rolling out a voluntary cybersecurity labeling program for Internet of Things (IoT) products for consumers
At its public meeting today, the Commission unanimously voted to approve the program, which will allow IoT manufacturers to slap US Cyber Trust Certification Marks onto products that meet certain minimum criteria defined by the National Institute for Standards and Technology (NIST).
The marks — plus associated QR codes, linking to product registries with more detailed security information about compliant products — will enable customers to make more informed purchases, and companies to distinguish their products from the competition.
“With the proliferation of products available, it is challenging even for the most informed consumer to confidently identify the cybersecurity capabilities of any given device,” FCC Commissioner Geoffrey Starks said at the open meeting, assuring that “Help is on the way, starting today.”
What Manufacturers Need to Know
The technical criteria necessary to obtain a good-job sticker are defined in NIST’s Internal Report 8425.
Approved devices will need to have a unique identification and an inventory of all their components.
They’ll need to have flexible configurations, the ability to restore to a secure factory setting, and mechanisms to ensure that settings can be changed only by authorized individuals, services, or components.
They’ll need thorough protections for data storage and transmission, and the ability to erase sensitive personal information.
They’ll need to implement strict access controls, and mechanisms for secure, prompt updates to software.
And, finally, they’ll need to be able to capture and record information that can be used to detect cybersecurity incidents affecting their components, as well as the data they store and transmit.
Will the Sticker Have an Impact?
While the program is entirely optional, a number of major technology companies — including Amazon, Best Buy, Google, LG, Logitech, and Samsung — already expressed their support back when it was first announced in 2023.
Only time will tell, though, whether consumers will sufficiently incentivize companies to obtain the badge by voting with their wallets. With somewhere north of 10 billion IoT products expected to leave shelves globally over the coming few years, they’ll certainly have the opportunity to do so.
“A lot of it will probably come down to cost,” says Patrick Gillespie, OT Lead at GuidePoint Security. “To comply, companies will have to build out policies and procedures, they’ll need to adhere to each control and then they’ll also probably need to get a third-party company to test to make sure that the administrative controls functions are working as intended, and also that any communications to and from the device are encrypted and not accessed by anybody on the wireless network.”
“So, for a pretty cheap IoT device — let’s say 100 bucks — if this increases the cost by 10%, consumers will probably pay $110 for that extra security,” he guesses. “Now, if it doubles the price to $200…”