With the recent announcement of the U.S. Cyber Trust Mark program, a national label for consumer internet-of-things device security, shoppers now have an objective way to find products with security designed in. As a result, potential buyers can be much more confident in buying and using products that have a verified baseline level of security based on the criteria defined in NIST IR 8425 (IoT Core Baseline for Consumer Products).

This is crucial because cybersecurity is a necessary precondition for the IoT. Without it, the IoT cannot develop as predicted. According to research from the consultancy Omdia, consumers care deeply about security when shopping for IoT devices.

However, today’s challenge for the consumer is to understand the level of security with which a device comes.

Because security has always been an issue for products connected to the internet, how did this advancement in security finally happen now?

The process the U.S. government used to define the basis for the U.S. Cyber Trust Mark provides a great example of how the government can work in coordination with industry to solve a problem that has concerned people for years but has not been effectively addressed.

It involves six identified steps. The first step is well established as “recognize and identify the problem.” In this case, it is simply “provide improved security for IoT-connected devices.” Table 1 shows the other five steps, the activity and the specific solution for securing IoT devices.

Table 1: A six-step process to problem solving based on an industry organization’s support

Step 2 is often interchanged with Step 1, as industry experts have already worked together and formed an organization to address the specific problem or a similar, related one.

In this case, interested parties formed the Connectivity Standards Alliance (CSA) to create, evolve and manage IoT interoperability. The result was the Matter standard, which was announced last October. CSA also formed the Product Security Working Group (PSWG) to address the identified need for improved security for IoT devices.

Based on the efforts of more than 130 companies actively working within the PSWG, the group developed a framework for a single, global certification program (Step 3) for consumer IoT product security certification that meets the requirements of emerging standards and regulations around the world.

Because more than 130 companies supported the development of the program, Google, Logitech and many other companies have already committed to its support (Step 4). Others, including Infineon Technologies, have committed to providing components supporting the development of conformant products.

With this broad support and the fact that the global certification program is a superset of the requirements for cybersecurity for consumer IoT that includes the regulations from NIST, the European standard (ETSI EN 303 645) and the Singapore Cybersecurity labeling scheme, the U.S. government recognized that consumers in the U.S. would benefit from the introduction and announcement of a national labeling program (Step 5).

Transparency growing

The announcement of the consumer label marks a trend toward more transparency for the customer regarding IoT security.

Governments in other countries may follow the U.S. government’s lead, which can result in a reliable global cybersecurity standard baseline.

As this trend grows, consumers worldwide can select from various certified products with confidence. At the same time, manufacturers will benefit from a certification program that demonstrates conformance, avoiding the need for duplicative testing and certification in each country.

A global label may not be in reach yet, but mutual recognition of different national or regional labels is a huge step toward a more secure and reliable IoT.

With the U.S. announcement, PSWG is now at Step 6—the execution step.

Execution relies on supporting companies to develop products and systems and certify them through the new Product Security standard, thus qualifying them to obtain official labels from various countries and regions. Certifying a product once yields labels for many markets.

During the execution of the program, more unidentified steps will inevitably be required—because more steps are always required with cybersecurity.

However, that’s where CSA and its members’ commitment to continually expand safety and security in the IoT ecosystem comes into play. Like Infineon Technologies, these companies are committed to the PSWG standard and global label programs because their future business depends upon this established security. They expect that the single PSWG security program will provide the security that consumers desire and require in their internet-connected products at a reasonable cost.

Reference source: https://www.eetimes.com/iot-security-labeling-improving-but-more-collaboration-needed/?utm_source=newsletter&utm_campaign=link&utm_medium=EETimesDaily-20231212&oly_enc_id=7109F7425578A5R