SAN FRANCISCO — Regulators have zeroed-in on securing the device infrastructure, such as the FDA's efforts to enforce cyber requirements for manufacturers. Industry leaders hinted at the RSA Conference on April 25 that the White House will formally announce its plan for developing the national cybersecurity labeling program in May.
“We are experiencing an interesting moment in security. We are seeing the convergence of OT and IoT, and the physical and cybersecurity,” Amit Elazari, head of cybersecurity policy at Intel. “This convergence is forcing, not just the standards — it's also the regulations.”
“There is an urgent need to create a culture of up-leveling and raising the baseline culture when it comes to design, security and transparency of the processes that promote security, like processes that support qualified disclosure,” she added.
The Biden administration first announced its plans to work with the private sector, federal agencies and academic institutions on advancing a national cybersecurity labeling program for IoT devices in November, noting it was a priority for its ongoing critical infrastructure security plans.
Given the prevalence of the devices and growth of the market, a labeling program would assure consumers these devices are safe and incentivize manufacturers to meet higher cybersecurity standards.
Click here for all of SC Media's coverage from the RSA Conference 2023
The recent executive order directs the National Institute of Standards and Technology (NIST) to pilot and label consumer-facing IoT cybersecurity products, explained Katerina Megas, NIST’s cybersecurity for IoT program manager. So the team has been working to build on the core baseline, which is designed to apply across the board for all IoT devices irrespective of market sector.
Very early on, the project leaders found a consistent theme of fragmentation within the IoT market itself. NIST has since started to build on the common core baseline to tailor it to specific risk profiles, working with industry stakeholders and inviting public comments to better understand the appropriate baseline for consumer-facing devices.
The effort has received positive feedback from the industry.
“Samsung is here to support a voluntary IoT cyber labeling program here in the United States that's globally harmonized and incentivizes manufacturers for adoption,” said Eric Tamarkin, senior director and public policy counsel of US Public Affairs for Samsung Electronics America.
“We've been working with our industry partners on this, and we hope for a successful launch,” he added.
Labels refer to the requirements and other aspects of a security program, much like an offensive declaration for a consumer IoT product, anchored to NIST criteria. The ongoing focus for consumer device labeling is a common market screening or padlock for these devices.
The existing label program has criteria for use of the market license, the program, the scheme, and who takes ownership of these issues within the business to manage business processes with manufacturers, signed contracts, sublicense support from the oversight structure, the program owner, and federal aid.
It should be clear, however, that this “is not a single structure,” Michael Bergman, vice president of technology and standards for the Consumer Technology Association. “IoT is too broad and too fast and too varied to use a single scheme.”
For example, “drones are different from doorbell cameras: drones fly over the horizon, mobile cameras to the cloud,” he continued, adding that what’s needed is multiple schemes licensed to issue the mark. “At the end of the day, we need some kind of oversight structure.”
Currently, the government is working to understand the trust mechanisms that must be built into the program.
These security conversations are not just about right now, it’s about planning for the future, Elazari explained. Device labeling should be thought about within the context of a broader conversation “on both baseline security measures, as well as the importance of connecting or securing all connected devices.”
So far, the NIST project has made key determinations. For one, the scope of IoT in general is too broad for a standard set of criteria able to apply to both drones and doorbells.
“The optimal way to approach this would be to articulate requirements as cybersecurity outcomes and to get very specific into how we expect those cybersecurity outcomes to be achieved,” said Megas. In the end, there will be a “program owner ultimately responsible, and NIST’s role is to provide those recommendations.”
“It will be ultimately up to the programmer to determine how they will apply those recommendations, how they will enforce them, and accept them,” she added. “Our role will be to be there to advise the program owner on all of the recommendations and also to help advise on formative assessment programs.”
And that’s where being proactive will enable device manufacturers to keep pace during the ongoing regulatory shift.
