In an effort to improve cybersecurity in the United States, the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and other federal government agencies are initiating an Internet of Things (IoT) product labeling program for consumer devices. This action is being taken as part of Executive Order (EO) 14028 on improving the nation's cybersecurity.
Defining Consumer IoT
As defined by NIST, an IoT device is a computing device with at least one sensor or actuator and access to a network interface. These devices are usually components of larger systems that may include multiple backends or companion applications. Because those system components have access to the IoT devices and their data, they are exposed to cyberattacks originating from other systems, the local network, or the internet.
Consumer IoT cybersecurity is a growing concern as these products' presence in the marketplace continues to increase. Consumer IoT products include smart home devices, health monitoring devices, home security systems, fitness trackers, and transportation equipment.
Beyond the consumer realm, IoT devices are widely used in industrial control systems, agriculture, military, and critical infrastructure applications. In recent years there have been many incidents in which these devices were attacked, rendering operations inoperable, such as the recent water treatment facility hacks.
Baseline Criteria for Product Labeling
NIST is recommending the following baseline criteria for IoT product systems and devices:
- Asset Identification: IoT products should be uniquely identifiable, and the system should be capable of maintaining an inventory of all its components. This ability is required to support asset management, in particular a cybersecurity program's ability to update components, protect data, and perform digital forensics for incident response.
- Product Configuration: There should be a method to restore system configurations to secure default settings. Additionally, only authorized individuals, services, and other IoT components should be able to change the configuration. This allows the user to tailor the system securely.
- Data Protection: This requirement involves the protection of sensitive information stored and transmitted by all connected devices. It supports the confidentiality, integrity, and availability (CIA) requirements of information security.
- Interface Access Control: Access to systems and components should be restricted to local network interfaces and to the protocols and services used by those interfaces. Furthermore, access should be limited to authorized individuals, services, and IoT system components. This preserves confidentiality, integrity, and availability by preventing unauthorized access and modification.
- Software Update: All system devices should be capable of receiving software updates to address vulnerabilities discovered after a product has been sold.
- Cybersecurity State Awareness: All products should capture and store data that can be used to detect cybersecurity incidents.
- Documentation: The product developer is responsible for creating, gathering, and storing cybersecurity information about the product prior to release and throughout the life cycle of the IoT device or system.
- Information and Query Reception: The product developer must be able to receive cybersecurity information relevant to a product from customers and other sources.
- Information Dissemination: The product developer must inform the public and customers of collected cybersecurity information.
- Product Education and Awareness: Customers should be informed of best practices for using the IoT product securely.
Product Developer Risk Management
Product developers need to make assessments based on the specific risks of each product, because IoT products are diverse and can be tailored in numerous ways. This approach allows flexibility in supporting new products and technologies as risks change, and it lets the developer or assessor base their judgements on the mitigations that are most appropriate.
Use of Existing Resources Moving Forward
Implementation of the IoT product labeling program will make use of existing standards and programs, including international standards such as CTA 2088 and ETSI 303 645. Harmonizing conformity assessment schemes will benefit developers, customers, and assessors. NIST also recommends that the usability of the label program be tested periodically with a large variety of customers.
Consumer Education
NIST has recommended that a consumer education campaign be conducted to raise awareness of the IoT product labeling program and the importance of sound cybersecurity practices. This will benefit both consumers and the marketplace and ensure greater protection of data.
CVG Strategy Cybersecurity
CVG Strategy consultants provide training to make your entire team aware of cyberattacks and of the processes that prevent these threats. We can assist with reviews of policies, risk assessment approaches, and best practices to build management systems capable of handling complex cybersecurity requirements.
Our ISMS consulting services help organizations plan, create, upgrade, and certify a robust and effective Information Security Management System (ISMS). Our team of experts brings extensive experience and deep information security process control expertise (including certification as Exemplar Global ISO/IEC 27001:2013 Lead Auditor) to ensure that you achieve ISO 27001 certification on time and on budget.
CVG Strategy is also committed to the goals of CMMC in keeping our defense manufacturing supply chain's information secure. As industry leaders in cybersecurity, ITAR, and risk-based management systems, we have experience with companies of all sizes and understand the importance of flexible, innovative approaches to meeting the requirements of CMMC, establishing effective programs, and achieving certification.