The Federal Communications Commission (FCC) will launch a voluntary cybersecurity labeling program for consumer Internet of Things (IoT) products.
At its public meeting today, the Commission voted unanimously in favor of the program, which will allow IoT manufacturers to place US Cyber Trust certification marks on products that meet certain minimum criteria defined by the National Institute for Standards and Technology (NIST).
The marks, along with associated QR codes that link to product registries with more detailed security information on compliant products, will allow customers to make more informed purchases and companies to distinguish their products from the competition.
“With the proliferation of products available, it is difficult for even the most informed consumer to confidently identify the cybersecurity capabilities of any device,” said FCC Commissioner Geoffrey Starks during the open meeting, assuring that “help is on the way, starting today.”
What manufacturers need to know
The technical criteria necessary to obtain the mark are defined in NIST Internal Report 8425.
Approved devices will need to have a unique identification and an inventory of all their components.
They should have flexible configurations, the ability to reset to secure factory settings, and mechanisms to ensure that settings can only be changed by authorized persons, services, or components.
They will need thorough protections for data storage and transmission and the ability to delete sensitive personal information.
They will need to implement strict access controls and mechanisms for secure and timely updates to the software.
And finally, they will need to be able to capture and record information that can be used to detect cybersecurity incidents affecting their components, as well as the data they store and transmit.
Will the sticker have an impact?
While the program is entirely optional, several major tech companies, including Amazon, Best Buy, Google, LG, Logitech, and Samsung, already expressed their support when it was first announced in 2023.
Only time will tell, however, whether consumers will be able to sufficiently incentivize companies to obtain the badge by voting with their wallets. With somewhere north of 10 billion IoT products expected to leave shelves around the world in the next few years, they will certainly have the opportunity to do so.
“It will most likely come down to cost,” says Patrick Gillespie, OT Lead at GuidePoint Security. “To comply, companies will need to develop policies and procedures, will need to adhere to each control, and will likely also need to have a third-party company test to ensure that administrative control functions are working as intended, and also that all communications to and from the device are encrypted and cannot be accessed by anyone on the wireless network.”
“So for a fairly cheap IoT device – say $100 – if that increases the cost by 10%, consumers will probably pay $110 for that extra security,” he hypothesizes. “Now, if you double the price to $200…”