The White House recently announced the U.S. Cyber Trust Mark program, a cybersecurity certification and labeling initiative to help consumers identify less vulnerable smart devices, effectively raising the bar for Internet of Things, or IoT, cybersecurity standards.
This initiative underscores the importance of public and private sector collaboration to effectively capitalize on cutting-edge technologies without compromising on safety and compliance.
IoT devices can include mundane items like home appliances and fitness trackers as well as more complex machines such as connected vehicles and medical devices. Consumer IoT devices may store personal, financial, or sensitive health information.
To effectively shore up defenses for all IoT, the Federal Communications Commission is seeking public comments on the proposed cybersecurity labeling program, which is expected to launch in 2024.
The FCC’s Fact Sheet on Securing Smart Devices states that “According to one third-party estimate, there were more than 1.5 billion attacks against smart devices in the first six months of 2021 alone. Meanwhile the number of smart devices is skyrocketing, with some estimating that there will be more than 25 billion connected devices in operation by 2030.”
As proposed, the program would use criteria developed by NIST to certify products, such as strong default passwords, data protection, software updates and incident detection capabilities.
While security is paramount, the data-driven insights generated by IoT devices have boundless potential to transform society for the better. Therefore, as security protocols are bolstered, organizations must strive to balance security and functionality.
Security by design
Building secure-by-design connected devices is no small task. Manufacturers will require significant guidance and assistance to create products with resilient security features, as well as to earn security accreditation outlined by the U.S. Cyber Trust Mark program.
Weak built-in security features are a primary IoT device security challenge. IoT devices are rarely designed by cybersecurity professionals, leading to insufficient defense mechanisms. Moreover, many of these devices cannot be easily patched, since software updates may change the functionality of the device or require regulatory review and assessment. Some IoT devices even come with legacy or proprietary operating systems that can be difficult to upgrade or secure.
Given the potential consequences of an IoT cyberattack, it’s imperative to hold manufacturers accountable for hardening their products and providing security guidance and support to consumers. Collaboration between IT professionals, manufacturers and public sector regulators is necessary to develop a security program that can respond to evolving security threats, develop patches, and support patch delivery.
Best practices for scalable IoT security
As identified by NIST, account and access takeover are prevalent risks to many IoT devices. Luckily, these risks can be mitigated with appropriate password management practices, including changing the default password, adequately managing the network configuration and password, and instituting proper access control protocols.
Other best practices include segmenting networks and devices to limit lateral movement, removing extraneous services to minimize potential threat vectors, and continually patching emergent security issues.
Powerful tools to protect the data transmitted by IoT devices include encryption and authentication methods. Perhaps most importantly, manufacturers should provide a “kill switch” in the device that allows for the manual shutdown of the entire system in case of an emergency.
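The controls listed above (changing default credentials, access control, removing extraneous services, patching, encrypted transport, and a kill switch) can be turned into a repeatable configuration audit. The script below is an added illustration written for this article, not code from the article, the FCC, or NIST; the device configuration schema, the default-credential list, the unneeded-service list, and the 180-day firmware-age threshold are all constructed assumptions for the example.

```python
"""Baseline audit of a consumer IoT device configuration against the
best practices named in the article. Added example; the schema,
reference lists and thresholds below are constructed, not a real standard."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed: vendor default credential pairs that must never remain in use.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "12345"), ("user", "user"),
}

# Constructed: services that a consumer device should not expose at all.
UNNEEDED_SERVICES = {"telnet", "ftp", "upnp", "snmp-v1"}

# Assumption for the example: firmware older than this is flagged as stale.
MAX_FIRMWARE_AGE_DAYS = 180


@dataclass
class DeviceConfig:
    """Constructed schema describing the security-relevant settings of one device."""
    username: str
    password: str
    enabled_services: set[str]
    firmware_release: date
    update_mechanism: str        # "automatic", "manual" or "none"
    tls_for_telemetry: bool      # data in transit is encrypted
    per_device_credentials: bool # credentials are unique per unit, not shared
    kill_switch: bool            # manual shutdown capability exists


def password_is_weak(pw: str) -> bool:
    """Minimal strength heuristic: length plus character-class diversity."""
    classes = sum([
        any(c.islower() for c in pw), any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw),
    ])
    return len(pw) < 12 or classes < 3


def audit_device(cfg: DeviceConfig, today: date) -> list[str]:
    """Return a list of finding codes; an empty list means the baseline passed."""
    findings: list[str] = []
    # Account takeover: default or weak credentials.
    if (cfg.username, cfg.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    elif password_is_weak(cfg.password):
        findings.append("weak-password")
    if not cfg.per_device_credentials:
        findings.append("shared-credentials")
    # Attack surface: services the device does not need.
    for svc in sorted(cfg.enabled_services & UNNEEDED_SERVICES):
        findings.append(f"unneeded-service:{svc}")
    # Patching: is there an update path, and is the firmware current?
    if cfg.update_mechanism == "none":
        findings.append("no-update-path")
    elif (today - cfg.firmware_release).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    # Data protection in transit and emergency shutdown.
    if not cfg.tls_for_telemetry:
        findings.append("cleartext-telemetry")
    if not cfg.kill_switch:
        findings.append("no-kill-switch")
    return findings


# Constructed sample devices: one shipped with factory settings, one hardened.
WEAK_DEVICE = DeviceConfig("admin", "admin", {"https", "telnet", "upnp"},
                           date(2022, 1, 10), "manual", False, False, False)
HARDENED_DEVICE = DeviceConfig("owner", "Tq7#vLm2!pXr9s", {"https", "mqtt-tls"},
                               date(2023, 6, 1), "automatic", True, True, True)


def run_sample_audit(today: date = date(2023, 8, 1)) -> dict[str, list[str]]:
    """Audit both constructed devices as of a fixed date."""
    return {"weak": audit_device(WEAK_DEVICE, today),
            "hardened": audit_device(HARDENED_DEVICE, today)}


if __name__ == "__main__":
    for name, findings in run_sample_audit().items():
        print(f"{name}: {findings or ['pass']}")
```

Each finding code maps to one of the controls in the article, so the same checklist can be run against a fleet of devices before they are admitted to a segmented network, and re-run after each firmware release to confirm the posture has not regressed.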
Security is not a static issue — while a product may be secure today, it could easily become vulnerable in the future as hacking tactics advance. With continual collaboration between the public and private sectors, such as sharing threat intelligence and risk management best practices, all parties can securely benefit from the transformative potential of IoT.
Once security is strengthened, users can begin to reap the many benefits of smart devices such as convenience, efficiency, automation, situational awareness, and self-service. When used optimally, IoT devices can leverage cloud computing for effective data analytics and log processing. Artificial intelligence and machine learning solutions can even be implemented to identify risks, predict outcomes, improve decision making and enhance customer experiences.
Collaboration between the public and private sectors is key to a successful IoT cybersecurity labeling program such as the U.S. Cyber Trust Mark. The private sector needs policy guidance, technical support, and credible accreditation for making products. On the other hand, the government needs the private sector’s input on innovations and product development to ensure it’s more effective in addressing emerging risks.
Insights from leaders in both sectors will allow the nation to rise to meet the urgent need for enhanced IoT security.
Gary Wang is Chief Technology Officer at DMI, a supplier of cybersecurity, cloud migration and other services to companies and governments.