US government launches cyber security labelling scheme for smart devices
On July 18th, 2023, the US Government announced a cybersecurity certification and labelling program for connected devices. This “US Cyber Trust Mark” will allow consumers to make informed decisions about the consumer devices that they intend to buy and use. Resillion supports the development of global testing and certification schemes that will enable manufacturers to demonstrate they meet those requirements.
IoT is on the increase
In recent years, common consumer devices like refrigerators, vacuum cleaners, baby cameras and alarm systems have transformed into smart devices that have a wired or wireless connection to the internet.
With the number of such smart devices growing rapidly, there is an increasing need to make sure that these devices meet a baseline level of security. In the past, connected devices with a poor security level have been targeted by attackers, resulting in malfunctions or theft of their users' privacy-sensitive data. The global increase in flexible working has expanded this potential attack surface, with poorly secured devices on home or public networks presenting an even greater risk to companies and their employees. Attackers may also compromise these devices on a large scale and subsequently use them to stage wide-scale denial of service attacks against other internet-connected resources.
Research shows that the vast majority of consumers find the cyber security level of devices an important consideration when making a purchasing decision. However, it is difficult for consumers to make conscious decisions when it comes to buying these devices, as there is currently no way to tell how secure a product is based on its packaging.
How do you know your product is secure?
Labelling schemes that inform consumers about the safety, usability, and environmental impact of devices have become commonplace. They allow consumers to make conscious decisions in these fields when it comes to buying and using these devices. However, until now, no such label existed for demonstrating the cyber security of a product.
The new US Cyber Trust Mark launched by the US government on July 18th aims to fill this gap by introducing the same principle of informed choice in the field of cyber security. By labelling a device with the trust mark, consumers will be able to identify that the device meets a certain cyber security level and is thus safe to use. The FCC is expected to roll out the voluntary labelling program, which is expected to be up and running in 2024.
In order to apply the distinct shield logo of the Trust Mark, devices will have to demonstrate that they meet the requirements of the harmonised specification. These requirements will have to ensure, for example, that devices can be securely updated throughout their supported lifecycle, use strong and unique passwords, secure sensitive data at rest and in transit, and protect the privacy of users.
IoT product security certification
The Connectivity Standards Alliance (CSA) is creating a global program for consumer IoT product security certification. This work is supported by 130 CSA member companies from around the world and includes manufacturers, certification bodies, universities, and cyber security testing companies. Resillion is an active CSA member, an Authorised Test Lab for existing CSA certification schemes, and is supporting the creation of this product security certification program.
The product certification program will be suitable for meeting the requirements of emerging standards and regulations around the world, including the US Cyber Trust Mark. The certification standard will initially be based on the existing NIST IR 8245, ETSI EN 303 634 and Singapore Cyber Security Labelling scheme standards.
Resillion’s own in-house developed IoT security testing methodology is based around these same standards, and we offer a Secure Connected Device scheme for products tested using this methodology. Read more about Resillion’s Secure Connected Device Assurance Scheme here.
This test methodology is also used in some of our other IoT testing services, including our European Radio Equipment Directive (RED) testing and consultancy.
Through our own cyber security testing services, and our support for schemes such as the CSA certification scheme and the US Cyber Trust Mark, Resillion demonstrates its active involvement in helping improve the security level of connected devices around the world.