We need labels. Personally, the presence of labels is absolutely crucial for my health. I need them to understand the nutritional content of the food I eat and determine how much insulin to take, says Mike Nelson, VP of digital trust, DigiCert.
We might not notice it but product labeling is often crucial to our personal safety. It’s what shows us the nutritional content of our food, it’s what allows us to know the efficiency of our electrical goods and the safety of the tools and products that we use in our home.
Labels are what allow us to fundamentally understand what we’re buying and, in turn, hold vendors to account with our consumption choices. In the US, IoT devices will soon be subject to the same requirements. In fact, the White House’s National Security Council will soon be rolling out new labeling requirements for IoT products.
This follows a 2021 Executive Order from the White House which directs the US National Institute of Standards and Technology (NIST) to create a IoT labeling programme.
The rollout of these new requirements is expected in the coming months but there have still been precious few details forthcoming about what this IoT labeling programme might require.
Why it matters
The scope of the IoT’s potential is massive applicable use cases range from city-transforming sensor arrays to autonomous vehicles to talking children’s toys. As a result, global device numbers are booming. In fact, according to IHS Markit, the number of devices will reach 125 billion by 2030.
The unfortunate reality of the explosion of IoT devices is that they’re often highly insecure. Vulnerabilities and insecure design decisions have dogged the field from the beginning and, despite growing awareness of its risks, many of its weaknesses stubbornly reproduce themselves in new devices.
These problems have been largely opaque to users, who have been acquiring IoT devices blindly and bringing them into their homes, unaware of their potential risks.
This is why labels could be such an important step towards making the IoT more secure – it’s a fundamental extension of digital trust into the consumer space. Labels allow us to understand what we’re engaging with, without the necessary technical knowledge or ability to assess them ourselves.
Concrete details about the labeling scheme still have yet to be released. However, NIST published their recommendations around the minimum security requirements in February 2022.
Crucially, they view IoT devices as part of a system to which any labeling considerations must extend. These include the IoT device itself but also its components and the systems that the device requires for operations, such as mobile apps or specialty networking hardware.
The recommendations go on to point out a number of baseline criteria that should be used for qualification. The first among them is “Asset Identification,” that devices can be uniquely identified by the customer and the relevant authorities. This could be achieved through assigning Device Identity during the manufacturing stage with digital certificates. It adds that the IoT product must identify each IoT product component and maintain an up-to-date inventory.
Then NIST recommends that IoT devices and the applicable components be configurable, such as the ability to restore to a default secure setting by an authorised individual such as the customer. This will help users tailor security settings to their own needs.
Data Protection is another key recommendation. NIST’s report declares that IoT products and its components protect stored and transmitted data from unauthorised access. This can be done with digital certificates to maintain the confidentiality, integrity and availability of that data.
The report goes on to recommend, among other things, that devices must be able to receive, verify and apply software updates using a secure and configurable mechanism. This can be achieved through code signing certificates which can help authenticate valid updates and stop malicious packages masquerading as updates, a key vector for attacks on IoT devices.
IoT products must also record information on the security state of the devices and the components therein, so that customers can be alerted when security risks emerge.
These are important steps to take to make IoT devices secure however there are still a number of unanswered questions about how the US’ new labeling scheme will proceed.
What will the label indicate?
NIST has discussed the possibility of labels being handed out on a binary basis meaning that devices will receive the label based on whether they qualify. However, the US is only the latest of a few countries to initiate IoT labeling.
For its own IoT labeling programme, Singapore has established four tiers of grading for the devices under its labeling system. The first and lowest signifies that the device has met baseline requirements for the ETSI EN 303 645 standard. The second shows that the product contains secure lifecycle features and adheres to Secure-By-Design features. The third indicates that the device has undergone Software Binary Analysis by a third party lab and is free from known common software vulnerabilities. The final and highest standard within Singapore’s system shows that the device has undergone further penetration testing to demonstrate its resistance to common cyber-attacks.
Static vs. adaptive labels
Good cybersecurity is a constantly moving target. As such, a static label will likely not accommodate that fast pace as new threats and vulnerabilities emerge. An adaptive label that can accommodate that fast will likely be the best way forward. That could come in the form of a QR code, which users can scan to access a web page which could easily explain the security risks and be updated as required.
Accommodating IoT diversity
The IoT spans a huge variety of use cases from smart kettles to smart cities those two use cases alone will come with their own considerations and requirements. A labeling standard will have to accommodate that diversity of device types and use cases, and be flexible enough to offer different solutions for different devices.
What about the supply chain?
The private sector has devised their own labeling standards, which may offer clues as to the final result of the US scheme. Matter was developed between the Connectivity Standards Alliance (CSA) and a range of silicon valley giants, aiming to introduce interoperability and secure communications between smart home devices.
To qualify for a Matter label, developers will need to design devices with a layered approach to security and a certain level of crypto agility. However, what gives Matter a real edge is its use of PKI and digital certificates in the IoT supply chain.
Many of the IoT’s various security problems spring up in its multifaceted and complex supply chain. The various manufacturers, developers and vendors may not come from a security background and thus many may use insecure components and design practices or overlook much of the best practice that would otherwise keep devices secure. Qualifying for the Matter label demands that IoT devices be embedded with a device identity through a certificate which can then be verified all along the supply chain and into consumers’ hands. Problems in the supply chain are a key cause of IoT insecurity and the US government’s plans should set out their requirements accordingly.
While many of the details of the US government’s IoT labeling programmes are still unclear, the decision to introduce IoT labeling into the world’s largest consumer market should be broadly welcomed. Consumers have been buying IoT products for years now, and often without any knowledge about the inherent risks. When consumers can make decisions on that basis, they’ll not only be able to create market incentives for good security, but digital trust can become a key requirement for IoT products.
The author is Mike Nelson, VP of digital trust, DigiCert.