NIST’s Cybersecurity Consumer labels for IoT. Will it happen?
Appliances have their Energy Star labels. Buildings have their LEED certifications. And packaged foodstuffs have their Nutrition Facts labels. All are designed to help consumers make wise, informed buying decisions. Soon, there may be something similar for the cybersecurity standards among Internet of Things (IoT) products.
IoT products contain sensors, software, or other technologies that share data with other devices over the Internet or other communications networks. Around 29 billion connected devices are forecast by the end of 2022, of which around 18 billion will be IoT devices. 5G will enable organizations to move into new markets and build new revenue streams with radically new business models and use cases. Some estimate that 152,200 IoT devices will connect to the internet every minute.
Examples of IoT devices include your home security camera, baby monitor, smart appliances, and wearable health trackers. These items are, for many reasons, significantly less secure than your smartphone. So when NIST released its new Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things Products on February 4th, a big first step was taken to protect people from IoT cyberattacks.
The addition of standardized labels could help address a troubling history of poor digital security among IoT products. Instead of establishing its own standardized labeling program, however, NIST is leaving it to “non-governmental label providers” to create and implement one. Add to that the absence of any testing mandate, and the order has no teeth. Its goals can only be met if companies get behind them.
Cyber hardening IoT devices is a challenge.
Every connected thing with an IP address is exposed to attack, and IoT devices are everywhere. This point is not lost on defense contractors.
“For many of BAE Systems’ customers, there’s an increased focus on more specialized computing platforms with respect to cybersecurity,” McNeill says. “IoT is becoming pervasive and impacts infrastructure used by the government. The DoD’s IoT devices rely on limited resources – CPU, memory, connectivity – and are often difficult to update. This requires a more surgical cybersecurity approach, so we’re encouraging them to augment existing practices with automation and analytics. We’re also working on cyber models to support this and to enable governance of IoT networks and devices.”
Security standards are still largely in the works for IoT devices, and they must be “followed as we already do within IT environments,” points out Raytheon’s Brian Stites. “Raytheon has analytics and visualization tools to create knowledge and better controls from the massive amounts of information generated by IoT data. Another technique we use is to remove software glitches from open-source operating systems Linux and Android – to essentially create newer and more secure versions of those systems to use in all manner of devices.”
If you don’t build it, will they come?
We have probably all invented the “micro cooler” in our minds at one time—it’s like a microwave, but for chilling instead of heating. Brilliant concept. Million-dollar idea. But it will never come to pass if would-be inventors don’t make it happen.
NIST’s new IoT labeling recommendations provide an excellent technical basis for testing and thoughtful requirements for clear, consistent labeling, but they leave it to others to establish a program. NIST is stepping back on the logic that it can define a standard, but the standard is no good unless it is widely adopted across the industry. In other words, they have passed the buck. They have the idea for the micro-cooler but not the initiative to make it real.
The Executive Order on Improving the Nation’s Cybersecurity outlined some helpful criteria for cybersecurity labeling within the consumer internet of things. But it is an initiative that will cost manufacturers time, money, and manpower: to establish automation assets up front, and to maintain continuous monitoring afterwards.
Cyber hardening IP-enabled devices will reduce vulnerabilities throughout the network. And that is a task we definitely shouldn’t wait for consumer labeling of IoT products to begin. Instead, we think NIST should step up and lead the program, because leaving it to the industry at large is unlikely to yield the results everyone wants.