US cybersecurity labeling program for IoT devices

Pat Wilbur
January 4, 2023

As part of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, the administration turned its focus to connected devices last year, announcing plans for a new cybersecurity labeling program for consumer IoT devices starting this year.

We’ve seen increasing regulation on consumer privacy with GDPR, and the UK introduced the Product Security and Telecommunications Infrastructure Bill in 2021 to better protect consumers’ IoT devices from hackers. With more than 14 billion connected IoT devices, the focus on IoT devices is a natural next step, as there are a number of new security vulnerabilities that both device manufacturers and consumers must be aware of. Much like the Energy Star ratings, the goal of this new program is to equip devices with easily recognizable labels that better inform consumers about the cybersecurity of the devices they use. As part of this labeling program, NIST was required to identify IoT cybersecurity criteria and secure software development criteria.

While increasing transparency and awareness could be a great step in protecting consumers, the mere presence of criteria or a labeling program does not immediately guarantee that devices are secure or cannot be hacked/misused.

There are some security best practices that are well-understood and widely adopted that IoT manufacturers should already follow, but the hope is that, through labeling, consumers will be able to make wiser purchasing decisions and compare devices across known risk categories. Consumers would ideally know answers to questions like:

  • Are protections used for personal data that is transmitted?
  • Does this device support software updates?
  • Can I reset/restore the device to a known-secure default state?
  • Are unnecessary management interfaces off by default?

Unfortunately, there are always bad actors, and it’s important that individuals are aware of types of threats and understand what’s needed to protect themselves.

Cybersecurity best practices continue to evolve

In addition to NIST’s criteria, several organizations have historically published security best practices and common vulnerabilities. The OWASP Foundation shares the top ten most critical web security risks, for example. The OWASP Top Ten list is a helpful baseline to use when developing software or anything connected to the Internet. It covers common vulnerabilities such as violations of the Principle of Least Privilege, lack of web security headers to enforce minimum communication security, and lack of centralized logging.

We’ve seen cybersecurity labeling before; web browsers warn consumers of known risks, like unsafe plugins, the risks of installing extensions, and the risks of sending sensitive information over unencrypted channels (i.e., HTTP instead of HTTPS).

Labels on connected devices could validate that certain security best practices have been adopted and could increase consumer confidence. Taking labeling one step further, if labels provide consumers with context on what types of information are exchanged when using the product, consumers could be more informed. Another way labeling could possibly be extended in the future is to include assumptions, warnings, and responsibilities related to the role of the consumer to help ensure security and privacy. Regardless of a label requirement, manufacturers should adopt best practices to secure connected devices, protecting their devices and the consumers who use them.

Cellular connectivity for IoT security

In addition to securing IoT devices and the protocols they use to send data over a network, it can be useful to get IoT devices on a purpose-built network for IoT. Using a network designed for IoT can reduce the risk of an IoT device being used as an attack vector (to attack other devices). For example, a hacker was able to obtain customer credit card data from a major retailer’s connected cash registers after first tapping into connected HVAC equipment. By leveraging a purpose-built network, you isolate IoT devices and enhance security based on the device specifications.

Purpose-built cellular networks offer additional layers of protection and span many geographies. They can be used by mobile devices without a fixed location, and also by fixed devices, so that those devices don’t need to connect to an on-premises network. They also streamline the device/network authentication process by utilizing a Subscriber Identity Module (SIM).

Securely connect your devices with Hologram

Hologram places a high value on security. Leveraging purpose-built cellular networks and building security features in the Hologram Dashboard, we’re focused on protecting our customers’ devices and data.
