
US to introduce voluntary Cyber Trust Mark for IoT security – updates

By Nick Flaherty



Leading electronics and appliance manufacturers and retailers have joined a voluntary US government scheme to increase cybersecurity on smart devices.

The “US Cyber Trust Mark” was unveiled at the White House this morning with support from Keysight, Infineon, Qorvo, LG Electronics, Amazon, and Samsung Electronics, and is to be rolled out in 2024.

The cybersecurity certification and labelling program aims to help consumers more easily choose smart devices, such as smart refrigerators, smart microwaves, smart televisions, smart climate control systems and smart fitness trackers, that are safer and less vulnerable to cyberattacks.

The US Department of Energy has also announced a collaboration with National Labs and industry partners to research and develop cybersecurity labelling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.

“This is a significant step in levelling up the security of the Internet of Things,” said Johannes Lintzen, Managing Director at Cryptomathic in Denmark.

“Many end-users enjoy the convenience of increasingly connected smart devices, but few are aware of the potential security risks they could be exposed to as a result. Let’s take the example of energy smart meters, which are now in millions of homes: they use two-way communication to function, but unless the data protection and encryption meets the highest levels of assurance, they are at risk of manipulation from rogue elements. This could take the form of disconnecting homes from the grid – and imagine the impact if this was done at scale – as well as spying on the habits of users to sell new commercial services or to determine when they are likely to be away from home, or even simply to hack into their electric vehicle charging and disable it.”

The National Institute of Standards and Technology (NIST) is now starting a project to define cybersecurity requirements for consumer-grade routers. If these are compromised, they can be used to eavesdrop, steal passwords, and attack other devices and high-value networks. NIST will complete this work by the end of 2023, to permit the Federal Communications Commission (FCC) to consider using these requirements to expand the labelling program to cover consumer-grade routers.

Eric Creviston, senior vice president and president of Qorvo’s Connectivity and Sensors Group, participated in an executive roundtable and said, “Qorvo is honored to participate in this important program launch. We are actively involved with industry alliances that define global standards and prioritize IoT device security, enabling us to design our products with full compliance to the latest and most rigorous requirements. Qorvo solutions are embedded across a broad spectrum of IoT applications, and we implement advanced security in these areas to protect the integrity of the network and the end devices.”

“The internet of things is enormous and getting cybersecurity at scale will be crucial,” said Michael Bergman, Vice President, Technology & Standards, Consumer Technology Association. “Automated cybersecurity validation for consumer IoT has huge potential for companies to make their compliance uniform and repeatable.”

“As more devices become interconnected, consumers need complete assurance from device manufacturers and service providers that a high level of security has been implemented and maintained. The U.S. Cyber Trust Mark, supported by NIST, is a positive move to establish greater resilience and trust in IoT technologies,” said Lintzen.

Qorvo works closely with the CSA to define the latest standards for Matter, Bluetooth Low Energy, Zigbee and Thread. As a member of the FiRa Consortium and Car Connectivity Consortium, Qorvo applies Ultra-Wideband (UWB) location capabilities for secure transactions and secure automotive digital key applications, respectively. Qorvo’s connectivity solutions are compliant with the security requirements of automotive digital key/connected car, building/home access, secure transactions and other IoT applications.

Keysight provides a turnkey cybersecurity certification platform that enables automated validation through a point-and-click interface, allowing device makers to quickly bring new IoT products to market without hiring a large team of cybersecurity experts.

Unlike disparate solutions, which require users to assemble and separately manage multiple tools, Keysight’s IoT Security Assessment combines traditional vulnerability assessment with a patented protocol fuzzing engine to provide a comprehensive report on discovered security flaws. Reports include information regarding Open Web Application Security Project (OWASP) vulnerabilities such as weak authentication and encryption, expired certificates, Android vulnerabilities and ADB exposures, known CVEs, and embedded flaws in protocol stacks, including Bluetooth Low Energy attacks such as SweynTooth and BrakTooth.

“The US Cyber Trust Mark will give consumers a way to know if the smart devices they’re purchasing are secure, and give companies a label to show their products meet cybersecurity standards. Together with our industry partners, we are making our homes, classrooms, and workplaces safer and less vulnerable to cyberattacks,” said Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.

Ram Periakaruppan, Vice President and General Manager, Network Test & Security Solutions at Keysight, said: “The cybersecurity landscape is constantly shifting, with a nonstop stream of new threats and vulnerabilities. By using the Keysight IoT Security Assessment, device designers and manufacturers can mitigate potential security issues. The solution automates the testing and validation process to reduce costs while speeding time-to-market.”

“Connected devices of all types are reshaping the world around us – from healthcare and connected cars to consumer electronics and industrial controls. As a leader in IoT, 6G, and other new technologies, Keysight strongly supports the new IoT cybersecurity labeling standards introduced by the White House. We are pleased to share our expertise and tools to help enable device makers to quickly meet these critical new standards to safeguard consumers and manufacturers,” said Satish Dhanasekaran, President and CEO of Keysight.

The Federal Communications Commission (FCC) plans to seek public comment on rolling out the proposed voluntary cybersecurity labelling program, which is expected to be up and running in 2024. The program would certify and label products based on specific cybersecurity criteria published by NIST that, for example, require unique and strong default passwords, data protection, software updates, and incident detection capabilities.

The FCC is applying to register a national trademark with the U.S. Patent and Trademark Office that would be applied to products meeting the established cybersecurity criteria. It plans to use a QR code linking to a national registry of certified devices to provide consumers with specific and comparable security information about these smart products.

The Cyber Trust Mark will have international implications as the US Department of State aims to engage allies and partners toward harmonizing standards and pursuing mutual recognition of similar labelling efforts.

Other participants in the security announcement include CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, the Information Technology Industry Council, IoXT, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, UL Solutions, Yale and August US.
