Cyber Trust Mark Brings More Secure Connected Devices to the US

A new cybersecurity certification and labeling program called the US Cyber Trust Mark is being developed to help US consumers choose connected devices that are more secure and resistant to hacker attacks.

Proposed by the Federal Communications Commission, the program is expected to roll out next year with the voluntary commitment of smart device vendors.

Major suppliers and manufacturers in the United States have already announced their participation, among them Amazon, Google, Best Buy, LG Electronics USA, Logitech and Samsung Electronics.

NIST-level security for the IoT

The U.S. Cyber Trust Mark program aims to recognize smart products that meet National Institute of Standards and Technology (NIST) cybersecurity criteria, which include the use of unique and strong default passwords, data protection, software updates, and incident detection capabilities.

Participating manufacturers would label their products with a “distinct shield logo” signaling a set of NIST-approved security features.

The labeling is intended for common consumer smart devices, ranging from refrigerators, microwave ovens, televisions and air conditioning systems to fitness trackers, according to the announcement from the Biden-Harris administration.

“Acting under its powers to regulate wireless communication devices, the FCC should seek public comment on the rollout of the proposed voluntary cybersecurity labeling program, which is expected to be operational in 2024” – White House

Until the program launches, the Biden-Harris administration and the Cybersecurity and Infrastructure Security Agency (CISA) would support FCC efforts to educate consumers to look for the Cyber Trust Mark on the products they decide to buy.

To improve transparency and stimulate competition, certified devices would be listed in a national registry that consumers could consult via a QR code to compare the security information of several products.

“Together with other regulators and the U.S. Department of Justice, the Commission plans to establish oversight and enforcement safeguards to maintain confidence in the program.”

Another milestone involves NIST defining, by the end of the year, a set of security requirements for consumer routers. Routers are typical targets for cybercriminals because they are the gateway to the other devices on the local network, which an attacker could then use.

The program also aims to include smart meters and inverters, which are the basis of the clean and smart grid of the future. However, research is needed to develop appropriate cybersecurity labeling for these devices.

Efforts to define baseline security in IoT devices have been around for more than five years, with proposals for a standard firmware update mechanism among the first recommendations of cybersecurity experts, published by the Internet Engineering Task Force (IETF).

A similar initiative was launched in 2017 by the US Department of Commerce, through its National Telecommunications and Information Administration (NTIA), which aimed to develop guidance for IoT manufacturers to inform customers of a product's update options.

That same year, the European Union Agency for Network and Information Security (ENISA) published the report Basic security recommendations for the IoT. A clear summary is available here.

In 2020, the California IoT Act came into force, forcing device makers to include “reasonable security features” in their products, but without providing a clear standard.

