The planned smart device security labeling program spearheaded by the US government will be introduced next year, although official details about its implementation are not yet available. From home routers to smart cameras, various connected devices are set to get cybersecurity labels similar to the Energy Star labels used on appliances.
The question is this: Can labels really help address the IoT security challenges associated with smart devices? Some compare this IoT cybersecurity labeling plan to the compulsory “nutrition facts” on food products, which does not appear to inspire optimism. The nutrition information on junk food and sugar-rich food products has not discouraged people from consuming unhealthy products.
Will the same happen to the US government’s device labeling plan? Can cybersecurity labels drive consumers towards highly secure gadgets, or will they just go on with their usual buying habits, wherein product availability and prices are usually the most important purchase decision-driving factors?
The answers to these questions can be explained more intuitively by discussing smart device and IoT security challenges and presenting the proposed or expected benefits of the cybersecurity labeling program.
Challenge 1: Lack of visibility
More often than not, Internet of Things (IoT) manufacturers do not have any system for monitoring their products. Once their devices move to the hands of customers, they no longer exert any effort to check if their products require security updates or patches to address malfunctions and security vulnerabilities. They do not have a system to keep track of changes or product activity histories that can be used to determine the root cause of issues and provide the necessary remedies.
This lack of visibility suggests that products are unlikely to be secure. It is an important fact that should be taken into account when examining the cyber threat readiness of certain smart devices, something that can be reflected in the proposed IoT labeling program.
Challenge 2: Reactive approach to zero-day threats
A big majority of IoT and smart device manufacturers do not include the anticipation of zero-day threats as part of their product security strategy. Primarily reactive, their sole solution to threats is security patching, which is useless against zero-day threats. It takes time to develop and release a security patch in response to newly discovered vulnerabilities. It takes even longer for the patches to be applied by the device owners.
Before the security patch is installed, it is likely that threat actors have already managed to exploit an unpatched vulnerability and inflicted damage that could have been preventable. IoT makers need to consider employing cybersecurity solutions that are proactive instead of reactive. Examples of these are simplified network access controls (NAC), web application firewalls (WAF), and extended detection and response (XDR).
This does not mean that security patching is no longer necessary. It is still an important part of securing smart devices, but there have to be ways to address zero-day or newly emerging unidentified threats.
IoT cybersecurity labeling can be used to indicate if specific IoT devices or smart gadgets have proactive security versus zero-day threats. Regulators will be obliged to examine the protection systems baked into devices or their ability to integrate with the proactive cyber defense solutions employed by organizations.
Challenge 3: Open source and third-party vulnerability exposure
Many IoT device makers do not develop from scratch their own firmware or the basic software installed in their devices. This is particularly true for mass-produced generic devices that flood the low-cost electronics retail industry. These unknown brands or generic devices rely on open-source or third-party software libraries for their authentication, communication, encryption, and other fundamental functions.
One report indicates that around 84 percent of codebases have components that contain known security vulnerabilities. This figure should alarm those that patronize cheap IoT and smart devices for various purposes. A significant number of “successful” cyber attacks on IoT devices are attributed to open-source and third-party. This makes cyber attacks easier for cybercriminals, as the knowledge of the specific devices used by an organization could be all they need to come up with an efficient attack strategy against specific businesses or organizations.
Cybersecurity labeling for IoT devices can help address this problem by alerting prospective smart device buyers about the possible security flaws or defects of the software in the products they are considering. Regulators can keep a comprehensive and growing guide on all open-source and third-party software security flaws.
Challenge 4: Performance over security
IoT devices inherently have limited resources, particularly their CPU, RAM, and ROM. As such, they cannot pack advanced security software tools, which are generally resource-intensive. It would be difficult to bring together security and performance with all the limitations of IoT products.
Many IoT device manufacturers admit that they purposely take out or cut corners on their security features to ensure that their devices can run relatively smoothly. This results in vulnerabilities that make IoT gadgets even less capable of resisting attacks, especially sophisticated tactics.
The planned nonprofit/nongovernmental organization that will be established to oversee the national cybersecurity certification and labeling activities can evaluate devices to ascertain their cybersecurity readiness. Too many security compromises will be indicated in the cybersecurity label or reflected in the overall score/rank written on the label.
Challenge 5: Outdated or obsolete security tools and methods
Some smart device makers demonstrate some inclination to make their devices safe and secure. However, the tools they install or the approaches they undertake may no longer be applicable to the current threat ecosystem. They could be using outdated static analysis and vulnerability discovery solutions, which do not help improve the security of their products. There are also those that employ perimeter defense and network segmentation solutions that have notably limited capabilities in detecting and stopping IoT device assaults.
These facts need to be indicated in the proposed IoT cybersecurity label to encourage device makers to update the security solutions they use. If manufacturers refuse to update their security features, customers will know that they will likely be endangering their IT assets or resources by allowing such devices to connect to their network.
Guide, not a silver bullet
Will a cybersecurity labeling system be enough to address the challenges that mire IoT and connected smart devices? It can certainly help, but it is not going to be the be-all and end-all solution. There is and will never be a foolproof solution. However, labels can guide customers in making smart choices. If customers still choose devices with low cybersecurity ratings/scores and various caveats, the risk is theirs to take.
Nevertheless, authorities may use the labels in setting thresholds for the cybersecurity level acceptability of devices that will be allowed in certain settings. By doing this, they can subtly enforce a policy of only using proven secure devices in businesses and government offices.
- Access:7 Supply Chain Flaws Impact ATMs, Medical, IoT devices
- IoT Devices Can Be Hacked to Install Ransomware on OT Networks
- Millions of IoT devices, baby monitors open to audio, video snooping
- Vulnerable Smartphones, IoT Devices: 400% increase in infection rate
- Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai