IoT Devices in the US to Get Cybersecurity Certification

The Biden administration in the US and the Federal Communications Commission have proposed a new label to designate which secure smart home devices meet standards. This rule, which is expected to take effect in 2024 after a comment period, follows President Biden’s 2021 executive order on improving the nation’s cybersecurity. The executive order came in response to an increase in cyberattacks on industry via Internet of Things (IoT) devices and called for criteria to establish a cybersecurity labeling program.

The new standard will be called the U.S. Cyber Trust Mark, and like the ENERGY STAR certification, it will be visible on devices, with the idea of showing consumers that devices that carry the mark are more secure than devices that don’t. This should hopefully make IoT-related cyberattacks—such as a 2017 attack when hackers gained access to a casino’s database of gamblers via its internet-connected fish tank—more difficult.

Industry Is In

While the certification will be optional, at least initially, a number of large and influential platforms have signed on. Amazon, Google, LG, and Samsung are in, representing device makers, as are Qualcomm and Best Buy. Another group that’s joined the initiative is the Connectivity Standards Alliance, which is responsible for the Matter smart home standard.

Support from most of the big names already present in the smart home is a good first step, considering the label won’t be mandatory. The danger of a voluntary certification is that if consumers don’t understand it, they won’t buy the certified devices. Potentially more damaging would be if manufacturers and retailers decided to apply a price premium to certified devices, driving consumers to just buy the cheaper, noncertified versions. However, a retailer like Best Buy could choose to sell only certified devices, which would boost the profile of the certification.

Certification Will Come to Smart Inverters and Meters Eventually

Of course, smart home devices are just the first step, and in many ways the lowest hanging fruit. The National Institute of Standards and Technology is expected to start defining standards for consumer routers, which are more ubiquitous and therefore represent a larger attack vector. They’re also higher risk, as breaching a router’s security would give attackers access to everything on a consumer’s network, including social media passwords, conversations, and even access to other devices.

Additionally, the Department of Energy and its National Labs and industry partners will be researching and developing similar labeling requirements for smart meters and smart inverters. This further initiative will be key for securing smart grids as renewable technology and edge computing for utilities grow more widespread.

Necessary, but Is It Sufficient?

We may be past the Wild West days of the smart home, when a device could be whipped up in a garage in Austin or Palo Alto and cybersecurity only added as an afterthought, but manufacturers keep getting caught sliding on their privacy protections. The certification may spur device makers to close their vulnerabilities in a timelier fashion, especially if it becomes a selling point for other devices. But the millions of existing, noncertified smart devices in use will continue to present a risk for a long time to come.

The blunt truth is that a cybersecurity certification will always be a moving target. In contrast to ENERGY STAR, which can show how energy efficient a device is compared with competitors, a Cyber Trust device will be able to show it’s more secure only for as long as hackers don’t find a way in. Cybersecurity is a constant arms race between hackers and IT departments, which means these standards will probably need to be time-stamped and reviewed at least every year or so. That said, if the certification drives customers toward buying more secure devices, that will be a good thing—especially considering that the weakest part of any network is always the people using it.