The NIST issued draft recommendations for IoT labeling criteria in response to President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity. These recommendations outline cybersecurity criteria for an IoT product labeling program that would include label criteria and design considerations for user education and conformity assessment.
The program would provide a clear indication of whether an IoT product or software package has met a set of specified cybersecurity requirements. NIST also recommends a scannable, accessible URL or QR code for additional information about the cybersecurity status of an IoT product or software. This information could help users and the federal government make informed decisions about their vendors and devices.
These recommendations contain few specific cybersecurity demands, they are broad and designed to be outcome-based, not burdensome. Recognizing that a one size fits all approach is not realistic, NIST established baseline criteria that include:
- Uniquely identifiable products with asset identification
- Changeable product configuration
- Data protection
- Interface access control for restricted access
- Updatable software
- Cybersecurity state awareness to detect cybersecurity incidents
- Product information documentation
- Information and query reception
- Information dissemination
- Product education and awareness
While NIST labeling recommendations do not guarantee security, they certify that the process by which an IoT tool was built and developed considers security and follows industry-leading best practices.
Companies must understand that the list of affected products may be broad and unexpected.
- An insecure camera or television connected to a corporate network could provide an entry point for an attacker to infiltrate and obtain sensitive information.
- An IoT toothbrush that helps consumers improve brushing habits can pose a cybersecurity risk once connected to a local wireless network, where the toothbrush can become an entry or pivot point for attackers to breach a network.
This labeling will bring some clarity to IoT cybersecurity, especially for non-technical users. Businesses will benefit from having clearer cybersecurity expectations about IoT tools before connecting devices to their networks.
Security leaders who implement applicable NIST recommendations proactively over time can see lower implementation costs and a stronger competitive posture. Those who wait until the last minute and are forced to implement quickly will likely experience greater costs and business disruption. It is essential to consult with experts who assist businesses in understanding the requirements and their associated impact whether from damaging impact to brand reputation when things go wrong or from rewards that come from proactive implementation.