What the FCC’s Cybersecurity Labeling Program Means for Business

The Federal Communications Commission (FCC) approved a new cybersecurity labeling program for smart products earlier this week, designed to give customers greater insight into the security of devices on the market.

IoT World Today spoke to industry experts about what this new program aims to achieve and what additional steps businesses can take to maintain security standards in an age of increasing risk. 

Hollie Hennessy, Senior IoT Cybersecurity Analyst, Omdia 

At the moment, the program is still in its planning stages and what will be included is still under discussion. However, it’s worth noting that voluntary schemes have varying success. 

Manufacturers haven’t had the best track record at designing IoT devices securely – which is why there’s so much insecure IoT out there. How the FCC collaborates and partners will be key.

The U.S. is missing a national legislation for consumer IoT – the UK has legislation passed and soon to be enforced, the EU will have the Cyber Resilience Act. The labeling scheme is voluntary so there’s no actual requirement for any of these measures, but manufacturers wanting to sell on a global basis will need to take cybersecurity more seriously.

It’s also worth noting that schemes like this seek to raise the bar, show that manufacturers are taking device security seriously, are becoming certified, showcasing that to consumers etc. it doesn’t necessarily mean ‘this device is secure’, it’s more that it has met certain cybersecurity requirements or standards – that needs to be clearly communicated to consumers.

Related:FCC Approves Cybersecurity Labeling Program for Smart Products

Chris Pierson, CEO, BlackCloak
Publishing a trust program for IoT devices/manufacturers to provide information on the cybersecurity protections is a positive step if the requirements are robust, consumers are educated on what the options mean, the risk options are robust and specific and consumers actually choose to review the data.

As the program is voluntary, its usefulness will depend on user education about the trust seals, what they mean, what the choices mean and how to make buying decisions based on the data.  

Given that many IoT devices are purchased online, the awareness and efficacy of the trust seals may lag behind other programs launched to enable better consumer awareness around differences in products (e.g. Energy Star ratings on large appliances).

While the program focuses on cybersecurity by reporting on whether the devices are automated patched and the length of support for the device, there is little mention of the collection, use

and onward use (or sale) of the data that might be collected by IoT devices. This is a pretty big hole to not include both cybersecurity and privacy awareness in the trust seal initiative.

Ellen Boehm, Senior Vice President of IoT Strategy and Operations, Keyfactor

With the FCC’s approval of the U.S. Cyber Trust Mark labeling program, we’re taking a big step as an industry in helping Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. 

While there are still some concerns about the scope and implementation of the new program, it is a step in the right direction. We’re acknowledging that there is a gap in cybersecurity awareness and we need to make consumers more aware of risks.  

As consumers, when we make a purchase, we expect a certain level of quality and safety in our products. This consumer expectation also holds true for the security protocols embedded inside the smart home tech and connected devices they choose to use. As with any new program there will be iterations, but the launch provides a starting point for this very important conversation to happen, which will in turn start to drive more awareness of the security of our smart devices on a national level for U.S. consumers.

Patrick Gillespie, OT Lead, GuidePoint Security 

Time will tell if consumers adopt and trust the new U.S. Cyber Trust Mark. Performing software updates is a part of the IoT cybersecurity program. Manufacturers that participate in the voluntary program will have to install software updates for vulnerabilities discovered after the IoT product has been deployed.

The best way to create secure devices is to follow secure development guidelines for hardware and software. No device or code is perfect. 

Part of creating secure devices is extensive testing, strong authentication, strong encryption on all communications and continuous monitoring even after the IoT devices are in production.  

Sonu Shankar, Chief Strategy Officer, Phosphorus

With the proliferation of IP-connected devices in various sectors such as health care, manufacturing, energy, retail, hospitality and financial services, emphasizing fundamental security hygiene for devices should be a paramount consideration in any regulatory

proposal aimed at securing IoT, including IoMT, ICS, OT, IIoT and more. 

From a threat modeling standpoint, three primary areas of significance in IoT are passwords, configuration and firmware. 

Device misconfigurations and a general lack of adherence to best practices continue to leave large critical infrastructure environments at risk. Lastly, echoing the concerns raised by Commissioner Simington, it is worth noting that IoT firmware patching remains a challenging issue, with the practice often not deemed essential in many critical environments across the United States today.

The ubiquity of IoT now necessitates immediate attention and underscores the urgency for a similar model of “shared responsibility” with regards to IoT security. While there must be requirements directed at device manufacturers, operators need to understand that they, too, have a role to play when it comes to securing IoT.

Any regulation aimed at device manufacturers should, therefore, also highlight the importance of device manufacturers clearly communicating the operator's responsibility in adhering to fundamental security hygiene activities.