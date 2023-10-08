Sign In Register
Security

FCC pitches voluntary security labeling program for IoT devices

News Analysis

In the wake of new requirements for US ISPs to provide nutrition-style labels regarding broadband prices and speeds, the FCC is now proposing a voluntary program focused on cybersecurity labeling for Internet of Things (IoT) devices.

The idea behind the proposal is to provide consumers with clear information about the security of their IoT devices. Qualifying products, determined in part by baseline criteria recommended by the National Institute of Standards and Technology (NIST), would bear a new shield-shaped "US Cyber Trust Mark" that consumers could refer to when making IoT purchasing decisions. That proposed logo would appear on packaging alongside a QR code that would link consumers to more info.

(Source: Marcos Alvarado/Alamy Stock Photo)
(Source: Marcos Alvarado/Alamy Stock Photo)

The mark would also "differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards," the FCC reasoned in an FAQ (PDF) about the proposed program.

Like the Energy Star program

While some people might be inclined to link the new security labeling program to the FCC's broadband labeling program, the Commission compares it to Energy Star, a program that helps consumers identify energy-efficient products and incentivizes companies to build them.

The FCC said it's stepping in with this Notice of Proposed Rulemaking (NPRM) as IoT devices such as home security cameras, medical devices, lights, garage door openers and baby monitors continue to proliferate and consumer adoption of such devices expands the risk of cybercriminals launching denial of service attacks and other malicious acts.

"There are now so many new devices – from smart televisions and thermostats to home security cameras, baby monitors, and fitness trackers – that are connected to the internet," FCC Chairwoman Jessica Rosenworcel said in a statement. "But this increased interconnection brings more than just convenience; it brings increased security risk."

The FCC is seeking comment in multiple areas, including the scope of devices that should be included in the program (for example, Wi-Fi gateways), who should oversee and manage the program, how security standards might apply to different types of IoT products, how to demonstrate compliance with those standards, and how to protect against unauthorized use of the cybersecurity label.

The FCC is also proposing a public-private partnership to oversee the IoT labeling program and is exploring the use of accredited third-parties for security and compliance testing. For the purpose of the proposal, the FCC is referring to such parties as Cybersecurity Labeling Authorization Bodies, or CyberLABs.

Following the comment and reply period and an FCC vote in favor, the program could be up and running by late 2024, the Commission said.

Industry focus on IoT security

Device makers and service providers in the private sector have already launched products and technologies designed to keep IoT devices protected and to alert users on how to blunt a cybersecurity attack.

As one example, Comcast's XFi Advanced Security platform uses a blend of machine learning and artificial intelligence (AI) techniques to spot malware intrusions and hacked IoT devices, and directs customers how to resolve them. Comcast Technology Solutions recently launched DataBee, a cybersecurity offering focused on enterprise customers.

Colorado-based CableLabs has done work on Micronets, a framework for home IoT security that aims to re-architect the home network into smaller segments that can be managed individually and dynamically should a cybersecurity threat emerge.

Among other industry examples, the Consumer Technology Association has created an IoT working group that includes a focus on security.

Related posts:

— Jeff Baumgartner, Senior Editor, Light Reading

