Cyber Trust mark to tackle IoT/IIoT cybersecurity threats

31 July 2023

The new Cyber Trust mark is intended to mitigate IoT cybersecurity threats.

• IoT devices are extremely prone to cybersecurity threats.
• The FCC has announced a Cyber Trust mark to set standards for IoT cyber-resilience.
• Many leading players in the industry have already signed up.

Safety, efficiency, and process certification marks are nothing new – from the Energy Star on your washing machine or refrigerator to the USDA Organic mark on your family’s carrots, to the R rating on the movies you don’t show your kids, they’re an understood reality: marks that prove that X product has met Y standards before being sold to the public. But there is, now, a new kid on this old block, and it’s one that aims to tackle the cybersecurity threats that attack consumers in their homes and lives.

The Biden administration, through the auspices of the Federal Communications Commission (FCC), announced the launch of the “Cyber Trust” mark in July 2023, and it’s expected to come into force in 2024. Companies will be able to voluntarily sign up for the Cyber Trust mark and, assuming their products pass the tests – being resilient against cybersecurity threats – will be able to display the mark on those products to show not only that the products are resilient, but that the company “cares” about the cyber-resilience of the products it sells to its customers.

Certification marks have a habit of evolving into de facto “rules,” with the entire buying chain abandoning individual assessment of risks and ratings – if a product has the “mark” on it, it’s usually judged to be good enough, at the bare minimum, for use without worry.

In the case of the Cyber Trust mark, there’s an interesting add-on, compared to most previous certification marks, though. Because cybersecurity threats, and cybersecurity resilience, can change over time, evolving to attack devices that were previously safe, or overwhelming previous patches, the Cyber Trust mark will come in two parts.

Tackling cybersecurity threats on purchase and afterward.

Firstly, as with the Energy Star or the USDA Organic certification, there will be a mark stamped on products for which a certificate-issuing authority (in this case the FCC) is satisfied that, at the time of sale, the product met the necessary standards and achieved the required cyber-resilience to qualify for certification.

But because the IoT and IIoT market – and the nature of cybersecurity threats – is distinctly different from, for instance, the market for makers of Energy Star products, there will be a second part to the Cyber Trust mark. The second part will be a scannable QR code, which will allow users to check whether their product is still cyber-resilient at a later date, potentially prompting users to download the latest available security patches.

While the Cyber Trust mark itself will most likely come with a range of cybersecurity threat-resilience information for the particular product to which it’s attached, the QR code will allow buyers to access significantly more information, like what kind of data is collected by the device, where and how it’s stored, and even the manufacturer’s policy on sharing any collected data. That could allow a relative meritocracy of data practices to emerge in the IoT and IIoT markets over time.

Keeping your connected devices safe from cybersecurity threats.

In the first place, almost everything these days can be a connected device – from your toothbrush to your washing machine, your refrigerator to your meat thermometer, your smartphone to your medication monitor to your “share control” butt plug.

The connected home network is full of cybersecurity threats.

A home network can have a lot of vulnerability points.

Anything that’s a connected device on your domestic network can be a point of entry for would-be hackers, who can use that weak point in the system to move laterally and take control of other parts of the system, such as your data-rich laptop.

Such cybersecurity threats in a home network might take some time to die out as the Cyber Trust mark becomes a more significant part of day-to-day reality, but ultimately, having an industry standard on cybersecurity threats and resilience in smart devices can only be a positive development.

But if nothing else, having devices stamped with the Cyber Trust mark might well work to educate the wider public about the volume and nature of the cybersecurity threats to which they have been, and could be, vulnerable through the omnipresent world of connected devices in which they live.

Cybersecurity threats can come through the most anodyne devices.

The machines won’t rise up and kill us – but they may well be vulnerable to hacking by people who’d drain us dry.

The potential for expansion.

While in its current form, the Cyber Trust mark is intended to cover only domestic connected devices (with an already existing option to expand to cover fitness trackers, which commonly connect to multiple networks, rather than only the domestic one), the idea could at least theoretically be expanded over time to IIoT devices in commercial supply chains.

Every warehouse, every office building, every place of work in the developed world is guaranteed to be filled with IIoT devices, and just like the unsecured toothbrush in a domestic setting, any one of them could be a weak point in the security of a whole network.

The idea of whole supply chains, and whole industries, suddenly having the capacity to choose only Cyber Trust marked IIoT devices is likely to create a similar virtuous circle, as companies strive not only to protect their own systems, but to gain the ability to show other players in their supply chain that they take cybersecurity threats seriously.

Assuming the Cyber Trust mark proves effective in reducing the number and/or effectiveness of cybersecurity threats in the domestic world of connected devices, there’s no reason beyond the sheer logistical challenge of the move why a commercial version shouldn’t be rolled out eventually.

Some of the connected device industry’s biggest players have already voluntarily signed up to the Cyber Trust mark initiative, including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance.

Cybersecurity threats are tackled by a Cyber Trust mark.

It’s new, and it will probably work – but will it narrow the market?

In fact, that’s the single issue that makes the Cyber Trust mark potentially controversial. While it’s arguable that the imposition of a standard to combat cybersecurity threats in IoT devices can only make the industry and those who use its products safer and better, there’s also an argument to be made that such a mark will tend to concentrate the market into a relative monopoly, with only the more prolific players able to afford the testing, hardware and software upgrades to meet potential annual recertification requirements.

The sheer force of numbers of IoT and IIoT devices in the world (approximately 15.4 billion in 2023, just over twice the number of human beings) means the likelihood is that significant change due to the development of the Cyber Trust mark will be slow.

But as a move in a more conscious direction towards protecting individuals and households – and eventually, potentially, whole supply chains and industries – from cybersecurity threats, it probably has to be applauded, monopoly concerns or not.