The rapid increase in Internet of Things (IoT) products has created a cybersecurity challenge for manufacturers and consumers. Manufacturers build products with semiconductor chips that allow devices to connect and communicate with internal and external network applications. These connected and smart devices can create an unintended weak link, allowing threat actors to breach your network security. Once threat actors are in, they can crawl your systems in search of higher-value targets like personal information and software administration accounts.
When considering cybersecurity, you may not think of traditionally nontech products like washing machines or light bulbs. But anything connected to the internet, including devices using Wi-Fi, Bluetooth, near-field communication, or cellular or next-generation networks, is a cyber risk.
In response to this growing risk, the Biden-Harris Administration has announced a cybersecurity certification and labeling program initiative, the U.S. Cyber Trust Mark. The Cyber Trust Mark helps consumers choose devices less vulnerable to cyberattacks.
Cyber Trust Mark program rollout
The Federal Communications Commission (FCC) will lead the voluntary program using cybersecurity criteria published by the National Institute of Standards and Technology (NIST). The mark is like other consumer labeling programs, such as Energy Star. (Energy Star indicates energy-efficient certified products.)
Manufacturers participating in the program may begin displaying the Cyber Trust Mark on their internet-connected products in 2024. Look for the Cyber Trust Mark shield logo on things like:
- Streaming devices
- Gaming consoles
- Smart plugs
- Home security systems
- Climate control systems
- Baby monitors
- Fitness trackers
- Water dispenser and filtration systems
- Beverage makers
- Coffee and tea makers
The Cyber Trust Mark is an ongoing initiative
The Cyber Trust Mark initiative will help consumers make informed choices and understand the security implications of their products. Until now, the onus of deciphering cybersecurity has been on consumers. Consumers often have to rely on marketing claims, as opposed to evidence and transparency.
The Cybersecurity and Infrastructure Security Agency (CISA) will be part of the ongoing standards initiative. According to CISA, “marketing teams often claim ‘military grade encryption’ when in reality, military grade encryption is no different from standard encryption, but how could a hospital system, a water treatment facility, or a school district know this?”
The 2023 White House statement said more security initiatives would accompany the Cyber Trust Mark labeling program:
- The FCC will create a national registry of certified devices for consumers to compare cybersecurity information.
- NIST will work on defining cybersecurity requirements for consumer-grade routers. These routers are high risk because hackers use them to eavesdrop, steal passwords, attack connected devices and infiltrate other networks. (Consumer-grade routers are inexpensive routers purchased at big box retailers.)
- The Department of Energy intends to research and develop cybersecurity labeling requirements for smart meters and power inverters (components that make up future-forward energy grids).
- The Department of State stated it would support the FCC in engaging allies and partners to harmonize cybersecurity standards internationally.
NIST also recommended a robust consumer education program on cybersecurity concepts and the meaning of the Cyber Trust Mark.
Securing your IoT devices
Beyond looking for products with the Cyber Trust Mark, you can take these steps to secure your devices:
Change passwords. Choose devices that have default passwords you can change. Avoid manufacturer passwords you can’t change; hackers know and exploit these passwords.
Create strong passwords. Use secure passwords to foil password-cracking software. Strong passwords include uppercase and lowercase letters, numbers and special characters. Avoid reusing the same passwords across your network.
Apply updates. Stay on top of software updates and patches. The semiconductor chips embedded in your IoT devices need updating to perform well and protect against criminal attacks.
Research your product manufacturer. Choose a manufacturer that takes cybersecurity seriously and applies updates often to combat evolving malware threats.
Disconnect or restart devices. Disconnect IoT devices like webcams when you’re not using them. Always-on devices can be vulnerable to malware stored in their memory. Periodically powering down always-on products (like thermostats) can reset the memory and may erase the stored malware during the power cycle.
Retire your insecure devices. If you know your device isn’t up to cybersecurity standards, replace it.
Segment and secure your network. Create multiple networks or subnets and assign your devices to different internal network addresses. Change your router passwords periodically. And hide some of your network segments so outsiders can’t find them. For example, section off your guest Wi-Fi account and make it discoverable, but conceal your main account.