Growing cybersecurity threats pose a real danger to networks of all types including IoT, with users concerned about protecting their hardware and valuable data from hackers. Several years of government and industry efforts have resulted in a new label for IoT consumer products validating that meet ad acceptable level of cybersecurity protection.
Speaking in an interview with Design News, Steve Hanna, Distinguished Engineer for Infineon and active in helping to develop the labeling certification, says the label can be thought of an Energy Star compliance for cybersecurity. Hanna is active in the CSA (Connectivity Standards Alliance), an industry group formerly know as the Zigbee Alliance that was active in helping to support the labeling concept. CSA member companies include major IoT players such as Amazon, Google, Apple, Huawei, LG Electronics USA, Logitech, NXP Semiconductors, Schlage, and Yale, and Comcast.
As detailed in a White Paper from Hanna, mounting concerns over IoT cybersecurity have prompted both industry and government to take action. In May 2021, the Executive Order on Improving the Nation’s Cybersecurity mandated several changes to improve cybersecurity, which included NIST (National Institute of Standards and Technology) developing NISTIR 8425, a set of IoT cybersecurity standards for consumer IoT devices. In addition, NIST would develop a recommended set of criteria for cybersecurity labeling of consumer IoT devices.
Following NIST
The result is a National Label for Cybersecurity that will reward products meeting the requirements of NISTIR 8425, by permitting them to display a U.S. government label and be listed in a U.S. government registry indicating that their cybersecurity has been tested and certified as compliant with U.S. government standards.
Hanna said that the label will be optional for U.S. products. But there are efforts abroad to make such a certification mandatory. For instance, in the EU, a revision to the Radio Equipment Directive (RED) will require all devices with a radio to comply with certain IoT cybersecurity requirements in order to be sold in that region. The effective date for these requirements is now set at 2024 or 2025.
According to Hanna, the compliance testing to obtain the government label will be done by independent testing organizations selected by the government. While Hanna said no one has been selected yet, it is possible that testing labs now used to certify product compliance will get involved.
Outside of achieving official compliance, semiconductor and electronic suppliers have been bolstering the cybersecurity protection in their parts to make them less susceptible to hacking. Besides encryption, manufacturers such as Infineon offer hardware security devices that make it easier to implement security in IoT devices.
Hanna also noted that because of constantly changing cybersecurity standards and an increase in threats, the label that products receive will have a QR code that users can scan to determine if the IoT cybersecurity compliance is still valid for a particular product.
Spencer Chin is a Senior Editor for Design News covering the electronics beat. He has many years of experience covering developments in components, semiconductors, subsystems, power, and other facets of electronics from both a business/supply-chain and technology perspective. He can be reached at [email protected]
