IOTE Expo China

IOTE 2025 | The 23rd International Internet of Things Exhibition-Shanghai

2025.04.22-24
Shanghai World Expo Exhibition and Convention Center

Industry trend|US IoT security label officially takes effect!

2024-10-11

On September 9, the U.S. IoT Security Labeling Program officially came into effect.

The program aims to improve the privacy and security of consumer IoT devices, raise consumer confidence in their security, and give consumers more transparent product security information. Earlier, on March 15, 2024, the FCC issued the "IoT Cybersecurity Labeling Report and Order" (the Order), which established the framework of the consumer IoT labeling program.

[Image: U.S. Cyber Trust Mark label. Image source: FCC]

 

According to public disclosure, the main features of the program include:

  • Wireless consumer IoT products that meet the program's cybersecurity standards will display labels including the "U.S. Cyber Trust Mark" to help consumers make informed purchasing decisions, distinguish trustworthy products on the market, and incentivize manufacturers to meet higher cybersecurity standards.

  • The label will be accompanied by a QR code that consumers can scan to get easy-to-understand details about the product's security, such as how long the product is supported and whether software patches and security updates are automatic.

[Image: label with QR code. Image source: FCC]

 

  • The voluntary program will rely on a public-private partnership, with the FCC providing oversight and approved third-party label stewards managing activities such as evaluating product applications, authorizing the use of labels, and consumer education.

  • Compliance testing will be handled by accredited laboratories.

  • Examples of eligible products may include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.

The establishment of the U.S. IoT security label and the official launch of the U.S. Cyber Trust Mark are expected to significantly increase the transparency and security of IoT devices. As these rules take effect, all interested parties must become familiar with the new requirements and ensure compliance. The FCC's commitment to cybersecurity through this program marks a key step toward protecting IoT devices from growing cyber threats.

 

What is the impact of the implementation of the US IoT security labeling program?

 

Industry observers note that the US IoT security labeling program focuses on wireless, Internet-connected consumer IoT products, covering not only the IoT devices themselves but also the other components required to connect them, such as network/gateway hardware, application software and backend services. It is worth noting that the FCC may expand the types and scope of covered IoT products in the future.

 

In addition, the FCC has proposed a "National Security Declaration" rule for the IoT labeling program, which sets special requirements for devices with national security implications. If the hardware, software or data in a device is related to certain high-risk countries (such as China, Cuba, Iran, North Korea, Russia and Venezuela), the manufacturer must disclose this and ensure that its products contain no hidden vulnerabilities originating from these countries, that data collected by the product is not stored in these countries, and that the product is not remotely controlled by servers located in these countries.

 

The introduction of this rule may affect overseas companies, especially those that export equipment to the United States. Manufacturers will need to pay more attention to the cybersecurity design of their products and build the program's requirements into product security design in advance, for example by following the relevant NIST standards closely.

 

Consumers will also pay more attention to the security of products when making purchasing decisions. As IoT devices become more prevalent and cyber threats increase, the program is seen as an important milestone in strengthening consumer privacy protections and improving device security.

 

Leading manufacturers have expressed support

 

Although the White House and the FCC have made it clear that manufacturers and retailers may join the US cybersecurity labeling program voluntarily, leading manufacturers in the home IoT sector announced their support at the same time the program was released.

 

According to a White House press release, the organizations participating on the day of the announcement included Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco, CSA, Consumer Reports, Consumer Technology Association, Google, Infineon, Information Technology Industry Council, IoXT, Keysight Technologies, LG Electronics USA, Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL, Yale University and August U.S. Together they cover every link of the consumer IoT industry chain, including manufacturers, retail platforms, testing and certification bodies, industry alliances and universities, and are expected to push the program toward a "quasi-mandatory" requirement that is widely accepted by the market.

 

Internationally, the US government will support the FCC in coordinating standards with allies and partners and seeking mutual recognition of similar labeling efforts. For example, the United States has proposed cooperation with the European Union to align standards and has begun engaging with Singapore's cybersecurity labeling scheme.

 

In January 2024, Anne Neuberger, the U.S. Deputy National Security Advisor for Cybersecurity and Emerging Technologies, announced that the United States had signed a cooperation agreement with the European Union on a "Joint Roadmap for Consumer Labeling Programs" to promote international mutual recognition of consumer IoT device security labeling programs, opening up the application and recognition of IoT security labeling programs on a larger scale around the world.

 

Cybersecurity labeling programs in other countries

 

According to Statista, by 2030, there will be more than 29 billion IoT devices in operation worldwide, which has attracted the attention of governments around the world to the security of smart devices. In addition to the United States, the European Union, the United Kingdom, Singapore, Germany and other places have introduced cybersecurity labeling programs for IoT products.

 

European Union

The European Union Cyber Resilience Act (CRA) applies to all digital products that are directly or indirectly connected to another device or network, including hardware, devices, software, applications, etc. The key requirements of CRA include:

  • Manufacturers must ensure that their products meet cybersecurity requirements throughout their life cycle from design to obsolescence.

  • Products must be able to receive security updates and effectively handle vulnerabilities for up to 5 years or the product life cycle (whichever is shorter).

  • Manufacturers need to provide clear product information and instructions to ensure that users can safely install, operate and use the product.

  • Manufacturers are obliged to report to the European Union Cybersecurity Agency (ENISA) within 24 hours of discovering actively exploited vulnerabilities in their products or any incidents that affect product security.

The CRA also classifies products by risk level: important and critical products will be placed on separate lists, which will be proposed and updated by the European Commission. These lists determine which products require more stringent conformity assessment procedures.

The penalties for violating the CRA regulations can be very severe, including high fines. For example, violations of cybersecurity requirements and manufacturer obligations may be subject to fines of up to €15 million or 2.5% of global annual turnover in the previous fiscal year, whichever is higher.

The CRA is expected to take effect in the second half of 2024, and manufacturers placing products on the EU market will need to ensure that those products comply with the regulation by 2027.

In addition, the EU's "Common Criteria-based Cybersecurity Certification Scheme", launched in February this year, marks that cybersecurity capability has become a key product strength and a "market pass" for all digital products in the EU.

 

United Kingdom

The UK's "Product Security and Telecommunications Infrastructure Act" (PSTI) received royal assent in December 2022 and comes into effect on April 29, 2024. Key requirements include:

  • The use of common default passwords is prohibited.

  • Manufacturers are required to set up a public contact point for consumers to report security vulnerabilities.

  • Manufacturers must clearly state to consumers the minimum time frame for security updates.

Companies that violate the provisions of the PSTI Act may face significant penalties, including fines of up to £10 million or 4% of their global turnover, and additional fines of £20,000 per day for continued violations.

The Act applies to all manufacturers, importers and distributors that supply IoT products to UK consumers, requiring them to ensure that their products meet the new cybersecurity standards. Covered products include smart home devices and voice assistants, smartphones, webcams, wearables, IoT base stations and hubs, home automation devices, smart doorbells and alarm systems, etc.

 

Singapore

The IoT security labeling scheme launched in Singapore is called the "Cybersecurity Labelling Scheme (CLS)". It was initiated by the Cyber Security Agency of Singapore (CSA) and is the first cybersecurity standard scheme for smart home devices in the Asia-Pacific region.

The scheme includes four different security levels, distinguished by the number of stars:

  • Tier 1 – Basic security requirements, which developers can demonstrate through a declaration of conformity.

  • Tier 2 – In addition to the requirements of Tier 1, it also includes security requirements for the product lifecycle, which can also be demonstrated through the developer's Declaration of Conformity.

  • Tier 3 – In addition to meeting the requirements of Tier 1 and Tier 2, the developer must perform a software binary analysis of the product by a CLS-approved third-party laboratory (such as UL) to check for known vulnerabilities and common software weaknesses.

  • Tier 4 – To achieve the highest level, the product must undergo a thorough security assessment by a CLS-approved third-party laboratory, which will verify that the product complies with the requirements of ETSI EN 303 645 and conduct additional (mandatory) penetration testing activities.

[Image: CLS label tiers. Image source: CSA]

 

The validity of the CLS label is tied to the device's security update support period and can be up to 3 years. The scheme initially covered Wi-Fi routers and smart home hubs, because these products are widely used and their security issues have a greater impact on users.

In addition, Singapore has signed memoranda of understanding (MoUs) with Finland and Germany to mutually recognize the cybersecurity labels issued by each country. This means that consumer IoT products that meet the cybersecurity label requirements of Finland or Germany are also considered to meet the corresponding tier requirements of Singapore's CLS.

 

Finland

Finland’s IoT cybersecurity labeling program is called “Cybersecurity Label” and is a voluntary labeling program initiated by the National Cybersecurity Center Finland (NCSC-FI) under the Finnish Transport and Communications Agency (Traficom).

The Cybersecurity Label is mainly aimed at consumer smart devices, such as smart TVs, smart bracelets and home routers. The label is awarded to connected smart devices or services that meet the information security requirements set by Traficom, including secure access control, default settings, transmission and storage of personal data, and secure ecosystem interfaces.

The Cybersecurity Label is based on the European Telecommunications Standards Institute (ETSI) EN 303 645 standard, which defines baseline information security requirements for consumer IoT devices.

 

Germany

Germany’s IoT cybersecurity labeling program is called “IT-Security Label” and is implemented by the German Federal Office for Information Security (BSI). It is also based on the ETSI EN 303 645 standard, a European standard for information security requirements for consumer IoT devices.

The labeling program relies on self-declaration by product suppliers and does not involve third-party certification, which may raise concerns about the authenticity of the declared security information. However, after a product is launched, the German market surveillance authority checks the security features declared by the IoT product's manufacturer to ensure that the information on the label matches the actual product. If discrepancies are found, the label is revoked and the brand and product image suffer, which largely deters manufacturer fraud.

 

China IoT Security Label Action Plan Officially Released

On April 18-19, 2024, the 2024 Spark Ecological Conference hosted by the China Academy of Information and Communications Technology was successfully held in Xiamen. At the meeting, the "China IoT Security Label Action Plan" was officially released.

The IoT Security Label Action Plan is a set of actions proposed to address the cybersecurity attack pain points faced by consumer-grade IoT devices in China. It assigns unique security labels to devices that meet specified cybersecurity certification standards, thereby ensuring that IoT devices are secure when they connect to the network.

The action plan includes proposing a new IoT security label system architecture, establishing a security label management mechanism, building a security label laboratory, developing a security label public service platform, developing a series of security label-related standards, and creating a batch of IoT security label application demonstrations, which together form a complete IoT security label certification system.

As the world's largest exporter of consumer electronics products, China's launch of the IoT security label program will be of great significance for protecting China's IoT product export trade, cross-border data security, and national cybersecurity.

 


This paper is from Ulink Media, Shenzhen, China, the organizer of IOTE EXPO (IoT Expo in China)