New security standards for IoT devices are being released consistently, showing that security is no longer an afterthought in the design of embedded products. Last month, the White House launched the Cyber Trust Mark; a large move towards the security of IoT devices with a more robust concept of the “living label,” acknowledging the dynamic nature of security over time. The standard essentially requires prerequisite devices to be outfitted with a QR code that can be scanned for security information such as whether or not the device will have automatic software support such as security patches. Vendors of IoT products are now meant to partner up with an “accredited and FCC-recognized CyberLAB to ensure it meets the program’s cybersecurity requirements,” according to the FCC.
In a conversation with Silicon Labs’ Chief Security Officer Sharon Hagi, EDN learned a bit more about this new standard, its history, and the potential future security application of this new QR code labelling scheme.
IoT mania
In the IoT “boom” of the early 2000s that lasted well into the 2010s, companies were anxious to wirelessly-enable practically all devices, and when paired with the right MCU of choice, the applications seemed endless. Use cases from home automation and smart city to agritech and industrial automation were all explored, with supporting industry-specific or open protocols that could vary in spectrum (licensed or unlicensed), modulation technique, topology, transmit power, maximum payload size, broadcast schedule, number of devices, etc. With the growing hype and litany of hardware/protocol options, network security was still mostly discussed at the sidelines, leaving some pretty major holes for bad actors to exploit.
Cybersecurity history
With time and experience, it has become abundantly clear that IoT security is, in fact, pretty important. Undesirable outcomes like a Mirai botnet could lead to multiple IoT devices to be infected with malware at once allowing for larger-scale attacks such as distributed denial of service (DDoS). Moreover, a massive common vulnerability and exposure (CVE) found that lands a high score on the common vulnerability scoring system (CVSS) can potentially involve the US government’s cybersecurity and infrastructure security agency (CISA) and, if it’s not resolved, lead to fines. This is just adding insult to the reputational injury a company might experience with an exploited security issue. Sharon Hagi expands on IoT-device vulnerabilities, “these devices are in the field, so they’re subjected to different kinds of attack. There’s software-based attacks, remote attacks over the network, and physical attacks like side-channel attacks, glitching, and fault injection,” speaking towards how Silicon Labs included countermeasures for many of these attacks. The company’s initial developments in the area of security, namely centered around its “Secure Vault” technology with a dedicated security core with cryptographic functionality encapsulated within it. The core manages the root of trust (RoT) of the device, manages keys, and governs access to critical interfaces such as the ability to lock/unlock the debug port.
Hagi went on to describe the background of the US cybersecurity standards that lead to the more recent regulatory frameworks, citing the NIST 8259 specification as the foundational set of cybersecurity requirements for manufacturers to be aware of (Figure 1). Another baseline standard is the ETSI european standard (EN) 303 645 for consumer IoT devices.
Figure 1 NIST 8259A and 8259B technical capabilities and non-technical support activities for manufacturers to consider in their products. Source: NIST
Hagi expanded more on the history of the Cyber Trust Mark, “The history of the Cyber Trust Mark kind of followed right after [the establishment of NIST 8259] in 2021 during the Biden administration with Executive Order 14028,” which had to do with security measures for critical software, “and that executive order basically directed NIST to work with other federal agencies to further develop the requirements and standards around IoT cybersecurity.” He mentioned how this order specified the need for a labeling program to help consumers identify and judge the security of embedded products (Figure 2).
Figure 2 NIST labeling considerations for IoT device manufacturers where NIST recommends a binary label that is coupled with a layered approach using either a QR code or a URL that leads consumers to additional details online. Source: NIST
“After this executive order, the FCC took the lead and started implementing what we now know as the Cyber Trust Mark program,” said Hagi, mentioning that Underwriter Laboratories (UL) was the de facto certification and testing lab for compliance with the US Cyber Trust Mark program as well as the requirements of the connectivity security alliance (CSA) with its product security working group (PSWG).
Evolving security standards
In fact, the PSWG consists of over 200 companies with promoters that include tech giants like Google, Amazon, and Apple as well as OEMs such as Infineon, NXP Semiconductors, TI, STMicroelectronics, Nordic Semiconductor and Silicon Labs. The aim of the PSWG is to unite the disparate emerging regional security requirements including but not limited to the US Cyber Trust Mark, the Cyber Resilience Act (CRA) in the EU with the “CE marking”, and the Singapore Cybersecurity Label Scheme (CLS).
Many of the companies within the PSWG have formulated their own security measures within their chips, NXP, for instance, has their EdgeLock Assurance program, and ST has their STM32Trust security framework. TI has an allocated product security incident response team (PSIRT) that responds to reports of security vulnerabilities for TI products while Infineon created a Cyber Defense Center (CDC) with a corresponding Computer Security Incident Response Teams (CSIRT/CERT) and PSIRT team for the same purpose. Hagi stated that Silicon Labs set itself apart by implementing security “down to the silicon level” in product design early on in the IoT development game.
These wireless SoCs and MCUs are the keystone of the IoT system, providing the intelligent compute, connectivity, and security of the product. Using more secure SoCs will inevitably ease the process of meeting the ever-changing security compliance standards. Engineers can choose to enable features such as secure boot, secure firmware updates, digitally signed updates with strong cryptographic keys, and anti-tampering, to ultimately enhance the security of their end product.
Living label use cases
Perhaps the most interesting aspect of the interview were the potential applications of these labeling schemes and how to make them more user-friendly. “The labeling scheme could be compared to a food label,” said Hagi, “You go to the supermarket, take the product off the shelf and it shows you the ingredients and nutritional value and make a decision on whether or not this is something you want to buy.” In the future, a more objectively secure product could be a more pricey option to the more basic alternative, however it would be up to the consumer to decide. While this analogy served its purpose, its similarities ended there. While the label contains all “ingredients” of security built into the product, the Cyber Trust Mark is not meant to be static, since vulnerabilities can still be discovered well after the product is manufactured.
“You might be able to see the software bill of materials (SBOM) where maybe there is a certain open source library that the product is using and there is a vulnerability that has been reported against it. And maybe, when you get home, you need to update the product with new software to make sure that the vulnerability is patched,” said Hagi as he discussed potential use cases for the label.
The hardware BOM (HBOM) may also be very relevant in terms of security, bringing into light the entire supply chain that is involved in assembling the end product. The overall goal of the label is to incentivize companies to foster trust and accountability with transparency on both the SBOM and HBOM.
Hagi continues to go down the checklist of security measures the label might include, “What is the original and development history of the product’s security measures? Can it perform authentication? If so, what kind of authentication? What kind of cryptography does it have? Is this cryptography certified? Does the manufacturer include any guarantees? At what point will the manufacturer stop issuing security updates for the product? Does the product contain measures that would comply with people in specific jurisdictions?” These regional regulations on security do vary between, for instance, the EU’s General Data Protection Regulation (GDPR) and of course, the US Cyber Trust Mark.
ML brings on another dimension of security considerations to these devices, “The questions would then be what sort of data does the model collect? How secure are these ML models in the device? Are they locked? Are they unlocked? Can they be modified? Can they be tampered with?” The many attributes of the models bring other levels of security considerations with them and avenues of attack.
The future of the labeling scheme
Ultimately putting this amount of information on a box is impossible, even more pertinent is how users are meant to interpret the sheer amount of information. Consumers were more than likely to not really understand all the information on a robust security label, even if it was human-readable. “Another angle is providing some sort of API so that an automated system can actually interrogate this stuff,” said Hagi.
He mentioned one example of securely connecting devices from different ecosystems, “Imagine an Amazon device connecting to an Apple device, with this API, security information is fetched automatically letting users know if it is a good idea to connect the device to the ecosystem.”
As it stands, the labelling scheme is meant to protect the consumer in more of an abstract sense, however it might be difficult for the consumer to accurately understand the security measures put into the product. In order to make full use of a system like this, “it is likely that a bit of automation is necessary for consumers to make appropriate decisions just in time.” This could eventually enable consumers to make informed decisions on product purchasing, replacement, upgrades, connection to a network, and the security risks when throwing out an item that could contain private information in its memory.
Aalyia Shaukat, associate editor at EDN, has worked in design publishing industry for six years. She holds a Bachelor’s degree in electrical engineering from Rochester Institute of Technology, and has published works in major EE journals as well as trade publications.
Related Content
- Navigating IoT security in a connected world
- Understand the hardware dependencies of IoT security
- 6 core capabilities an IoT device needs for basic cybersecurity
- 7 steps to security for the Internet of Things
googletag.cmd.push(function() { googletag.display(‘div-gpt-ad-native’); });
–>
The post The future of cybersecurity and the “living label” appeared first on EDN.
