President Biden’s comprehensive cybersecurity executive order issued last May directs the National Institute of Standards and Technology (NIST) to create labeling pilot programs to educate the public about the security of the Internet of Things (IoT) devices and software products they buy. The order requires NIST to produce, by February 6, 2022, IoT cybersecurity criteria for a consumer labeling program and, separately, to identify secure software development practices or criteria for a consumer software labeling program.
For these purposes, NIST organized a workshop in September and solicited comments from stakeholders and experts. Based on the contributions received through these efforts, and after releasing preliminary documents outlining various approaches, NIST released a draft “Baseline criteria for cybersecurity labeling of consumer software” on November 1 and a draft discussion paper on “Consumer Cybersecurity Labeling for IoT Products” on December 3.
Once NIST produces both the IoT and software criteria in February, it will begin a labeling pilot phase. This phase will involve NIST engaging with organizations that currently offer labeling options to consumers. NIST says it may also decide to establish additional proof-of-concept measures based on the criteria it publishes.
No one size fits all for software security labels
There are many challenges in creating labels for inherently complex software products. As the most recent NIST software labeling report states, “There is no single definition of cybersecurity that can be applied to all types of consumer software,” because the risks associated with any piece of software are intrinsically linked to the software’s purpose and use. The cybersecurity considerations appropriate for a mobile game will differ from those applied, for example, to an online banking application or to software managing a multimedia station in a car.
NIST emphasizes that it is not trying to design software cybersecurity labels on its own, but rather to define a set of “desired outcomes” that enable the market (software manufacturers, third-party labeling vendors and consumers) to make informed choices. Nonetheless, NIST has developed interim technical criteria for security labels covering what software manufacturers should attest to and what information vendors should make available to consumers.
These draft attestations, which are discussed in detail in the latest NIST draft document, are:
- Descriptive attestations, which identify who is making the claims on the label, what the label applies to, when the attestations were made and how a consumer can obtain the additional supporting information the label requires
- Secure software development attestations, which primarily contain information about the recommended secure software development practices that were used
- Critical cybersecurity attributes and capability attestations, which describe the characteristics exhibited by the software as a result of implementing a secure software development process
- Data inventory and protection attestations, which highlight how data is stored, processed or transmitted by the software
On December 9, NIST organized a second workshop to discuss the status of its IoT and software labeling efforts. Speaking at the workshop, NIST IT specialist Michael Ogata said, “All technical criteria certifications must be met to display the label on software. However, it does not deal with how the attestations should be represented on the label. You can think of it in terms of, if a label evolves into something that is a seal of approval, then that would spawn all the technical criteria but maybe not display them.”
One problem with the plan is that these labels are voluntary, with no government requirements or recommended verification that software vendors can back up their attestations. “NIST isn’t really about to do that right now,” Ogata said.
IoT labels could be binary
Like its approach with software labels, NIST will identify the critical elements of an IoT labeling program in terms of minimum requirements and desirable attributes rather than setting up its own program. NIST plans to specify the desired outcomes that allow vendors and customers to choose the best solutions for their devices and environments.
The challenge for any IoT labeling program is that, as NIST notes in its paper, “consumers typically don’t have the expertise to distinguish between different technical or conformity assessment requirements.” For this reason, NIST tentatively suggests that IoT labels be “binary,” a “seal of approval” label indicating that a product has met a baseline standard.
The broad interim general guidelines that NIST has developed for IoT labeling criteria include:
- Product identification, which is probably necessary but can be omitted for some IoT product components if, among other things, the product component identities are not generated, managed or used by the IoT product
- Product setup, which may not be necessary if the customer’s configuration of the IoT product features does not provide any cybersecurity benefit
- Data protection, which will probably be needed on all components
- Access controls to interfaces, which will always be needed on all components
- Software update, which will likely be needed for most IoT product components in one form or another
- Awareness of the state of cybersecurity, which will be needed for all IoT products and should cover all components of the IoT product as vulnerabilities and threats can arise from any component
- Documentation, which will always be needed, but specific information may not be meaningful for all IoT products
- Receipt of information and requests, which will always be necessary given the nature of the consumer market and the need for proactive cybersecurity support from IoT product developers
- Dissemination of information, which will always be necessary given the nature of the consumer market and the need for proactive cybersecurity support from IoT product developers
- Education and awareness, which will always be needed, but specific information may not be meaningful for all IoT products
NIST is looking to establish detailed standards on the technical criteria behind IoT labels, but “keep in mind that this whole process is under construction,” said Paul Watrobski, NIST information technology specialist, during the December 9 workshop. “We expect discussions as we develop criteria based on standards, and they can be changed when it becomes clear that certain criteria are important.”
The voluntary nature of labels allows sellers to invent their own schemes
As with the software labeling initiative, the IoT labeling program is voluntary and is not supported by government requirements. As NIST envisions the outcome of its work, it is up to third-party labeling providers to adapt the basic product criteria, define conformity assessment requirements, and develop the associated label for the information.
“As it stands, if things remain voluntary, there is no legal or financial repercussion on the supplier if they do a bad job,” Dr. Andrei Costin, CEO and co-founder of IoT firmware security company Binare.io, tells CSO.
Any third-party label “then becomes a marketing label. It gives suppliers the freedom to invent their own labeling system which they can use for marketing. But it also creates confusion for the consumer because if it is not an apples to apples comparison [to competing label providers], that doesn’t mean anything to the consumer. A consumer will always make an uninformed decision,” explains Costin.
“If everything is voluntary and they can choose their own labeling, they will essentially be free to put whatever makes their product more attractive from a marketing point of view [on their label], but in essence it won’t be any safer,” explains Costin. “These things certainly need political or political support, whether it’s a law or a regulation from regulatory bodies. Otherwise, it will just be another piece of standardization, which is really good but doesn’t serve the purpose.”
However, after NIST meets its February deadline on the labeling initiatives, it must launch pilot programs to assess these and other potential problems. Under Biden’s executive order, NIST is to submit a report by May 12, 2022 to the Assistant to the President for National Security Affairs (APNSA) containing a review of the pilot programs. As part of this review, NIST is obligated to consult with the private sector and relevant agencies to assess the effectiveness of the programs and determine what improvements can be made in the future.