IoT: How labelling is preceding legislation

Self-regulation hasn’t been as widely adopted in the Internet of Things (IoT) sector as many may have hoped.

The Secure by Design Framework, unveiled some four years ago, laid the foundations and helped inform ETSI’s EN 303 645, published in 2020 as the first globally applicable industry standard for internet-connected consumer devices. But with uptake lacklustre, the UK government was forced to take action, drafting the Product Security and Telecommunications Infrastructure (PSTI) Bill, expected to come into force next year.

The problem is that mandatory regulation won’t necessarily achieve the desired result straight away. Many of those who took part in the consultation for the PSTI think it will take them up to two years to become fully compliant, and a report by the Internet of Things Security Foundation found 79 percent of firms expect to fail to meet the regulations. Clearly, some mechanism was needed that would encourage vendors to get on board prior to the formal regulations.

Assurance as the answer

The concept of product assurance through labelling is one means of achieving this. Earning a security label for your IoT product not only helps pave the way for compliance but can also help differentiate you in a crowded marketplace. It allows consumers to gauge how secure the device is and how it compares to similar devices.

It’s an attractive proposition, which is why it’s gained traction both here and over the pond. In October, the White House announced it had entered into a dialogue with some of the world’s top tech manufacturers on how to implement a cybersecurity labelling program. This will build on the work undertaken by NIST, which published its Criteria for Cybersecurity Labeling for Consumer IoT in February following President Biden’s Executive Order on ‘Improving the Nation’s Cybersecurity’. It has yet to be determined who will be responsible for overseeing its implementation or how it will be validated, but the intention is to roll out the labelling scheme in Spring 2023.

Here in the UK, we’re already way ahead of them. The Department for Culture, Media and Sport (DCMS) put out a tender for an assurance scheme a couple of years back, leading to the IASME industry group launching its IoT Security Assured Scheme last year. This features three levels that are mapped to EN 303 645, the PSTI, and the IoTSF Security Compliance Framework.

The Basic level covers all of the security controls mandated by the PSTI, namely the ban on default passwords, the requirement to have a vulnerability disclosure policy, and disclosure of the length of time for which a product will receive security updates. Meeting the Basic level would therefore ensure future compliance. In contrast, the Silver level mirrors the ETSI mandatory requirements and data protection provisions, while Gold extends these still further.

Vendors looking to label their products have to self-assess by answering questions in eight different areas: the organisation, the device or service, passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications, and usage of data. Together these cover the 13 cyber security provisions for consumer IoT. A board member must attest that the answers are correct before the submission is made via the IASME portal, at which point the application is reviewed by an independently appointed assessor. Turnaround time at this stage can be as little as 24 hours if the criteria have been adequately met.

Going for gold

The cynical among us might expect vendors to plump for the Basic level of assurance because it requires the least amount of legwork and ensures compliance with the PSTI requirements. However, that’s not what’s happening. All of the applications that we’ve seen have been for the highest specification, i.e. Gold. This suggests that the market is now being driven by a desire to achieve the highest accolade rather than merely to meet the mandatory requirements on the horizon.

The low cost of entry and easy access associated with the IASME scheme are also proving to be a big draw for smaller vendors, many of whom struggled to interpret and apply the Code of Practice and ETSI guidelines. They’ve been able to draw on the expertise of the assessors to help them understand and fulfil the criteria of their chosen level.

So, all in all, labelling schemes seem to be an effective way to boost the adoption of security controls. We don’t yet know how the PSTI will be enforced and by what body – a DCMS hearing on Connected Tech: Friend or Foe? held on 11 October saw the call for a formal regulator to be put in place – but we do know that the Bill doesn’t mandate product assurance. Quite simply, it doesn’t need to. Assurance is proving to be a sufficient incentive for vendors to go above and beyond the bare minimum requirements.

Harmonisation and conformity

How the NIST program will differ from that devised by IASME remains to be seen. NIST has mooted a baseline covering asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination, and product education and awareness. It has also made some interesting suggestions, including the use of a scannable or accessible link or QR code on the label that would lead to more in-depth detail.

It’s also not yet known whether we will see harmonisation among the different assurance schemes and conformity testing. The White House has indicated it foresees its national program becoming a “globally recognised label”. It’s certainly highly likely that the schemes will share some of the same criteria, and vendors won’t want to reinvent the wheel when it comes to labelling their device for different markets.

Such developments have boosted IoT security awareness, but they’ve also revealed that having third parties who can advise on and assess device security is key. The same DCMS hearing saw calls for any appointed regulatory body to introduce independent validation of compliance with the PSTI, so we could well expect such a move ahead of the legislation. In the meantime, adopting the IASME scheme will certainly stand vendors in good stead.

About the Author

David Adams is Security Consultant at Prism Infosec. Prism Infosec is a CREST-approved member and Payment Card Industry Qualified Security Assessor Company based in Cheltenham and Liverpool, UK and was founded in 2006. The Company has delivered information security consultancy and assessment services to some of the world’s largest organisations. Prism Infosec is an independent firm, so our clients can be assured that our advice is truly pragmatic and not designed to up-sell other security products and services.