Consumer Cybersecurity Labeling for IoT Devices: A Q&A with NIST’s Katerina Megas
The connection of devices, including household devices, to the internet has created a raft of new potential entryways for hackers to invade your home networks and cause chaos and destruction. The proliferation of these devices has prompted calls for the creation of consumer labels to let would-be buyers know about their cybersecurity capabilities. Mark Esser of Taking Measure interviewed National Institute of Standards and Technology (NIST) Cybersecurity for Internet of Things (IoT) program manager Katerina Megas to learn more about this new labeling initiative.
In your own words, how would you define the Internet of Things?
The Internet of Things (IoT) is the convergence of internet connectivity with those “things” that used to be disconnected from the internet. These things, such as vacuum cleaners or robotic arms, have both a physical component and the ability to affect the physical world or collect information from it. While these devices used to work as standalone “things,” there are all kinds of benefits now to connecting them to the internet, such as being able to download a newly discovered recipe to your oven that presets it so you don’t have to worry about setting the timer, temperature or mode of the oven.
Why are IoT devices and software vulnerable to cyberattack? What are some of the consequences if they were to be compromised?
While connecting a household device to the internet can bring about great efficiencies and new innovations, it also makes that device susceptible to the same cyberattacks as your home computer. While laptops and servers have been dealing with these vulnerabilities for a while, these devices are new to this market and the industry is still figuring it out.
IoT devices have a number of aspects that make them vulnerable, over and above the fact that we’ve learned through experience that essentially all computers are vulnerable. First, IoT devices are often very constrained in terms of processing capacity, memory, power and other characteristics, limiting their ability to include security features such as anti-malware protection, which we’d expect to find on a more powerful device. They often have limited user interfaces (or none at all), so that their ability to raise an alarm if a security problem is detected is quite constrained. Their developers are often focused on the “smart” function of the device without significant considerations for its cybersecurity. Also, many IoT devices have been sold and deployed without any form of software update mechanism, so any flaws that exist in their initial design will persist throughout their lifetime.
If not secured, these devices could be used as a launchpad for attackers to get access to other things on your home network like your PC. Attackers could use your devices as part of some criminal activity such as a distributed denial-of-service attack that could bring down an online service like an electronic health record system. Someone could hold your devices hostage and try to extract a ransom from you; if this is your front-door lock, then you might have a problem getting into your home. There are countless ways that an attacker could use these devices for malicious purposes.
What does the May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) direct NIST to do with regards to consumer labeling of IoT devices? How will this effort roll out?
Among other things, the executive order directs NIST to initiate two product-labeling programs on cybersecurity capabilities of IoT consumer devices and software development practices. We have organized our thinking about the scheme around three parts:
- What should the manufacturer do to support cybersecurity of their product?
- How do we know that they’re meeting those criteria?
- How do we communicate to the customer they’ve been met?
We released a draft white paper focused on the first of the three and recently received public comments. We also listened to input we received at a September public workshop. We will be releasing similar papers focusing on the latter two as well. We are aiming to be able to publish criteria by February and identify where there might be programs that can support those criteria: either programs that already exist and support those criteria, or programs that support a large portion of those criteria and could incorporate those that they don’t.
What benefits will consumers see with this new labeling initiative?
The goal is to provide consumers a basis for comparison regarding the security of functionally similar products when they’re in the process of making a purchase decision. As things stand today, it’s extraordinarily difficult to find even basic information about the security capabilities of an IoT product when you’re standing in the store ready to bring one home. We aim to raise consumer awareness and provide information helpful to all consumers regarding the security of these products.
What are some of the challenges and practical considerations to consumer software labeling?
A major challenge is the complexity and dynamic nature of cybersecurity. Other labeling schemes, such as Energy Star, provide information about product characteristics that are comparatively easy to measure and generally don’t change over the life of the product. Cybersecurity is both much more complex and also inherently dynamic, as flaws can be discovered at any time after a product is brought to market and in use. So, the labeling approach has to provide information about the security of the product at the time it was evaluated AND have some means for the consumer to discover updates to that information if vulnerabilities are discovered in the future. And at the same time, if the manufacturer is responsibly fixing vulnerabilities, then we don’t want the fact that one was found and fixed to invalidate the label.
Do you use IoT devices in your own home? If so, what do you do to ensure they’re safe and secure?
I have lots of connected devices in my home. I am fortunate that I probably am not the average consumer and have the knowledge to apply some mitigation approaches, such as creating an isolated network for my vulnerable IoT devices. That being said, that is not a foolproof approach, so I still consider my risk appetite and the potential impact when installing new devices. I consider, if my device were to be compromised, what would I be giving a hacker access to, and does it exceed my tolerance for risk? That is, at least until I have an easy way, because I don’t have the time for complicated or hard-to-access information, to understand what has been done to reduce the likelihood of my device being compromised. This is something IoT consumer labeling will help to solve.
What most excites you about the field of IoT research/devices?
I’ve given various answers to this question over the past few years depending on what might be on the horizon with respect to even more innovative ways of incorporating connecting technologies into our everyday lives. However, recently I was participating in a meeting with some of the principal investigators from SPLICE. SPLICE involves 10 faculty investigators from various universities; I happen to sit on their advisory council. I was very excited to hear one of the investigators talk about the focus of her research: With all the benefits that IoT can bring to people, such as giving them more access to healthcare at home and allowing them to age in place, how can we ensure that these devices are being engineered to work for all individuals and not just those that present the largest target market? It would be a terrible thing if there were parts of the market that miss out on these new technologies because they don’t seem lucrative due to financial or other considerations.
How did you get into cybersecurity and/or IoT as a career field?
I was fortunate enough to sort of fall into cybersecurity as a field and am very grateful that I did. In my case, one thing just led to another. I started out my career in marketing. When my company decided to undergo a major integration of their business units as part of an enterprise resource planning (ERP) implementation, the company’s owner asked me to lead the project, and I began working with the IT consultants responsible for the implementation. After that, my career followed an IT path. From there I’ve worked as project manager of IT projects ranging from telecommunications solutions to identity solutions, and worked with organizations as they undergo their Capability Maturity Model Integration (CMMI) certifications. Identity solutions are an interesting mix of both business enabler and cybersecurity solution when done right.
I heard a quote from someone a few days ago that “cybersecurity is not everything, but without cybersecurity everything is nothing.” OK, that might be a bit of an exaggeration, but it really highlights the importance of the work, whether it be advancing consumer protections from cybersecurity threats through to national security.
This post originally appeared on Taking Measure, the official blog of the National Institute of Standards and Technology (NIST) on October 21, 2021.