The connection of devices, including household devices, to the internet has created a raft of new potential entryways for hackers to invade your home networks and cause chaos and destruction. The proliferation of these devices has prompted calls for the creation of consumer labels to let would-be buyers know about their cybersecurity capabilities. Taking Measure interviewed National Institute of Standards and Technology (NIST) Cybersecurity for Internet of Things (IoT) program manager Katerina Megas to learn more about this new labeling initiative.
The Internet of Things (IoT) is the convergence of internet connectivity with those “things” that used to be disconnected from the internet. These things, such as vacuum cleaners or robotic arms, have both a physical component and the ability to affect the physical world or collect information from it. While these devices used to work as standalone “things,” there are all kinds of benefits now to connecting them to the internet, such as being able to download a newly discovered recipe to your oven that presets it so you don’t have to worry about setting the timer, temperature or mode of the oven.
While connecting a household device to the internet can bring about great efficiencies and new innovations, it also makes that device susceptible to the same cyberattacks as your home computer. While laptops and servers have been dealing with these vulnerabilities for a while, these devices are new to this market and the industry is still figuring it out.
IoT devices have a number of aspects that make them vulnerable, over and above the fact that we’ve learned through experience that essentially all computers are vulnerable. First, IoT devices are often very constrained in terms of processing capacity, memory, power and other characteristics, limiting their ability to include security features such as anti-malware protection, which we’d expect to find on a more powerful device. They often have limited user interfaces (or none at all), so that their ability to raise an alarm if a security problem is detected is quite constrained. Their developers are often focused on the “smart” function of the device without significant considerations for its cybersecurity. Also, many IoT devices have been sold and deployed without any form of software update mechanism, so any flaws that exist in their initial design will persist throughout their lifetime.
If not secured, these devices could be used as a launchpad for attackers to get access to other things on your home network — like your PC. Attackers could use your devices as part of some criminal activity such as a distributed denial-of-service attack that could bring down an online service like an electronic health record system. Someone could hold your devices hostage and try to extract a ransom from you — if this is your front-door lock, then you might have a problem getting into your home. There are countless ways that an attacker could use these devices for malicious purposes.
Among other things, the executive order directs NIST to initiate two product-labeling programs on cybersecurity capabilities of IoT consumer devices and software development practices. We have organized our thinking about the scheme around three parts:
We released a draft white paper focused on the first of the three and recently received public comments. We also listened to input we received at a September public workshop. We will be releasing similar papers focusing on the latter two as well. We are aiming to be able to publish criteria by February and identify where there might be programs that can support those criteria — either programs that already do exist that support those criteria, or programs that support a large portion of those criteria and could incorporate those that they don’t.
The goal is to provide consumers a basis for comparison regarding the security of functionally similar products when they’re in the process of making a purchase decision. As things stand today, it’s extraordinarily difficult to find even basic information about the security capabilities of an IoT product when you’re standing in the store ready to bring one home. We aim to raise consumer awareness and provide information helpful to all consumers regarding the security of these products.
A major challenge is the complexity and dynamic nature of cybersecurity. Other labeling schemes, such as EnergyStar, provide information about product characteristics that are comparatively easy to measure and generally don’t change over the life of the product. Cybersecurity is both much more complex and also inherently dynamic, as flaws can be discovered at any time after a product is brought to market and in use. So, the labeling approach has to provide information about the security of the product at the time it was evaluated AND have some means for the consumer to discover updates to that information if vulnerabilities are discovered in the future. And at the same time, if the manufacturer is responsibly fixing vulnerabilities, then we don’t want the fact that one was found and fixed to invalidate the label.
I have lots of connected devices in my home. I am fortunate that I probably am not the average consumer and have the knowledge to apply some mitigation approaches, such as creating an isolated network for my vulnerable IoT devices. That being said, that is not a foolproof approach, so I still consider my risk appetite and the potential impact when installing new devices. I consider if my device were to be compromised what would I be giving a hacker access to and does it exceed my tolerance for risk? That is, at least until I have an easy way, because I don’t have the time for complicated or hard to access information, to understand what has been done to reduce the likelihood of my device being compromised. This is something IoT consumer labeling will help to solve.
I’ve given various answers to this question over the past few years depending on what might be on the horizon with respect to even more innovative ways of incorporating connecting technologies into our everyday lives. However, recently I was participating in a meeting with some of the principal investigators from SPLICE. SPLICE involves 10 faculty investigators from various universities — I happen to sit on their advisory council. I was very excited to hear one of the investigators talk about the focus of her research: With all the benefits that IoT can bring to people, such as giving them more access to healthcare at home and allowing them to age-in-place, how can we ensure that these devices are being engineered to work for all individuals and not just those that present the largest target market? It would be a terrible thing if there were parts of the market that miss out on these new technologies because they don’t seem lucrative due to financial or other considerations.
I was fortunate enough to sort of fall into cybersecurity as a field and am very grateful that I did. In my case, one thing just led to another. I started out my career in marketing. When my company decided to undergo a major integration of their business units as part of an enterprise resource planning (ERP) implementation, the company’s owner asked me to lead the project, and I began working with the IT consultants responsible for the implementation. After that, my career followed an IT path. From there I’ve worked as project manager of IT projects ranging from telecommunications solutions to identity solutions and working with organizations as they undergo their Capability Maturity Model Integration (CMMI) certifications. Identity solutions are an interesting mix of both business enabler and cybersecurity solution when done right.
I heard a quote from someone a few days ago that “cybersecurity is not everything, but without cybersecurity everything is nothing” — OK, that might be a bit of an exaggeration, but it really highlights the importance of the work — whether it be advancing consumer protections from cybersecurity threats through to national security.
*Edited October 25, 2021
Will it be adaptable to versatile technology platforms..