In 2023, the U.S. government will launch the Internet of Things security label plan

In 2023, the U.S. government will launch the Internet of Things security label plan. How will China's Internet of Things respond?

IoTcloudplatform.com IoT Think Tank

US government launches long-awaited IoT security labeling program

Recently, the U.S. government announced a cybersecurity certification and labeling program called "U.S. Cyber Trust Mark". The program is intended to help consumers identify trusted devices that are not vulnerable to network security attacks, and to protect the legitimate rights and interests of consumers.

 

The "U.S. Cyber Trust Mark" plan is an important part of the series of measures introduced by the U.S. government for IoT security in recent years. Compared with other policies, this plan is more commercially feasible, so it has attracted great attention from the industry.

With the number of Internet of Things connections growing rapidly and having a major impact on people's work and daily life, promoting the Internet of Things security label plan is of great significance, and it also offers lessons for the development of China's Internet of Things industry.

  • Overview of the Internet of Things Security Labeling Program

According to the press releases issued by the White House and the FCC, the conditions for implementing the "U.S. Cyber Trust Mark" plan have been met, and the plan has a significant effect on the network security and privacy protection of IoT devices. The main contents of the plan include:

1. The program focuses on consumer IoT devices

At present, the plan focuses on consumer IoT products, including smart refrigerators, smart air conditioners, smart TVs, smart thermostats, fitness trackers and other home IoT devices. Work has also begun on defining security standards for consumer-grade routers, which are included in the certification labeling program. At the same time, the US Department of Energy announced a cooperative plan to study and develop cybersecurity labeling requirements for smart meters and power inverters.

The security risks of the Internet of Things are well known to be serious. According to data from a third-party agency in the United States cited by the FCC, there were 1.5 billion attacks against Internet of Things devices in the first half of 2021, and a considerable share of them targeted smart home devices such as home cameras and smart refrigerators. It is therefore necessary to certify home IoT products through the IoT security labeling program.

2. Provide consumers with reference when purchasing through product packaging and labeling

The "U.S. Cyber Trust Mark" program is implemented in the form of product labels. The label consists of two parts: a logo pasted or printed on the product packaging, and a QR code. Through these two parts, consumers can obtain security information about the IoT products they buy.

As for the logo, the FCC has submitted an application to the United States Patent and Trademark Office for a trademark unique to the program. The logo takes the shape of a distinctive shield and is applied to products that meet established network security standards, indicating that the product has been certified against those standards.

The FCC also plans to attach a QR code that links to the device security certification platform and provides consumers with specific and comparable security information about these smart products, including which sensor data is collected, which data is shared, and how the device responds to security updates. For example, when consumers face new cybersecurity threats or need to patch, they can scan the QR code to find out whether the device is still certified.

3. Multiple institutions jointly promote the implementation of the plan

The FCC is the initiator of this plan. Before that, the FCC also joined forces with the US government and several industry organizations to promote the implementation of the plan.

First, in terms of certification standards for IoT products, the program will leverage stakeholder-led efforts to certify and label products according to specific cybersecurity standards published by the National Institute of Standards and Technology (NIST). These standards include requirements for unique and strong default passwords, data protection, software updates, and incident detection capabilities.

NIST released a baseline standard for consumer IoT products in September last year, and subsequent related standards will be further improved. In addition, the US Federal Trade Commission also plays an important role. The laboratories of third-party organizations, such as the CSA (Connectivity Standards Alliance) and the Consumer Technology Association, may undertake the certification work.

 

Second, in terms of marketing and promotion of the plan, the relevant agencies of the US government will support the FCC in educating consumers, so that consumers pay attention to this new label and base their purchase decisions on the security information it contains. Major U.S. retailers are also encouraged to prioritize placing IoT products bearing this logo on their shelves and on e-commerce platforms.

Third, in terms of oversight safeguards, the FCC also plans to work with other regulators and the U.S. Department of Justice to establish oversight and enforcement safeguards to maintain trust and confidence in the program.

4. Although it is a voluntary plan, the leading manufacturers have expressed their support

"U.S. Cyber Trust Mark" is not a mandatory plan. The White House and FCC have made it clear that manufacturers and retailers can choose to join voluntarily. However, at the same time that this plan was announced, leading manufacturers related to the home Internet of Things have basically announced their support for the plan.

The press release issued by the White House mentioned that the participating institutions on the day of the conference included Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco, CSA, Consumer Reporting Agency, Consumer Technology Association, Google, Infineon, Information Technology Industry Council, IoXT, Keysight, LG Electronics America, Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL, Yale, and August U.S.

It can be seen that these institutions cover all aspects of the entire industry chain of the consumer Internet of Things, and many of them are institutions with the right to speak in the industry chain, including manufacturers, retail platforms, monitoring and certification institutions, alliance organizations, and universities. Promoted by these agencies, although the "U.S. Cyber Trust Mark" is a voluntary program, it is likely to become a "quasi-mandatory" requirement widely accepted by the market. Of course, in the first batch of supporters, the role of Apple is missing, which seems a bit regrettable.

5. Strengthen cooperation with allies, aiming to promote the certification to the world

Internationally, the U.S. government will support the FCC in working with allies and partners to harmonize standards and seek mutual recognition of similar labeling efforts, the White House said in its press release. For example, the United States has proposed cooperation with the European Union to promote unified standards, and has begun to contact Singapore's network security labeling plan. It can be seen that the US government also hopes that its IoT Trusted Security Label program can become a "globally recognized label".

  • Inspired by the Energy Star Program, it is more commercially feasible

Nearly 10 years ago, U.S. lawmakers had already recognized the security threats posed by the Internet of Things and begun to promote legislation on Internet of Things security. In September 2018, the State of California approved and passed the "IoT Device Network Security Act". Although it is only a California law, it is the first IoT security-specific legislation introduced in the United States and represents substantial progress.

In December 2020, then US President Trump officially signed the "IoT Network Security Improvement Act", which became the first nationwide IoT security law in the United States.

The "Internet of Things Network Security Improvement Act" of the United States clearly defines IoT products. They are devices that have at least one transducer (sensor or actuator) for direct interaction with the physical world and at least one network interface; that are not traditional information technology equipment such as smartphones and laptops, for which the identification and implementation of cybersecurity features are already well understood; and that are able to work independently rather than just as a component of another device, such as a processor.

According to this definition, all kinds of smart home equipment products currently used in the home are within this scope.

In 2021, U.S. President Biden issued the "Executive Order on Improving National Cyber Security", which emphasized the need to improve the security of the Internet of Things and required the launch of a consumer Internet of Things labeling plan, including:

Within 270 days of the date of this order, the Secretary of Commerce, through the Director of NIST, in coordination with the Chairman of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, will determine the Internet of Things cybersecurity standards for the consumer labeling program and consider whether such a consumer labeling program can be operated together with, or modeled on, any similar existing government program, consistent with applicable law.

These standards should reflect the increasingly comprehensive level of testing and evaluation that products may undergo and should use or be compatible with existing labeling schemes that manufacturers use to inform consumers of the safety of their products. The NIST Director should review all relevant information, labeling, and incentive programs and apply best practices. This review should focus on ease of use for consumers and identify what can be done to maximize manufacturer engagement.

Since then, the Internet of Things security label program has been vigorously promoted. In October 2022, the White House convened a meeting on the Internet of Things security label plan with participants from IoT companies, universities, third-party associations and multiple government departments. The meeting proposed using the "Energy Star" program as a reference for promoting the IoT security labeling program.

Energy Star is a government program jointly implemented by the U.S. Department of Energy and the U.S. Environmental Protection Agency to better protect the living environment and save energy. In 1992, the U.S. Environmental Protection Agency participated, and it was first promoted on computer products. Later, more than 30 types of products were included in the scope of this certification, such as household appliances, heating/cooling equipment, electronic products, lighting products, etc.

The ENERGY STAR program is voluntary and its standards are typically 20-30% more energy efficient than US federal standards, but ENERGY STAR ratings have become an important part of consumer and business purchasing decisions. All manufacturers must submit test results from an accredited, approved laboratory to ensure the product meets the standards in order to receive the ENERGY STAR certification label.

Drawing on the Energy Star program, relevant agencies have also launched preliminary research on IoT security labels. For example, the laboratory of Carnegie Mellon University, which was invited to participate in the meeting, proposed a prototype of an IoT security label as follows:

The label prototype provides security update information, access control methods, information about the data collected, and so on. More importantly, the label itself also states the purpose of data collection, where the data is stored, with whom it is shared, and whether it is sold. It can be said that this label contains the privacy information that users are mainly concerned about and the commitments made by the manufacturer.

Of course, if all the label information is displayed, it will occupy a very large area. There is no doubt that such a large space cannot be given on many product packaging boxes, so relevant information can be provided in the form of a QR code.

In addition to the enlightenment of Energy Star, there are similar IoT security labeling programs overseas for reference. For example, Singapore has previously launched its own network security labeling program to improve the security of the Internet of Things.

Initially launched just to cover routers and gateways, the program has since expanded to include all consumer IoT devices, such as cameras, smart door locks, smart lights, and smart printers.

Singapore's Internet of Things Security Labeling Program classifies all connected consumer devices into four levels: the first level is meeting the basic security requirements, the second level is compliance with security design specifications, the third level is the absence of known common software vulnerabilities, and the fourth level is resistance to common network attacks.

Among them, the first and second grades only need the manufacturer's own declaration of conformity, while the third and fourth grades must be independently tested by a third party to pass the certification. Singapore's plan has been recognized by Finland and Germany.

  • Suggestions for China's Internet of Things industry

In 2024, the "U.S. Cyber Trust Mark" plan will be officially implemented. By then, many consumer IoT products will undergo label certification and be recognized in the US and even global markets.

China's Internet of Things market is not closed off from the rest of the world, so it is necessary to pay close attention to the progress of this plan and actively promote the security of Internet of Things products. In my opinion, we can analyze the impact of this US plan on China from two aspects.

1. Domestic Internet of Things companies going overseas should actively pay attention to and join this plan

This IoT security initiative is aimed at consumer IoT products, especially smart home products. China is a major producer and a major exporter of smart home products.

Taking home appliances as an example, according to data from the General Administration of Customs, from January to June 2023, China exported a total of 1.73 billion household appliances, a year-on-year increase of 1.4%. The region with the highest export value. A considerable part of the exported home appliances are smart home appliances.

Although the "U.S. Cyber Trust Mark" program is not mandatory, it will still significantly affect the competitiveness of China's export products.

The Energy Star program may serve as a reference. According to data released by the General Administration of Customs, in 2022 China's exports of electrical machinery, electrical equipment, audio-visual equipment and their spare parts to the United States reached 950.15 billion yuan, a considerable part of which was products within the scope of Energy Star certification. Energy Star certification promotes the "going out" of local brands and optimizes the business environment.

With reference to the Energy Star program, Chinese enterprises can learn about the rules of the "U.S. Cyber Trust Mark" program in advance, actively participate in this certification, and gain competitiveness in going overseas.

In fact, many domestic companies have already started to take action. For example, Tuya Smart recently announced that it will actively promote its ecosystem products to join this plan. Given that the United States plans to promote the "U.S. Cyber Trust Mark" program to all allies around the world for mutual recognition, in the future China's Internet of Things products sold overseas may treat the composite label certification as a standard configuration.

2. Plan in advance to build a local IoT security label certification laboratory

In order to obtain the "U.S. Cyber Trust Mark" label, the United States will entrust a third-party certification agency to conduct security testing on IoT products. For domestic products going overseas, if they can obtain certification from a local authorized agency, the cost of going overseas will be greatly reduced.

Still taking Energy Star as an example, in 2010 the U.S. Environmental Protection Agency issued a notice requiring laboratories that conduct Energy Star product testing to be accredited in advance by one of its authorized accreditation agencies before their test results can be accepted by the U.S. side. This brought uncertainty to the export to the US market of products within the scope of Energy Star certification, such as electrical appliances, computers, household appliances, and lighting. China National Accreditation Service for Conformity Assessment (CNAS) did a lot of work and finally officially entered the list of accreditation institutions authorized by Energy Star.

At present, the number of approved Energy Star laboratories in China has reached more than 80, accounting for about a quarter of the global total. Thanks to this international mutual recognition, the testing data of domestic laboratories are directly recognized by the US side, which not only greatly shortens the product filing cycle, but also greatly reduces the testing and verification costs of enterprises, especially small, medium and micro enterprises.

Drawing on this experience, relevant domestic agencies can plan in advance, learn about the relevant specifications of the United States for IoT security certification, build local certification laboratories, and help domestic IoT companies, especially small and medium-sized enterprises, export their products.

3. Actively promote the construction of China's Internet of Things security research and supervision system

China ranks first in the world in the number of Internet of Things connections. The security pressure on the Internet of Things is very high, and the construction of an Internet of Things security system cannot be ignored. At present, although China has proposed speeding up the construction of the Internet of Things security system in multiple Internet of Things policies, there are no laws and regulations specifically aimed at the security of the Internet of Things. In the context of overseas IoT security legislation and the construction of IoT security label systems, domestic work in this field needs to be strengthened, and overseas experience should be used to build a security system suited to the domestic industrial ecosystem.
