"U.S. Cyber Trust Mark" For IoT Devices Examined
The newly proposed US Government "Cyber Trust Mark" is aimed at helping consumers identify products that are safer and more secure by voluntarily meeting the US Government's cybersecurity standards, but what does this mean for manufacturers, sellers, and the commercial physical security industry?
IPVM spoke to participating companies. In this report, we examine the U.S. Cyber Trust Mark and its potential impact on the video surveillance and access control markets, with feedback and reactions from NIST and physical security companies.
Executive *******
***** *** ** ********** ***** **** program ** *********, *** ********/********* ******** to ******* *** ******** **** ******* various ****** ** ************* ************/*************, *.*., (TLSv1.3, **** *****, *** *******, ***.), to *** ******* ******** ** *** US **********. ************, ********* *** ******** to ****** ******* ******* **** ****** the *** *****/******** ****** ********* *** Trust **** *** ********.
***** **** ** *********, ** ******* there ** * ****** *********** **** competitors **** ***** ** ** ****, as **** *** **** *** ****, providing ********** * *********** ********* ** marketing, ***** **** ** *** ****** will ****** ** *** *** ***** Trust ****.
**** ** ****** ** ******** *** recommended ************* ************* ******** ** *** end ** ****. ** **** *****, the *** **** **** *** ***** requirements *** ********** *********, ***** ** expected ** “** ** *** ******* in ****”.
*** **** ** ***-********-******* ************* (*.*., Avigilon, ****, ******, ***.) ** ******* at **** ****, ** *** ********* were *** ******** ****** ** *** announcement, *** **** *** *** ******* involvement **** ********* ** ****. *******, the ****-****** ********* *** ***** (** relabeling *********) *** ******** ** ** able ** *********** (***:*** ****** ********* *** *****) ** *** *******.
**** **** ******** ** ******* *** examine **** ******* ** **** *******/******** is ****.
Consumer ******
*** ***** ***** **** ***** ******* includes ************* **** *** ** **********, many ** *** *****'* ******* ********** companies (*.*., ****** *** ******), **** industry *************, *********, *** *** ****** manufacturers. ** ****** *******, ** ****** help ********* ******** *** ******** ******** that ****** *********** ************* **** ********* defined ** ****.
*******, ************* **** ******* ************* ** support ********* ****** ***** ********** *** product. **** *********** **** * ****** cybersecurity **** ** **** ********* ** not ******** ***** ****** ****** ** the **** ****. *** ****** ************* must **** ********* **** ***** ******** updated, ********* ******, ***.
The **** ** *** ************* ******** *******
**** *********, ***** ***** ****** ******** Security ******* *** ***** *** ******** Technologies, ****:
** *****'* ****** **** **** ********* identify *** ****** ******** **** **** the ** **********'* ************* *********. *** they'll **** ********* **** **** **** same ******** ********* * *** ** differentiate ***** ******** *** **** **** their ******** *** **** ***** ******.
*** **** ** *** ***** ***** Mark ** ** ***** ** **** connection [******* ********* *** *********] *** stand **** ** **** *** ********* of *** ** ********** ******** ******* by *** ******** ********* *** *********
*** *.*. ***** ***** **** ** being ********** ********* ** ********* **** ******* **** **********:
**'** ******* ** *** *.*. ***** Trust ****, *** **** **** *** Energy **** **** ***** ********* **** what ******* *** ****** *********, *** Cyber ***** **** **** **** ********* make **** ******** ********** *** **** informed ********* ***** **** **** ** devices **** ***** **** ***** ***** and **********. ** **** *** **** a **** *******, ** * *** home *********, ***'** ** **** ** look *** *** ***** ***** ****, and ***'** ** **** ** **** with ******* **********.
*******, *** ***** ******** * ** code *** ********* ** *** **-**-**** information ***** *******:
****'* ****, ******* ** **** ******* and ******** *** *** ******, **'** proposing **** ***** **** *** **** will **** * ** **** **** provides ** ** **** *********** ** the ******.
*** ********** ******* *********** ********* **** security ******* ** * ****** ** cyber ********* *** ********** *** **** of ****** *** ******* **** ******:
*** ***** *** **** ******** *******, those ********* *********** *** ***** ******* trackers, **** *** **. ******* ********, we **** ***** ** ******* ***** devices ** *** ***********, *** ****'** growing. ** *** *** ** *** decade, ** ****** ** **** ** billion. *** ***** *** ***, ***** incidents ********** **** **** *** ******* too. ** **** *** **** ** wary ** ******** ***** ***** ******* these ******** ** ****** ******* **** our *****. *** **** **'** **** out ** *** *********** ************* *** efficiencies **** **** *** ******.
*** ***** ** ** *****'* **** to ** **** *** ******* ** can ** **** ** **** *** Internet ** ****** *** *** ***** devices ****** *** ** **** ** help ********* **** **** ******* ***** what **** ***** **** ***** ***** and *** **********
Expected ****** ****
*** ******** ******* ** ******** ** be ** *** ******* ** ****:
****** ***** *** *********** ** ******** wireless ************* *******, *** *** ** expected ** **** ****** ******* ** rolling *** *** ******** ********* ************* labeling *******, ***** ** ******** ** be ** *** ******* ** ****.
**** *** **** ****** ** ******** its *********** ************* ************* ******** ** the *** ** ****. ** **** point, *** *** **** **** *** final ************ *** ********** ********* ** participants ** *** ******** *******.
Who ** ******** - ******* ******** ******** ********
*** ************ ***** ** ********* **** participated ** *** ************:
******, **** ***, ******** ****** **********, CyLab, ***** *******, ************ ********* ********, Consumer *******, ******** ********** ***********, ******, Infineon, *** *********** ********** ******** *******, IoXT, ********, ** *********** *.*.*., ********, OpenPolicy, *****, ********, ******* ***********, ** Solutions, **** *** ****** *.*.
***** ****** (****) *** ****** (****) are ******* ******** ** *** *********** video ************ ******, **** **** *** August **** *** **** ********* ********* from *** ******** ******** ********.
Announcement ***** **********
*** ***** ***** ****** ** ****-***-*-**** press ********** ********** *** *******, ******** below:
Launching * ************* ******** *******
****** ******** ******** ** *** ********** Of ********, ************* *** * ******** ***** **** NIST ******* ** ** **** ************* in *** ******* ********** *** *************:
- ****** ************ ** ***** ***** ** the ******* *********** *** *********
- ******** ************ *** ******, ***********, *** operation ** *** *******
- ****** ********** ****** *** *********** **** by ********** ******** ******* ******** ********, including ******** *** *******, *** ************
*******, **** ** *** ********** ****** the ***** ********** *** ***** ** at * **** **** *****, ****** specifics *** ******** **** *** *** of **** / ***** ****.
Who ********* ** *** ******* / ****-************* ******
*** ******** ******* ********** ** *** describe **** ***** (*.*., ********** ******, device ************, *********** *******, ***.) **** certify ** **** ******* ** **** the ******* **** ************ *** ************* capabilities.
**** ***** ** ******* ******** *** label *******, ******* **** **** ****** most ********* ** ****-*******. *******, **** also ***** ************* ** ** *** Consumer ******* ** * **** **** they **** ** ******** ************* ********.
** ******* ** ** **** *** strictly *** ********** **** *****/********** ***** guidelines *** ****-********** *********, ***** ******** an *********** *** ********* ** ********* outcomes.
Labeling ******* *********
****'* ***************** ******** *** ************* ******** *** Consumer ******** ** ****** *********** ********* ** ******** **** *** is ******** ** ** ******* ** 2024.
*** ******** ***** ******* ********** ********* specifications, ****** ******* ******** ******* **** what ** ** *** ******:
*******, *** ******** ********** * **** IoT ****** ***** ********** **** ****** manufacturers *** ***** *** ***** ***** of **** *** ***** ************ **** be:
- ************ ************* ********** *** *** ****** Manufacturers
- *** ****** ************* ********** **** ********
- *** ***-********* ********** ********** **** ********
*** ******** *************** **** ******* * generic ******* ** **** ******** ****** vulnerabilities, ******** ** *** ****** *******, and ******** ******** **** *** **** mitigated *** ********:
Manufacturer ****** ***** ** ****
**** ** *** ******** ******* ** the ************ *********** ***** *******' **** profile, ******** "*****" ** ************* **** for ***** *******, *** ************ ******* based ** **** ****-*************:
*******, **** ****** *********** ***********, *** risk ** ***-**********, ***** ** * manufacturer's *********** ** ******** ** ****** the **** **** ** *** ******** unless ***** *********** ******* ** ************* is ********.
**** ** ** ******** ** ** certifications, ***** *** ******* ******* *** specific ******** ** ******* *******, *** are ********* ** ** *********** *******.
NIST **** *** ********
**** *** **** ****** ** ****** its *********** ************* ********** *** **** with ************* ** ******** *** ********:
** **** ******** ****** ** *** good **** ****'* ******* **** **** by ********** *** ********, ******* **'** going ** **** ** ***** **** recommended ******** ** *** *** ***** Trust **** ******* **.
**** ******** *** ********* ******** ** IPVM ********* *** ******* ** *** White *****:
**** *********** ********** *** *** ***** Trust **** *******, **** ** *** area ** ********** ********** ********* ** well ** ********* ********* ****** *** recommended ******** ******** (**** ** ****). At *** ******* ****** *****, *** Chairperson *********** ********* **** *** ****** is ** **** *** ******* ** the **** ******** ******** *** **** be ***** ******* * ****** ** Proposed ********** (****) ******* ** ******* input ** **** ******* *** *******. The **** ******** ******** *** ********* as ** ************* ******** *** ******** should *******, ******* **** ********* ************* outcomes **** ** *********** ************** **********, to ***-********* ************* ********, **** ** a ********** ******** ******** *********** ******* or ************* ********** *******.
*******, **** ******** "*** **************" *** the *******, ********* ******** ********* *** education:
******* ***** *** *** **********, *** rather *** ************** ***** *******. **** of ***** **** ********* ** *** May **** ****** ** *** ***** (****** *** *** ********* ** *** President *** ******** ******** ******* (*****) on ************* ******** *** *********: ******** of ****** (***) ******* *** ********). **** ******** ****** **** ******** awareness *** *********, ***** *** ***** to ** ******** ** *** ******* of *** ******* *** ******** **** customers ********* *** ****. ***** *** USG **** **** * **** ** this, ***** ************* **** ** ******** Reports *** **** *** (*** **** also **** ** *** ****** *****) will **** **** * **** ** this *** **** ********* ***** ********* about *** ****.
****, **** ******** **** *** ******** program **** ** ********** **** **** participating *********:
** ** ********* **** * ***** set ** ************ *********** ** ***** efforts ** ** ***** *** ** a ****** *********** ** ********* **** can ******* *** ******* ***** ** a **** ***** *** ** ******** IoT ******** ** *** ******* *******.
Axis ******** ********
***** **** *** *** * *********** in *** ************, **** **** **** that ************* ** * **** *********, and **** *** ********** ** *** program:
************* ** * **** ********* ** Axis, ** *******, ** *** ********** of *********** **** ******* ******** ******* security *** ***** ******* ************ ** the ******. *** **** ******** **** IoT ******** **********, ** **** **** preparing *** ******** ** **** *** criteria ******** ***** ****’* ***** ****** of ** ***** *** ***** ** May ****. ***** ****** **** ******* after *** ***** ****** ** ****. In *** ****, ** ********* ***** 14028, ***** *** ***** ********* *** the *** ******** ********** **** *********. The *** ***** ********* **** ************ in **** **** * ****** *** of ************ *** **** ** **** – ******* ** *** *** **** Baseline *** ******** *** ********.
**** **** ***** **** ***** ******* and ****** *** *** ********-******, ******** impact ** ***** ******* *****:
***** **** ** *** ****** *** access ******* ******* ***** ****’* ***** at ********* *********, ** ***’* ********** a ***** ****** ** ***** ******* lines. *******, **** **** ******** ********* all ** *** ******** ** **** IoT ******** *********** ** *** ***** these ************ *** ******.
*** *******, *** ******** ******** ************* will **** ** **** ** ** speed ** *** **** *** ******** initiative ** **** ******* ****** *********.
Other ************* *********
**** **** ********* *****, *****, ******, Motorola *********, ********, *** **** ***** but ****** ******** ** ******** ** "no *******" ********* ** *** **** of **********. ** **** ****** *** report ** *** ************* ******* **** comments.
Keysight ********/******** ************* ******* ********
********** ************* *** ******* ******* ********, * *********** ** *** ************, separately ***** ** **** ***** *** involvement *** ******** **** ************ ********** and ************* ******* *** ******** ******** is ********* ********* ($**,*** *** ******), but **** *** ******* **** ****, FCC, *** ****** ************* ** ****** a ***** **** ****** *** ************ self-certification.
******** **** **** ** *** ***** certification ** * *******, *** **** expect ** *** ******** ******* **** be ******** ******** *** ********** ***** Trust **** ******* *** ******* **** larger ********* **** ****-*******.
** **** ****** ** **** ******** to ******* * ******* ****** ** the *******'* ********** *** *********.
Participant ************ ********
******** ************* ************ ** *** ***** conference, ********* ******** ** * **** level, ******* ** ******* *** ********.
******'* ********* *********** *** **** *** transparency *** **** * ******* ******* to **** ********** ******:
*****, **'** ***** ** ****** ** continue ********** ******'* ******** ******* ******** standards ** ******* ** *** ***** Trust ****. *** ** **** ******** to **** *** *********** ** ************ standards ******* ** ******, ** ****** believe **** ******* ** **** *********** labels, ********* ******* ** ********** *** security *********** ** ***** ******** **** connect ** *** ********. ***** ************* against ******** ********* **** *** **** that * ******* ** **** ** vulnerabilities. *** ************ ** *** **** that ****** *** ***** ******* ** enables ********* ** ******* *** ******** of ******** *** **** ********* *******, which ** **** **** ***** ************* to ******* ***** ***********, ****** *** Internet ** ****** *** *** ** us *****.
******'* ********* *** ** **** ** advertisement *** *** ******** *** ******** as ** *** ************ *** ***** of *** ******** *******:
** **** *** ********* ******* ******** and **** **** ********** ** ******.***. By ********** ******** ******* *** ******** information ** ******* ****** *****, ** have * **** **** *** *** protecting *** *********. ****'* *** *** own ******* *** ******** *** ***** with ******** ****** ** ********. *** while ** **** ***** *** ** protect *** ********* *** **** ***** information **** *** ******. ****** ******** the ** **********'* ********* ** ********** a ************* ** ***** ***** **** labeling ******* **** *********** *** ****** with ****** ******** ************ *** ***********. We ***** *** ********* **** ********** seeing *** ***** *** **** ** packaging **** ***** ******** ****** ** their ********, *** **** **** ******** online. ** **** ******* ** ********** with *** ******** ************ *** *** government ********* *** *** ** **** effort
**** & ******, *** **** ***** focused ******** ******** ********* *************, ******** its "**********", *** **** *** ***** on *******:
**** *** ****** *** ******* ** participate ** **** *** ******** ******* and *** ********* ** ******** *** consumer ******** **** *** *** ******** labeling ******** ** *** ******* ********. As * ******* ***** **** ******** brands **** ****** *********** ******** *** services **** ****** ****** ** *** home, *** ******** *** ******* ** our ********* *** *** **** ****** be *** *** ********. ** *** excited *** *** ****** ** *** program ** ** ****** *** ********** to **** *** ******* ****, ****** and ********** *** *********.
Representative *** ****'* ** *******
************** *** **** ** *************** ** *** ***** ********** ************, making ** ******* ** ** *************:
* ******* * ******* *** **** an *******. ** **** * ******* goes ** ******, *** **** *** a ****, *** **** ***** ***** lamp ****, **** ***'* ****** ** to ***** ** ****. *** *** reason ** ******* *****'* * ****** certification ** **** *** ** ************ Laboratory. *** ****** *** ******* **** time **** ** **** **** ********, they're ********* ** * ************* ******, consumers **** *** ** ** *** at **** ******* ***** ******** ***'* catch ** ****. *** *** ************* know **** **** ****, ** **** get *** **** **** ********, *** target ** **** ****** ** *** the ******* *** ***
*******, ** ** ** *********** ****** certification *******, **** ***** ******** ** commercial ********, *** ******** ******* ********. In ********, *** ***** ******* ******** indicates **** *** ************ **** ** certifying *** ******** ***** *** ********.
*******, ************** **** ********** **** ** voluntary:
* ********** *** ***** ****** *** to ** * ********* ************* ******** initiative *** ******** ******* ** **** Underwriters ********** ***** **, *** *******, and ** *** ** ******* **** the ***** ***** ** *** ***** forward **** ***** ***** ***** ****, voluntary ************* ******** **********.
Questions ******
***** ** ** ******** ** ** launched ** ****, **** *** **** left ** ******, *** ********* ********* remain ***** *** ************** *** *** it **** ****** *** ***** ************ and ****** ******* ******.
**** ******* ** ** **********:
- *** ** *********** *** ********** ********?
- **** ****-****** ********* ********* *** ***** be **** ** ***********?
- **** ***-******** ************* (****, ********, *****, etc.) *********** ** *** *******?
- *** **** ************* ***** ******* ** remain **-**-****?
- *** ******* **** *** ****** *** approve ********** ******* ******* *******?
* ******* **** **** **** **** something **** *** "*************" *** *** headlight *****, *.*. * ****-***-*** ** your ***** ************ (*******) ******* *** will *** ******** ** **** *********. Anyone *** ***** ******** **** **** on ***** ******** ******* **'* ********** or ***, *** *********** ** ***** to ** **** ** ****?
***** ******** ********* *** *********, *** self-certification *********** *** *** ***** *****.
********* *** ******* ** ***** ** NO ******** ******* *** ************ ** those ********* ***** ******** ****.
*****-******** *** ** ** ********, *** self-testing is *********** *** ********** ** *** process.
* ******* **** **** *** ******* to ****-******** ** ****. ****, **** will ****.
******* ******* *** ** ******* ****** and ** **** ******* ************, ***** testing, ************, *** ************* ** ******* is ******** *** *** *** ********.
**** ***** ******* ************ ** **** Server ****** ** ********* ** *** other ** ********* *** ** *********** by ******* *** *********.
**** ************ ** ******** ********* ***'* happen ******* *** *********** ** *** IOT ********** ******* ** ** ****** security ******** *** ******* ****** ** every ******* ** ***** **** ***. (my *******) ** *** ******** *** PRC **** *** ******* ******* ******* penetration *********, *** *** ******** ** built **** ***** ******* ******** ************ by *** *************, ******* *** ******* has **** ********* ** ***.
************ ****** ********** *** ** ************ via * ******** ******, ******* *** manufacturer ****** ** **** ** ***.
*** ****** ** ** *** ********** access ** **** **** ****** ****** IOT ********, ********* ***'* **** **** for ********.
***'* **** **** ** **, ** someone ****** **** *** *** **** needs ** ** ****, *** ** is ******* ****.
****... ** * *** ****. **'* not ******* ** ***'* **** * standard. **'* ******* **** ******** ** by * **** ***** *** *** itself ** ** ** *** ********* to ** ***********. ********* **** **** should ** **** ********** *** ****** approved. *'* ****** *** ** *** version ** ******* **** *** ************* ballsy ****** ** **** *** ***** than ********* **** ****.
** ** ***** *** *** *** only *** **** *********** ******. ***** you **** *** **** ********* ******* for ****** ******** *** *** ********* and *** *******.
**** ************** *** *** ** **** a **** **'* *** ***** *** willing ** ****** *** ***** **** it's *****.
*** ************ ****** *************** ** ****** ****** ******* **** ***** *** ** Cyber ***** ****.
*** **** ******* ** ****** **** manufacturers *** ***** ***** *** **** an *** ****** ** ***** ** be *********, ** "********* *** **** supporting * ****** **** ****** ********* have ******* ***** **". **** ** the ******** ********* **** ***** ** well, ****** **** **** *** ******* outlast *** ************'* ******* *******.
***** **** **** * ****** ** skeptics, ****** **** ******** ** * product ** *** **** ********:
***** **** ******** *** ******** ********** to *** ****, *** ************ **** people **** ****** ******** ** *** issue:
*** **** ***** ********* ****, **** (midnight **) ** **** ******** ** the ********** **********.[*] ****** ** ****: go ********* ***** ** **** ****** ** ‘express’ ******* (**** **** * *******) or * ‘********’ ******* (****** * PDF). ****** ***, *** *** ** required ** ******** **** *********. *** options *** ** *** *****, ** don’t **** ****, *** ** **** your ********* ** ***** ** ********, so **** ******* *** ********** ****. If *** **** * ************* (**** of ****, ******* ******, ***** ** experience, ***.) **** ***** ******* *** credibility ** **** ******** *******, ** sure ** ******* ****, *** *** only ********* ************* ** ***** ** interested ****** ** *** ******.
******: *** ***** ** ******* ****, this ****:*** ******* ********* ************* ******** ******* FOR ***** ********
* ******* *** ******, *** * see ******* *** ******* ** *** horizon.