The White House has been busy when it comes to cybersecurity. Around four months ago, it released the national cybersecurity strategy, and the administration just followed that up with the launch of an accompanying implementation plan. Throughout its 57 pages, the plan outlines several initiatives slated for completion between the end of the 2023 and 2024 fiscal years that revolve around two major calls. One is for enhanced public-private collaboration. The other is “for the technology sector to assume greater responsibility for security on software, hardware and platforms,” as Matt Kapko at Cybersecurity Dive writes.
While partnerships and integrating cybersecurity from the ground up are both important and effective protective measures, it is another recent cybersecurity announcement that has us scratching our heads.
The Introduction of IoT Cybersecurity Labeling
The White House introduced its official proposal for IoT cybersecurity labels. Under the voluntary program, which is called Cyber Trust Mark and set to be overseen by the Federal Communications Commission (FCC), IoT devices would receive labels indicating to consumers if they are cyber secure or not. At the moment, the program is simply in an introductory phase focused on consumer goods. However, the White House hopes to eventually evolve it further to address consumer-grade routers and security devices used in energy settings, according to Government Technology.
Is IIoT Cybersecurity Labeling Next?
So, what does any of this have to do with the industrial sector, other than its projected use in the energy field? As we know, digitalization is rapidly unfolding in the sector. As Wayne Schaefer puts it in a piece for Engineering.com, “The drive towards more and enhanced interconnectedness in today’s manufacturing facilities means that PLCs, HMI’s, and SCADA systems that either function independently or on isolated plant floor networks have become part of larger, interconnected Industrial Control Systems (ICS).” In part, this growing connectedness is due to the adoption of IIoT, the industrial application of IoT devices. In fact, one of the five key trends determined by the IoT Platform Market for 2024 is “expansion of IoT platforms in industrial applications.”
So, if Cyber Trust Mark intends to clarify the levels of cybersecurity integrated into IoT devices, then it is probably only a matter of time before such efforts are directed toward IIoT as well. This is especially true when lined up with the mounting emphasis on critical infrastructure. But the big question is…is this labeling push actually helpful?
The Problem with Cybersecurity Labeling
The short answer – no. As explained by Jeff Smith, our CTO at DYNICS, Cyber Trust Mark is overly abstract and primed to be taken advantage of as a marketing ploy. Not only that, but it’s also a precursor to the U.S. mimicking the European Union’s recent regulatory actions to hold companies accountable for products that are hacked or compromised.
If vulnerabilities in products or the methods of cyberattackers were static or limited, then perhaps a program such as this could work. Unfortunately, we are well aware that that’s not the case. Today’s threat landscape is sophisticated and complex. In turn, it doesn’t really make sense to declare a product cybersafe, because it is only safe until it gets compromised. A “mark” is then rendered meaningless whether it’s placed on an IoT or IIoT device.
- “White House shares the 69 initiatives slated to shore up national cybersecurity” – Matt Kapko, Cybersecurity Dive
- “FCC Proposes Cybersecurity Labels, Certifications for IoT Devices” – Government Technology, News Staff
- “The Rising Importance of PLC Cybersecurity: An Essential Look into Industrial Vulnerability” – Wayne Schaefer, Engineering.com
- “IoT Platform Market Forecast for 2024: Trends Analysis” – Mark Allinson, Robotics & Automation News