For four days in Southern France, cybersecurity experts from a broad array of countries and sectors gathered for the annual ETSI Security Conference. The event, run by one of the world’s major information and communication technology (ICT) standards organisations, was intended to take stock of the state of cybersecurity and its trends.
A notable collective development this year was the emergence of a vast ecosystem of IoT seal initiatives: regulatory authorities, industry bodies, standards organisations, and individual companies of every kind are rolling out diverse cyber seal schemes for the Internet of Things (IoT). As chance had it, comments in the FCC’s IoT cyber seal rulemaking proceeding were being filed at the same time, and they added still further insight into the expanding ecosystem. It was apparent that the number of IoT seal schemes is now measured in the scores and heading toward hundreds. The vastness of this expanding universe was revealed graphically last year on the UK IoT security mapping site.
Some of these schemes are motivated by political quests in different jurisdictions to demonstrate responsiveness to public concern or to enhance the profile of a government agency; others by a desire to institute best practices within an industry sector or at individual providers. Still other actors see an opportunity to generate new revenue from sales of their standards or certification services. All of them have come to the IoT cyber seal frenzy.
The schemes all tend to have the same attributes: 1) a set of technical and process requirements for marketplace products or services, 2) certification of compliance with those requirements, 3) means of implementation and enforcement, and 4) an image of a seal, label, logo, or mark to comfort users. Some schemes are mandated by government authorities—occasionally extraterritorially; others are voluntary. Some schemes have associated public registration mechanisms. All have some means of funding the costly activities. Most are potential anticompetitive barriers to market entry and innovation. All carry the same message “trust in me.”
The disingenuous reality common to all the schemes is that none of them can actually ensure product or service cybersecurity: the cybersecurity risks faced by all these products and services begin increasing significantly the moment they are powered on. Furthermore, extensive research over many years shows that labels for even simple appliances are basically worthless in influencing customer decisions, never mind anything as complex as IoT security. Nevertheless, the IoT cyber seal frenzy is plainly expanding worldwide as the latest cyber phenomenon.
The collective result, apart from the amusement of watching all the players in the rapidly expanding ecosystem attempt this activity, is a globally expanding “cyber seal fog” of diverse IoT trust assertions about the trillions of digital network objects attached to our electronic communication networks, one that detracts from spending resources on Zero Trust Model controls that significantly reduce risks. The cybersecurity fog phenomenon was first described by the cyber sage Tony Sager in his former role as operations chief of the NSA Information Assurance Directorate (IAD), and it remains a pervasive cyber challenge.
Several decades ago, at one of the first IoT security conferences, former UUNET CTO Mike O’Dell opined that a worst-case threat was all the “silicon cockroaches” (as IoT devices were then known) chirping at once. A variant of that threat is emerging today: all the cyber trust seal foggers acting in unison.
The Cyber Seal Ecosystem
The certification of compliance with intergovernmental, national, and industry standards for network, radio, and computational systems and devices is a practice as old as the product technologies themselves. The practice has been effective for simple, measurable physical, electromagnetic, and protocol characteristics over many decades. However, at the outset of the “cyber era”, at the 1967 Atlantic City conference, RAND and NSA jointly announced, after a two-year study, that the complexity and dynamics of cybersecurity threats rendered certification of compliance wholly ineffective. They adopted what is today referred to as the Zero Trust model: applying continuous critical security controls.
However, during the past decade, political and marketplace pressures have resulted in the appearance of cybersecurity compliance certification programmes, first from major vendors and their standards organisations, then from government bodies. A global convergence has emerged around the ETSI standards TS 103645/EN 303645. The ecosystem is basically divided into six groups: industry bodies, individual companies, standards organisations, government agencies, seals, and academic groups. It is essentially impossible to identify all the entities in these groups because there are so many of them today and the numbers continue to expand rapidly. Some of the more prominent are described below. Several contributed to the ETSI Security Conference dialogue and filed in the FCC proceeding.
Industry bodies. GSMA, the London-based global mobile network industry organisation, undertook efforts early on to identify device vulnerabilities and to encourage vendors and service providers to engage in cybersecurity best practices. Its efforts included not only developing its own IoT Security Guidelines and Assessment, but also its security leaders’ tracking and mapping of the emerging array of other recommendations and standards worldwide, including those for automotive IoT. GSMA remains the global mobile IoT security leader and works closely with other industry organisations undertaking similar initiatives.
The Connectivity Standards Alliance, for example, recently published an extensive compilation of European and North American consumer IoT device cybersecurity standards, policies, and certification schemes. Its member Google, at the conference, also provided an overview of the emerging ecosystem showing the clustering around the EN 303645 standard.
The Cloud Security Alliance also addressed early on the cybersecurity challenges of the rapidly expanding instantiations of virtualised IoT by adopting and implementing its CSA IoT Security Controls and an associated certification. Its work also built on the IoT security work undertaken in ETSI’s Network Functions Virtualisation (NFV) standards group over the past decade. Government IoT regulators have completely ignored this segment of the ecosystem.
The industry body GlobalPlatform similarly developed a comprehensive IoT security programme as part of its ensemble of schemes.
CTIA, the principal U.S. mobile service provider industry organisation, also initiated an IoT certification programme several years ago, complete with a seal and registry.
The U.S. Consumer Technology Association, an ANSI-accredited standards developer, also convened multiple parties in 2019 to identify baseline security capabilities for the IoT marketplace.
The Brussels-based Alliance for IoT and Edge Computing Innovation (AIOTI) was formed in 2017 to enhance innovation and economic development in the Internet of Things in Europe. Its reports, which treat IoT as an extension of edge computing and set out related security requirements, together with its participation in standards organisations, are noteworthy.
The Global Certification Forum (GCF), comprising 335 members, has long provided worldwide coordination of IoT certification activities relating to mobile devices among 13 industry partners.
Individual companies. One of the more significant observations at the ETSI Security Conference was the degree to which individual major ICT vendors have established their own IoT certification and label ecosystems as part of their core business. For example, Google has a Connected Product Security Compliance Group whose work now includes applying the Zero Trust Model to IoT security. Other major OS vendors such as Apple and Microsoft have similar programmes. Huawei has been extremely active. Major IoT vendors such as Bosch are similarly creating their own IoT label ecosystems, as are processor vendors lower in the stack. Umlaut/Accenture, Thales, and RedAlert are examples of the many security providers pursuing the new opportunities.
Standards organisations. ETSI’s IoT security standards development began several decades ago in conjunction with its specifications for wireless and wireline devices and services. The work was frequently done together with GSMA and 3GPP IoT security initiatives, and later for the OneM2M partnership it supports. At the creation of ETSI’s Cybersecurity Technical Committee in 2014, IoT was identified as a primary work area. The diverse global industry participation and outreach resulted in a set of freely available IoT security standards that have become the globally leading specifications for basic requirements, extensively used by other organisations, companies, and governments. These include: EN 303645 V2, “Cyber Security for Consumer Internet of Things: Baseline Requirements”; TS 103848 V1, “Cyber Security for Home Gateways; Security Requirements as vertical from Consumer Internet of Things”; TS 103701 V1, “Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements”; TR 103305-3 V3, “Critical Security Controls for Effective Cyber Defence; Part 3: Internet of Things Sector”; and draft EG 203936 V0.0.9, “Implementing Design Practices to Mitigate Consumer IoT-Enabled Coercive Control.” The underlying basis for the EN 303645 normative standard is TS 103645, which is currently being revised.
ETSI, reprising the 3GPP model, created the OneM2M IoT standards partnership in 2012, a partnership of eight standards organisations that now has 222 industry and government members. OneM2M has more than 100 published standards, many of them implementing cybersecurity requirements, as well as a globally established certification programme.
MITRE, one of the U.S. national security community’s principal security research and standards organisations, whose specifications are recognised by ITU-T, has for several decades engaged in the development of IoT-relevant specifications. The most significant standards that definitively express IoT vulnerabilities and weaknesses were created by MITRE, and some have been transposed into ITU-T standards. One of the most important new platforms relating to IoT supply chain risk management was recently presented at an ITU-T workshop in Korea; it identifies 642 specific measurable risks that may be nested in an IoT supply chain and that could potentially be implemented using the IETF’s emerging SCITT specifications.
The IETF/IRTF communities have treated IoT security for many years. In 2019, the IRTF published an RFC on the state of the art and challenges of IoT security. In 2021, the IETF created the IoT Operations (IOTOPS) group, whose draft “Summary of security-enabling technologies for IoT devices” specifies an array of ten requirements. The IETF has also established a significant new working group dedicated to Supply Chain Integrity, Transparency and Trust (SCITT) standards.
The Trusted Computing Group (TCG) was formed in 2003 and for the past two decades has provided foundational IoT security standards that are implemented on innumerable IoT devices today. The ETSI Security Conference provided insight into all of TCG’s existing and new IoT security standards platforms, including TPM (Trusted Platform Module), DICE (Device Identifier Composition Engine), FIM (Firmware Integrity Measurement), RIM (Reference Integrity Manifest), and CyRes (Cyber Resilient Technologies).
ITU-T has for many years pursued the development of IoT security standards and associated best practices. Rec. ITU-T X.1352, “Security requirements for Internet of things devices and gateways”, is part of a suite of related standards published in six languages. ITU-T maintains several global IoT resource pages, including a very current one specifically for smart cities. It has been considering expanding its conformance seal programme and could potentially do so for X.1352 and related standards. ITU-T has also recently identified metaverse virtual IoT security as a priority, and ITU-D has expanded its IoT security development efforts.
The Center for Internet Security (CIS), which developed the Critical Security Controls for the IoT sector, recently published “Internet of Things: Embedded Security Guidance”, which provides an introduction to IoT security classifications and infrastructures, common application, network, and transport layer protocols, IoT stacks, and recommendations on eleven desirable requirements.
In 2017, the Trump Administration adopted an executive order on strengthening the cybersecurity of federal networks and critical infrastructure, which subsequently led NIST to examine the vast ongoing industry work globally and eventually to publish its own IoT guidelines beginning in 2019. These include NISTIR 8228 and NISTIR 8259, “Foundational Cybersecurity Activities for IoT Device Manufacturers.” In 2021, NIST also published a white paper on labeling criteria based on its guidelines. NIST’s international IoT standards collaboration is essentially limited to ISO/IEC, and it acts as a marketing agent for ISO/IEC’s paywalled standards.
ISO/IEC several years ago also published several IoT security standards behind paywalls: 27400, 30147, and 15288. Their total price of 519 Swiss Francs makes them effectively invisible standards. CEN/CENELEC has published another paywalled IoT standard, the Security Evaluation Standard for IoT Platforms (SESIP), prEN 17927, which costs 240 Euros plus an additional 1,956 Swiss Francs for the ISO/IEC standards it references. The lack of public availability has limited their use.
Government agencies. Multiple national government regulatory agencies around the world are now adopting IoT cybersecurity regulations, which are tracked by Cetome in the UK. These agencies are typically driven by political considerations, and most face the challenge of a lack of expertise. A notable exception is the UK’s DSIT, which works closely with the NCSC; both have long been domestic and global leaders across multiple venues.
The European Union has adopted multiple interrelated IoT regimes under different legislative and regulatory instruments. A new draft instrument known as the Cyber Resilience Act (CRA), which mandates a vast array of requirements with significant non-compliance penalties for every digital element and remote process, poses an array of legal, technical, and operational challenges, including lessening IoT security for consumers.
The U.S. Federal Communications Commission (FCC) is a newcomer to the IoT security arena. Its proposed new seal regime significantly stretches its authority and expertise and further expands the global cyber seal fog, with minimal benefit, if any, for consumers and a decidedly negative one for product vendors.
In Europe, in addition to the UK and EU, Finland and Germany have also adopted limited IoT regulatory regimes complete with seals. Germany assisted in developing the ETSI IoT requirements and certification specification which it uses domestically.
The shift toward IoT security regulations is prominent in the Asia region, with new requirements and certification regulations promulgated by China, India, Japan, and Singapore. Singapore asserts mutual recognition with Finland and Germany.
Seals. The “seal” component of the IoT security ecosystem consists of a diverse array of service marks and trademarks, some of them registered. Some are distinct, dedicated images, while others use the proffering organisation’s or company’s mark. Some include associated QR codes that link to additional information or a registration site. There is a veritable Whitman’s Sampler of IoT trust seals discoverable out in the cybersphere. Consumer Reports has a new global guide to many of them.
CTIA has “IoT Network Certified™”. MITRE has created and copyrighted “Cyber SEAL”. The Allianz Digitale Security Association in Switzerland has an image designated “CyberSeal” that is coupled to an audit process. Additional companies use the cyberseal term as part of their names.
Several variants of cyber seals have been registered at the U.S. Patent and Trademark Office. Both CYBERSEAL and CYBERTRUST are now dead registrations. The FCC obtained “U.S. CYBER TRUST MARK” as both a word mark and a drawing. Other variants have been obtained by registrants and include iTrustCYBER, Cyber Fides, and ASSURETRUST CYBERSECURE.
Academic groups. The IoT seal ecosystem is complemented by work undertaken by scores of academic institutions and published in a variety of academic journals. Several researchers filed their papers in the FCC proceeding, one dealing specifically with the usefulness of IoT security labels. Some were underwritten by the EU Horizon 2020 research programme, for example work examining certification policies and models. Professional bodies such as the IEEE have for some years published numerous best practice papers and hosted conferences on IoT security. Google Scholar lists 130 published papers on the topic.
Elements of the fog
Adding to the chaos is the fuzzy nature of the term Internet of Things, or IoT. The expanding universe of certification labeling schemes tends to define essentially every network-connected object and process, both physical and virtual, as an Internet Thing. The EU is proposing extending the granularity of IoT to “digital elements” and “remote processes.”
The “fog of more” has long been recognised as a significant challenge in the cybersecurity field. The vast numbers and the constantly changing, autonomous complexities of networks, attached devices, services, software, vulnerabilities, and threats result in enormous ensembles of information. Even greater are the complexities of the actions, continuous monitoring, and other resources necessary to reduce the risks to desired levels.
Differing basic definitions. Almost every party in the IoT ecosystem has gone forward with its own definition of the “thing” it is dealing with. For industry organisations and companies, the “thing” is bound to the products and services they offer or manufacture. For government agencies, the “thing” is frequently contrived to fit the scope of their legal authority. There is no real definition of “Internet”, which is a virtualised construct used very differently by different parties, and this further adds to the definitional divergence. Even the technical standards organisations differ in their definitions, if they define the term at all. One of the earliest treatments of this challenge is found in the 2019 SmartM2M Security Technical Report. Artificial intelligence and IoT also add to the fuzziness. ENISA, in its June 2023 AI and cybersecurity research brief, raises the challenges of the intersection between the AI and IoT worlds. Although the EU considered this intersection in its IoT regime, the FCC did not.
Differing compliance requirements. Although there are commonalities among the IoT cybersecurity compliance requirements, the divergences are significant. The only common means of measuring risk and harmonising the divergent requirements is found in MITRE’s System of Trust platform. However, that platform enumerates 14 top-level risk categories, 214 detailed risk categories, and 642 specific measurable risks, which may potentially be automated using the emerging IETF Supply Chain Integrity, Transparency and Trust (SCITT) specifications. The combined requirements result in a vast fuzzy matrix of 642 or more potential risks that varies across product sectors and applications.
Differing, ambiguous compliance processes. An equally large matrix exists among the different compliance processes, based on the expanding array of regulatory mandates and the existing practices of different organisations. Seal schemes require a testing verdict, yet it is essentially impossible to determine a priori the basis of a verdict because of the enormous complexities and risk factors of IoT security and the different implementation contexts. Conventional conformance tests have two verdicts (pass or fail), and it is clear from the base requirements specification what the mandate is and how it is to be met. The IoT security environment, however, consists of an almost infinite array of variants of the requirements with imprecise or unclear guidance to the developer on how to assure the necessary pass verdict. This clouds the use of marks and seals even further. From both public policy and legal “void for vagueness” perspectives, it also raises the question of why a commercial trust/reputation model in the marketplace, combined with zero trust analysis at runtime, would not be more appropriate.
Both the EU CRA proposal and the FCC labeling NPRM make clear that their authors have no idea how to resolve the issues raised, which are potentially costly bureaucratic nightmares. Although ETSI’s specification TS 103701 has emerged as a leading candidate for IoT security conformance assessment, it is tied to the ETSI EN 303645 compliance requirements.
Hundreds of seals and scores of mutual recognition agreements. Potentially hundreds of private and public organisations are rapidly emerging as part of the global IoT seal phenomenon. The public organisations’ seals are either mandated by national or local authorities or proffered as voluntary programmes. Most schemes vaguely assert a willingness to accept mutual recognition agreements despite the widely diverging IoT definitions, compliance requirements, and processes. Plainly, these developments are not scalable. They result in significant confusion and increased costs for product and service developers, impediments to innovation and competition, minimal benefit to consumers, and considerable potential litigation worldwide concerning jurisdiction, authority, and adverse compliance determinations.
Politics at work
The reality today is that governmental political bodies are driving an emerging IoT labeling juggernaut to new extremes. Perhaps nowhere is the politics of IoT labeling more evident than in the ongoing FCC rulemaking proceeding. Many of the comments filed by the different species of Washington lobbying offices disgorge many pages of claims, begin with a gratuitous statement about how great and wonderful the FCC’s proposed regime is, and assert vast benefits bestowed on consumers. Other, critical comments express concern about regulatory excess.
In many ways, the most eloquent, sage, and succinct comments are found in four pages from a young woman at the Franklin Pierce School of Law who began with “I am writing on my own behalf as a law student who has researched the legality of certain cybersecurity vulnerabilities….” She proceeds to state:
Although cybersecurity vulnerabilities are concerning for consumers, a voluntary labeling program is premature and likely will be confusing to consumers who are not educated on IoT products and the security risks associated with the products. Before implementing such a program, the Commission should educate the public on a broader scale. Additionally, the free market can resolve consumer security concerns by allowing individuals to purchase IoT products and devices based on a manufacturer’s reputation from a lack of security breaches and marketing of its security measures. If a manufacturer/company participated in the labeling program, the costs associated with meeting the Commission’s standards and updating the product labels as the standards change will likely outweigh the benefits. Consequently, consumers will likely see an increase in the price of IoT products.
Perhaps the FCC and other similarly inclined government bodies will heed her admonitions. It is not that IoT product manufacturer guidelines are not useful. The problem is the multiple regulatory regimes around the world that get spun up around them. But then, sage decision making is a rare commodity in insular regulatory agencies, where gratuitous politics reign supreme and generating fog is a way of life.
To its credit, the UK government is attempting to contain and mitigate the expanding IoT cyber fog through its efforts to further evolve the original baseline Cyber Security standard for Consumer Internet of Things published by ETSI, known as TS 103645, and to map its provisions to the numerous other IoT requirement enumerations globally.