
How Do You Know If Your IoT Device Is Actually Secure? (Part 2 of 3)

Digital check mark matching the US Cyber Trust Mark

In Part 1 of this blog series, we looked at why IoT device updates matter, why some devices can’t be updated at all, and how manufacturer practices vary widely when it comes to cybersecurity. That raises a natural follow-up question: if you can’t always count on the manufacturer, how do you know whether a device is actually secure?

Cyber Trust Mark – A New Label on the Box

The Federal Communications Commission’s (FCC) IoT Cybersecurity Labeling Program, known as the U.S. Cyber Trust Mark, is a step toward answering that question. This voluntary initiative establishes baseline cybersecurity criteria for consumer IoT products. The program is designed to help consumers make safer choices by indicating that a product meets minimum cybersecurity standards, including support for secure software updates. Think of it as a nutrition label for device security.

The Cyber Trust Mark is a meaningful development for consumers, and it’s part of a broader conformity assessment system designed to make that label reliable.

You can learn more about the Cyber Trust Mark in ANAB’s Cybersecurity Conformity Assessment Webinar.

What Is Conformity Assessment?

Conformity assessment is the independent process of evaluating whether a product, system, or organization meets recognized standards for safety, quality, and security. For IoT manufacturers, this can mean evaluating how they design products with security in mind, how they manage vulnerabilities after release, how they issue updates and patches, and how they protect customer data. These evaluations are performed by testing, inspection, and certification bodies using internationally recognized standards (e.g., ISO/IEC 27001, ISO/IEC 17025, ISO/IEC 17065).

In other words, when a manufacturer claims their product is secure, conformity assessment is the process that puts that claim to the test.

Where Accreditation Comes In With IoT Device Security

Accreditation bodies like ANAB accredit the certification bodies and laboratories that perform these evaluations, including those involved in programs like the Cyber Trust Mark. Accreditation doesn’t test the IoT device itself, but it ensures that the organizations doing the evaluation are competent, impartial, consistent, and following internationally accepted requirements.

This creates a chain of trust between the manufacturer being evaluated, the conformity assessment body doing the evaluation, and the accreditation body confirming that the evaluator is competent and impartial. The system helps ensure that cybersecurity claims, whether on a product label or in a company’s marketing materials, have been independently verified.

What Consumers Can Do to Avoid Cybersecurity Vulnerabilities

You don’t have to wait for labels and programs to take action. NIST maintains the National Vulnerability Database (NVD), a publicly searchable catalog of known cybersecurity vulnerabilities. If you want to check whether a specific product or manufacturer has reported vulnerabilities, the NVD is a good place to start. It won’t tell you everything about a device’s overall security picture, but it can help you understand whether known issues exist and whether they’ve been addressed.
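One way to automate that lookup, as an added example that is not part of the original post: the script below reduces an NVD API 2.0 response to one row per CVE, flagging whether any reference carries a "Patch" or "Vendor Advisory" tag (a signal, not proof, that a fix has been published). It runs on a constructed sample; `fetch` shows the live query, which takes a CPE name such as the placeholder `cpe:2.3:o:<vendor>:<product>:<version>:*:*:*:*:*:*:*`.

```python
"""Summarize NVD API 2.0 results for a product: which CVEs are known and whether
each one carries a patch/vendor-advisory reference (a signal it has been addressed)."""
import json
import urllib.parse
import urllib.request

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
ADDRESSED_TAGS = {"Patch", "Vendor Advisory"}  # reference tags NVD applies to fixes/advisories


def summarize(nvd_response: dict) -> list[dict]:
    """Reduce an NVD API 2.0 response to one row per CVE."""
    rows = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        severity = metrics[0]["cvssData"]["baseSeverity"] if metrics else "UNKNOWN"
        tags = {t for ref in cve.get("references", []) for t in ref.get("tags", [])}
        rows.append({
            "id": cve["id"],
            "severity": severity,
            "status": cve.get("vulnStatus", ""),
            "addressed": bool(tags & ADDRESSED_TAGS),
        })
    return rows


def fetch(cpe_name: str) -> dict:
    """Query the live NVD API for one CPE name (network access required)."""
    url = NVD_CVES_URL + "?" + urllib.parse.urlencode({"cpeName": cpe_name})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


# Constructed sample shaped like a real NVD API 2.0 response; the CVE ids are not real.
SAMPLE = {"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": "HIGH"}}]},
             "references": [{"url": "https://example.com/advisory",
                             "tags": ["Vendor Advisory", "Patch"]}]}},
    {"cve": {"id": "CVE-2099-0002", "vulnStatus": "Awaiting Analysis",
             "references": [{"url": "https://example.com/report",
                             "tags": ["Third Party Advisory"]}]}},
]}

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f"{row['id']}: {row['severity']:8} {row['status']:18} addressed={row['addressed']}")
```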

The independent verification that accreditation provides, programs like the Cyber Trust Mark, and tools like the NVD are all part of a growing conformity assessment ecosystem designed to give consumers better information. Together, they mean you have more ways than ever to make informed decisions about the connected devices you bring into your home.

Next in this series: Part 3 — Who’s Responsible for IoT Security?
