NPRM [PSHSB: PS Docket No. 23–239; FCC 23– 65 FR ID 166265]
The FCC issued NPRM on August 10, 2023, regarding the security labeling of devices defined as Internet of Things (IoT). According to the official notice in the Federal Register published on August 25, 2023, the ‘usual’ 30-day period for comments lands “on or before September 25, 2023, and reply comments are due on or before October 10, 2023.” The usual 45-day reply-comments period thus applying.
If you’re a manufacturer, test lab or certification body, you just might want to check this out. The NPRM is chock full of goodies regarding the state of the IoT Market. According to a few sources (noted in the NPRM), more than 25 Billion (capital B) devices will be connected to the Internet by 2030. That’s a lot of potential for ‘nefarious’ actors seeking to compromise the integrity of the Internet of Things
Much of the NPRM provides a useful background and perspective on the state of technology and is great background reading (I’m not kidding) for those who need some perspective on the vulnerabilities and security issues dealing with IoT devices, and there are many.
Goal of the NPRM
“In this Notice of Proposed Rulemaking (NPRM), we propose measures to improve consumer confidence and understanding of the security of their connected devices,” i.e., IoT devices.
The approach outlined in the NPRM, frankly, in my view is mostly “baked” as these often are, that is, the Commission has largely made up its mind on the general approach, and comments are useful to provide perspective and to “tweak” the final Rules. From my experience, the comments will be reviewed, considered, and commented on in an official reply. The big banana is to decide whether Certification of Suppliers Declaration of Conformity SDoC (with some kind of third-party review) is appropriate.
Their ”Legal Basis:” The FCC “tentatively conclude(s) that the Commission has authority to adopt the proposed IoT labeling program. In particular, section 302(a) of the Communications Act authorizes the FCC ‘consistent with the public interest, convenience, and necessity, [to] make reasonable regulations (1) governing the interference potential of devices which in their operation are capable of emitting radio frequency energy by radiation, conduction, or other means in sufficient degree to cause harmful interference to radio communications…’”
There you go.
Weaknesses of IoT Devices
It is also interesting to note that the FCC, charged with “protecting the airways,” spends a bit of time discussing the potential for hackers/botnets/bad guys to try to affect device operation and cause interference to communications. One can imagine that a nefarious group/organization could penetrate a WiFi Routers network, for example, shut them off (or worse, destroy them with corrupt code) and cut off the much-needed access from the millions/billions of users in the US and elsewhere.
For example, one of the concerns is the threat of a larger “Botnet” that could use the device(s) that are compromised as interference generator(s). From the Statement of Commissioner Nathan Simington:
“The Mirai botnet, which at its peak consisted of over 600,000 compromised devices performing large-scale cyberattacks in unison, grew by scanning the internet for devices with unpatched vulnerabilities like IP cameras and routers and taking control of them.”
Some of the weaknesses that are endemic in the industry are outlined in the NPRM: “use of default passwords, lack of regular security updates, and weak encryption and insecure authentication.
The notion of “CyberLAB” is raised (not new), but there are defined criteria set forth with the usual hierarchy of FCC-NIST-Accreditation Bodies-CyberLABs.
Qualifications of a CyberLAB:
- The CyberLAB has technical expertise in cybersecurity testing and conformity assessment of IoT devices and products.
- Resources: The CyberLAB has the necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products.
- Procedures: The CyberLAB has documented procedures for conformity assessment.
- Continued competence: Once accredited or recognized, CyberLABs would be periodically audited and reviewed to ensure they continue to comply with the IoT security standards and testing procedures.53
For devices, the main criteria, following NIST (National Institute of Science and Technology) guidelines, contain the core requirements of IoT-labeling compliance in Appendix A.
“Appendix A: Within the scope of a consumer IoT product, the following baseline product criteria are recommended by NIST to define the cybersecurity outcomes expected of IoT products and IoT product developers as part of a consumer IoT product labeling program.”
These baseline criteria include Details are elucidated in each section of the Appendix, namely:
- Asset Identification
- Product Configuration
- Data Protection
- Interface Access Control
- Software Update
- Information and Query Reception
- Information Dissemination
- Product Education and Awareness
The NPRM asks for more comments on these items and if there are other considerations that should be included in the final Rule-Making.
Ultimately, the goal of the voluntary cybersecurity labeling program would provide “easily understood accessible information to consumers.” This goal is to have a label that would provide this information to consumers (and other types of users) with, perhaps, a QR code that could be accessed that could contain critical information about the adherence of the device to the cyber protocols.
Ultimately, the Commission asks for comments on the “interplay between the proposed IoT cybersecurity labeling program and our current equipment authorization rules.” Noting that the new process may not be administered in the same manner and gives the proposal that they generally “operate in a distinct manner.”
“Comments are due on or before September 25, 2023, and reply comments are due on or before October 10, 2023.