If there’s one thing for sure when it comes to industrial cybersecurity, it’s that there are multiple ways to approach it. These methods range from a defense-in-depth approach—which includes the use of multiple technologies and processes such as anti-virus software, user authentication, firewalls and VPNs, as well as worker training and physical security—to cybersecurity platforms that leverage active and passive network monitoring, limited access authorization and zero trust methods.
Though this abundance of options provides industry with plenty of choices, it also makes the decision of what approach or technology to use all the more confusing.
As presented, the U.S. Cyber Trust Mark program will not address the industrial network security issues that manufacturers face and would only impact consumer products. However, if the program does prove successful, it’s hard not to see the potential value in its extension to common industrial devices, such as sensors, controllers and drives, which are implemented in vast numbers across the manufacturing industries.
The FCC will soon be asking for public comment about the proposed cybersecurity labeling program, which it expects to be operational in 2024. The White House notes that the U.S. Cyber Trust Mark program would “leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology that, for example, requires unique and strong default passwords, data protection, software updates and incident detection capabilities.”
Participants in the program will be able to add a U.S. Cyber Trust Mark “in the form of a distinct shield logo applied to products meeting established cybersecurity criteria,” says The White House.
Manufacturers and retailers that have announced support and commitments to the proposed U.S. Cyber Trust Mark program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung Electronics.
Europe’s mandatory Cyber Resilience Act
Though this U.S. program will be voluntary, in Europe the forthcoming European Cyber Resilience Act (CRA) is a mandatory legal requirement that will require manufacturers and importers of network-connected devices worldwide to implement and continuously monitor enhanced cybersecurity measures. In July 2023, the European Parliament adopted rules to establish a uniform set of cybersecurity requirements for all digital products in the European Union as part of the CRA. The goal of the EU program is to “ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties,” according to a release from the European Parliament.
According to OneKey, its cybersecurity platform performs automated auditing and risk assessment of devices with firmware. The integrated compliance check verifies the most important international industry and security standards, adding new ones as they are introduced. With OneKey’s software, manufacturers and importers of technology products can check the firmware of a device or its component-specific software for compliance with standards and detect potential gateways for hackers while providing insight on how to correct such issues.
To determine the potential for using an identifier such as the U.S. Cyber Trust Mark on automation devices, Automation World reached out to several automation device suppliers to get their input. Most responded that they were watching the development of this program in the U.S. as well as the EU’s CRA, but currently have no plans to extend it to their industrial devices.
Which raises the question: Would a cyber trust mark make a difference in your consideration of a new device when making a purchase?
Let me know if you think such a mark would be helpful to you or not as part of your cybersecurity efforts. You can reach me at [email protected]. Please note “cyber trust” in the subject line.