How Will the New U.S. Cyber Trust Mark Impact the World of Physical Security?
The Biden-Harris Administration recently made waves in the world of cybersecurity when it announced plans to roll out a new certification for IoT devices meeting specific standards for cybersecurity. The announcement marked an important step towards greater governmental involvement in addressing the cybersecurity risks that can stem from connected devices, including physical security devices.
While it remains to be seen how exactly the new, voluntary certification – the U.S. Cyber Trust Mark – will impact physical security teams once it’s up and running, it shows that the U.S. government is increasingly taking action to address cyber risks. Following the publication of a new National Cybersecurity Strategy document earlier this year (which noted that “many of the IoT devices deployed today are not sufficiently protected against cybersecurity threats”), the certification is the latest major indication that the U.S. government is putting its money where its mouth is. It also follows steps taken late last year and early this year by the FCC and TSA to address serious cybersecurity concerns.
But in some ways, the announcement provided more questions than answers. While statements from the White House and the FCC made it clear that the U.S. Cyber Trust Mark is intended to help both consumers and manufacturers of physical security devices, neither said explicitly whether the certification is also intended to meet the needs of organizations with large fleets of physical security devices. And with the specific standards required for a product to receive the certification still unclear, it remains to be seen how those standards will affect the challenge of hardening and maintaining organizations’ physical security devices over time.
Given those questions, it’s important for physical security professionals to pay attention to how plans for the U.S. Cyber Trust Mark develop going forward. Here is a look at some of the key questions, concerns, and takeaways to keep in mind for any organization looking to make sure its physical security devices don’t compromise its cybersecurity.
Regardless of new standards, ongoing device maintenance is still critical
These new standards will certainly help ensure more secure devices. For instance, the White House’s announcement specified that one of the requirements for the new certification is that devices will come with unique, strong passwords right off the shelf. Requirements like that can help to ensure that even if an organization doesn’t actively manage its physical security devices, their default settings should reduce the level of risk that they present.
But even if a device comes with a unique and strong password, it is important to rotate that password regularly. Even if it comes with firmware not known to have any cybersecurity vulnerabilities, it is important to upgrade its firmware as necessary – particularly since new vulnerabilities are constantly being discovered. And even if new devices are far more secure than existing ones, organizations still need to address the issues that could affect the devices they already have.
In short, while the U.S. Cyber Trust Mark should help reduce cyber risks stemming from physical security devices, it won’t reduce the importance of operationally managing those devices regularly.
Raising the bar for cybersecurity
As the recent announcements from both the White House and the FCC make clear, the primary goal of the U.S. Cyber Trust Mark is to raise the overall level of cybersecurity in the U.S., given that the IoT is taking on an increasingly important role in consumers’ lives. Achieving that goal requires adhering to higher cybersecurity standards – not only by buying and selling products that are protected from cyber threats, but also by operationally managing those devices adequately over time.
For manufacturers of connected devices, this is an indication that keeping up with the competition will require keeping cybersecurity in mind when designing, producing, and marketing products. And given that the announcement of the U.S. Cyber Trust Mark is part of a larger trend towards increasing governmental involvement in addressing cybersecurity concerns (including those relating to IoT devices), device manufacturers could well face additional developments in the future that push them to focus even more on cybersecurity.
The government’s goal of raising the bar for cybersecurity makes sense, given the growing threat of cybercrime. Less than a week after the announcement of the U.S. Cyber Trust Mark, IBM published its 2023 Cost of a Data Breach Report. That report found that the average data breach globally now costs $4.45 million – up from $4.35 million in 2022, and 15.3% higher than it was in 2020. It also found that data breaches in the U.S. are the world’s most expensive, with an average cost of $9.48 million. Those findings and others underscore the magnitude of the risk facing any organization whose physical security devices are compromised by cybercriminals.
That makes it especially important not just to harden physical security devices initially, but to maintain them in an ongoing way. This involves taking steps such as rotating passwords, upgrading firmware, and managing certificates as necessary. While many organizations find these steps to be so time-consuming as to be unfeasible at scale, taking an automated approach can enable them to perform these tasks both efficiently and reliably. By automating the operational management of their physical security devices, they can ensure that critical maintenance steps are taken regularly, protecting those devices from the risk of a cyberattack.
In other words, while the U.S. Cyber Trust Mark aims to ensure that new IoT devices are secure, in practice keeping organizations’ physical security devices secure over the long haul – both reliably and efficiently – requires automation.
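To make the maintenance steps above concrete, here is an added example (not code from the original article or from any vendor it references) of a fleet audit that checks each physical security device against a maintenance policy: password age, firmware version against an approved baseline, certificate expiry, and whether factory default credentials are still in use. The device inventory, model names, firmware versions and policy thresholds are all constructed for illustration; in practice the inventory would come from a device management system and the remediation (rotating the password, pushing firmware, renewing the certificate) would be triggered from the findings.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Device:
    """One physical security device as recorded in an inventory (constructed)."""
    name: str
    model: str
    firmware: str
    password_rotated: date      # when the device credential was last changed
    cert_expires: date          # notAfter of the device's TLS certificate
    default_credentials: bool = False


# Hypothetical policy thresholds; tune to the organization's own standard.
PASSWORD_MAX_AGE = timedelta(days=90)
CERT_RENEW_WINDOW = timedelta(days=30)

# Hypothetical approved firmware baseline per model (constructed values).
APPROVED_FIRMWARE = {
    "cam-x100": "5.2.1",
    "nvr-r20": "2.9.0",
}


def parse_version(version: str) -> tuple:
    """Turn '5.10.2' into (5, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: Device, today: date) -> list:
    """Return a list of maintenance findings for one device (empty list means compliant)."""
    findings = []
    if dev.default_credentials:
        findings.append("default credentials still in use")
    password_age = today - dev.password_rotated
    if password_age > PASSWORD_MAX_AGE:
        findings.append(f"password not rotated for {password_age.days} days")
    baseline = APPROVED_FIRMWARE.get(dev.model)
    if baseline is None:
        findings.append(f"no approved firmware baseline for model {dev.model}")
    elif parse_version(dev.firmware) < parse_version(baseline):
        findings.append(f"firmware {dev.firmware} below approved {baseline}")
    if dev.cert_expires <= today:
        findings.append("certificate expired")
    elif dev.cert_expires - today <= CERT_RENEW_WINDOW:
        findings.append(f"certificate expires in {(dev.cert_expires - today).days} days")
    return findings


def audit_fleet(devices: list, today: date) -> dict:
    """Map device name -> findings, including only devices that need attention."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory used for the demonstration below.
TODAY = date(2023, 8, 1)
FLEET = [
    Device("cam-lobby", "cam-x100", "5.2.1", date(2023, 6, 15), date(2024, 1, 1)),
    Device("cam-dock", "cam-x100", "5.1.9", date(2023, 1, 10), date(2023, 8, 20)),
    Device("nvr-main", "nvr-r20", "2.9.0", date(2023, 7, 20), date(2023, 7, 1),
           default_credentials=True),
    Device("cam-garage", "cam-z9", "1.0.0", date(2023, 7, 1), date(2024, 3, 1)),
]


if __name__ == "__main__":
    for name, findings in audit_fleet(FLEET, TODAY).items():
        print(name)
        for finding in findings:
            print(f"  - {finding}")
```

Running the audit on a schedule and feeding its findings into an automated remediation job is what turns the one-off hardening described above into ongoing maintenance; the version parsing matters because a plain string comparison would wrongly rank firmware 5.9.9 above 5.10.0.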
How can you consistently ensure that your physical security devices are functioning, fully compliant and protected from cyber risks? For a detailed breakdown of what it takes to achieve those goals efficiently, check out The Guide to Enterprise-Ready Physical Security.