Would a Cyber Trust Mark Make a Difference?

Aug. 15, 2023
As the EU prepares its mandatory Cyber Resilience Act and the U.S. presents a voluntary Cyber Trust Mark program—both targeted at consumer products—it’s hard not to see their potential extension to industrial devices.

If there’s one thing for sure when it comes to industrial cybersecurity, it’s that there are multiple ways to approach it. These methods range from a defense-in-depth approach—which includes the use of multiple technologies and processes such as anti-virus software, user authentication, firewalls and VPNs, as well as worker training and physical security—to cybersecurity platforms that leverage active and passive network monitoring, limited access authorization and zero trust methods.

Though this abundance of options provides industry with plenty of choices, it also makes the decision of what approach or technology to use all the more confusing.

In an effort to demystify the security capabilities of the devices you purchase, the Biden-Harris Administration has announced a voluntary cybersecurity certification and labeling program. Proposed by Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, the U.S. Cyber Trust Mark program would “raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers and more…to help consumers choose products that are less vulnerable to cyberattacks,” according to a release from The White House.

As presented, the U.S. Cyber Trust Mark program will not address the industrial network security issues that manufacturers face and would only impact consumer products. However, if the program does prove successful, it’s hard not to see the potential value in its extension to common industrial devices, such as sensors, controllers and drives, which are implemented in vast numbers across the manufacturing industries.

The FCC will soon be asking for public comment about the proposed cybersecurity labeling program, which it expects to be operational in 2024. The White House notes that the U.S. Cyber Trust Mark program would “leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology that, for example, requires unique and strong default passwords, data protection, software updates and incident detection capabilities.”

Participants in the program will be able to add a U.S. Cyber Trust Mark “in the form of a distinct shield logo applied to products meeting established cybersecurity criteria,” says The White House.

Manufacturers and retailers that have announced support and commitments to the proposed U.S. Cyber Trust Mark program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung Electronics.

Europe’s mandatory Cyber Resilience Act

Though this U.S. program will be voluntary, in Europe the forthcoming European Cyber Resilience Act (CRA) is a mandatory legal requirement that will require manufacturers and importers of network-connected devices worldwide to implement and continuously monitor enhanced cybersecurity measures. In July 2023, the European Parliament adopted rules to establish a uniform set of cybersecurity requirements for all digital products in the European Union as part of the CRA. The goal of the EU program is to “ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties,” according to a release from the European Parliament.

OneKey, a Dusseldorf, Germany-based supplier of software designed to help manufacturers secure their devices at scale using automated software bills of material, vulnerability detection and compliance checks, is positioning itself for the EU’s CRA. “Our cybersecurity and compliance platform, which performs comprehensive firmware analysis for cyber risks, already provides an automatic check for today’s known EU Cyber Resilience Act requirements, as well as checking for U.S. Cyber Trust Mark basics such as NIST 8259A and EN303645,” says Jan Wendenburg, CEO of OneKey.

According to OneKey, its cybersecurity platform performs automated auditing and risk assessment of devices with firmware. The integrated compliance check verifies the most important international industry and security standards, adding new ones as they are introduced. With OneKey’s software, manufacturers and importers of technology products can check the firmware of a device or its component-specific software for compliance with standards and detect potential gateways for hackers while providing insight on how to correct such issues.

To determine the potential for using an identifier such as the U.S. Cyber Trust Mark on automation devices, Automation World reached out to several automation device suppliers to get their input. Most responded that they were watching the development of this program in the U.S. as well as the EU’s CRA, but currently have no plans to extend it to their industrial devices.

Which raises the question: Would a cyber trust mark make a difference in your consideration of a new device when making a purchase?

Let me know if you think such a mark would be helpful to you or not as part of your cybersecurity efforts. You can reach me at [email protected]. Please note “cyber trust” in the subject line.

About the Author

David Greenfield, Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 
