Would a Cyber Trust Mark Make a Difference?

Aug. 15, 2023
As the EU prepares its mandatory Cyber Resilience Act and the U.S. presents a voluntary Cyber Trust Mark program—both targeted at consumer products—it’s hard not to see their potential extension to industrial devices.

If one thing is certain about industrial cybersecurity, it’s that there are multiple ways to approach it. These methods range from a defense-in-depth approach—which includes the use of multiple technologies and processes such as anti-virus software, user authentication, firewalls and VPNs, as well as worker training and physical security—to cybersecurity platforms that leverage active and passive network monitoring, limited access authorization and zero trust methods.

Though this abundance of options provides industry with plenty of choices, it also makes the decision of what approach or technology to use all the more confusing.

In an effort to demystify the security capabilities of the devices you purchase, the Biden-Harris Administration has announced a voluntary cybersecurity certification and labeling program. Proposed by Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel, the U.S. Cyber Trust Mark program would “raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers and more…to help consumers choose products that are less vulnerable to cyberattacks,” according to a release from The White House.

As presented, the U.S. Cyber Trust Mark program will not address the industrial network security issues that manufacturers face and would only impact consumer products. However, if the program does prove successful, it’s hard not to see the potential value in its extension to common industrial devices, such as sensors, controllers and drives, which are implemented in vast numbers across the manufacturing industries.

The FCC will soon be asking for public comment about the proposed cybersecurity labeling program, which it expects to be operational in 2024. The White House notes that the U.S. Cyber Trust Mark program would “leverage stakeholder-led efforts to certify and label products, based on specific cybersecurity criteria published by the National Institute of Standards and Technology that, for example, requires unique and strong default passwords, data protection, software updates and incident detection capabilities.”

Participants in the program will be able to add a U.S. Cyber Trust Mark “in the form of a distinct shield logo applied to products meeting established cybersecurity criteria,” says The White House.

Manufacturers and retailers that have announced support and commitments to the proposed U.S. Cyber Trust Mark program include Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech and Samsung Electronics.

Europe’s mandatory Cyber Resilience Act

Though this U.S. program will be voluntary, in Europe the forthcoming European Cyber Resilience Act (CRA) is a mandatory legal requirement under which manufacturers and importers of network-connected devices worldwide must implement and continuously monitor enhanced cybersecurity measures. In July 2023, the European Parliament adopted rules to establish a uniform set of cybersecurity requirements for all digital products in the European Union as part of the CRA. The goal of the EU program is to “ensure that products with digital features are secure to use, resilient against cyber threats and provide enough information about their security properties,” according to a release from the European Parliament.

OneKey, a Dusseldorf, Germany-based supplier of software designed to help manufacturers secure their devices at scale using automated software bills of material, vulnerability detection and compliance checks, is positioning itself for the EU’s CRA. “Our cybersecurity and compliance platform, which performs comprehensive firmware analysis for cyber risks, already provides an automatic check for today’s known EU Cyber Resilience Act requirements, as well as checking for U.S. Cyber Trust Mark basics such as NIST 8259A and EN303645,” says Jan Wendenburg, CEO of OneKey.

According to OneKey, its cybersecurity platform performs automated auditing and risk assessment of devices with firmware. The integrated compliance check verifies the most important international industry and security standards, adding new ones as they are introduced. With OneKey’s software, manufacturers and importers of technology products can check the firmware of a device or its component-specific software for compliance with standards and detect potential gateways for hackers while providing insight on how to correct such issues.

To determine the potential for using an identifier such as the U.S. Cyber Trust Mark on automation devices, Automation World reached out to several automation device suppliers to get their input. Most responded that they were watching the development of this program in the U.S. as well as the EU’s CRA, but currently have no plans to extend it to their industrial devices.

Which raises the question: Would a cyber trust mark make a difference in your consideration of a new device when making a purchase?

Let me know if you think such a mark would be helpful to you or not as part of your cybersecurity efforts. You can reach me at [email protected]. Please note “cyber trust” in the subject line.

About the Author

David Greenfield | Editor in Chief

David Greenfield joined Automation World in June 2011. Bringing a wealth of industry knowledge and media experience to his position, David’s contributions can be found in AW’s print and online editions and custom projects. Earlier in his career, David was Editorial Director of Design News at UBM Electronics, and prior to joining UBM, he was Editorial Director of Control Engineering at Reed Business Information, where he also worked on Manufacturing Business Technology as Publisher. 
