AWS IoT Services alignment with US Cyber Trust Mark

Introduction

In the ever-evolving digital landscape, the increasing number of Internet of Things (IoT) devices opens up new opportunities while highlighting the critical need to address cybersecurity challenges to ensure reliable services, data protection, and sustained growth.

In this blog we will dive into the background of the US Cyber Trust Mark—a new program designed to identify secure smart devices. We will explore the requirements for compliance with this program and discuss how AWS IoT can help you align with it, fostering a more secure and trustworthy digital world.

Understanding the US Cyber Trust Mark

Overview:

On March 14, 2024, the Federal Communications Commission (FCC) approved a voluntary cybersecurity labelling program that provides consumers with clear information about the security of consumer IoT devices. Qualifying products will bear the U.S. Cyber Trust Mark, helping consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.

Why the program is needed:

There is a wide range of consumer smart products on the market that communicate over networks, ranging from personal digital assistants to internet-connected home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, GPS trackers, medical devices, garage door openers, and baby monitors. These products make life easier and more efficient.

However, with convenience comes risk, as these devices can be vulnerable to a variety of security threats and attacks. With the proliferation of connected products, even the most informed consumers may struggle to confidently identify the cybersecurity capabilities of any given device.

Insecure, low-cost IoT devices can compromise your privacy, security, and even the sanctity of our homes. They can enable remote access for unauthorized individuals, allowing bad actors to monitor household activities. This could lead to data theft, or in some cases, the creation of botnets—networks of compromised devices used to launch large-scale cyberattacks.

How the program would help consumers:

Consumers will be able to easily identify smart devices and products that meet widely accepted security and privacy standards by looking for the U.S. Cyber Trust Mark on the devices. The mark would appear on packaging alongside a QR code that you could scan for more information. The QR code Will link to a national registry of certified devices so that you can compare these devices and get the most and up-to-date security information about each.

The FCC expects that over time, an increasing number of manufacturers would participate in the voluntary program to demonstrate their commitment to privacy and security, as there would be increased consumer demand for easily identifiable trustworthy smart products.

What are the cybersecurity requirements to get the label:

The FCC defers to NIST (National Institute of Standards and Technology) on baseline capabilities and the substantive requirements for achieving the U.S. Cyber Trust Mark. NIST R8425 identifies six criteria that directly apply to IoT products and their components, and four cybersecurity criteria that apply specifically to the IoT product developer.

These criteria are applicable to IoT products that have at least one hardware device (sensor or actuator) interfacing with the physical world and any additional components like a mobile App.

Criteria applied to IoT product:

1. Asset identification: IoT product can be uniquely identified and should manage an inventory of its IoT product components.
2. Product configuration: IoT product’s configuration can be securely changed and restored to a secure default.
3. Data protection: IoT products protect data stored by, sent from, or received by the product components.
4. Interface access control: The IoT product ensures that interfaces are accessible only by authorized individuals, services, or product components for their intended use.
5. Software update: Means are available to keep IoT product and component software updated using a secure mechanism.
6. Cybersecurity state awareness: IoT products can help detect cybersecurity incidents affecting or affected by IoT product components and their data.

Criteria applied to IoT product developer:

1. Documentation: Information related to cybersecurity of the IoT product is captured throughout the lifecycle of the product, such as the plans, processes, and policies for how the IoT product’s cybersecurity is supported.
2. Information and query reception: The customer and others can send information and queries related to the cybersecurity of the IoT product to the product developer.
3. Information dissemination: Information relevant to cybersecurity (e.g., vulnerability reports, update notifications) can be sent to pertinent individuals and/or organizations, sometimes, but not always including the customer.
4. Product education and awareness: Customers can be informed about and can understand how to use the cybersecurity features of IoT products.

AWS and the US Cyber Trust Mark

AWS IoT and the US Cyber Trust Mark share a common goal: enhancing cybersecurity and building trust in the digital world. AWS IoT’s robust security features, aligned with the standards set by NIST, makes it an ideal platform for businesses aiming to meet the program’s requirements. AWS offers a comprehensive suite of fully managed cloud services, enabling connected devices to securely and efficiently interact with cloud applications and other devices while ensuring the integrity and confidentiality of transmitted data.

Implementation example: AWS IoT to Meet US Cyber Trust Mark Standards – A Hands-On Guide

In this example, we will walk through the process of implementing AWS IoT to meet the US Cyber Trust Mark standards. Our hypothetical company, AnyCompany, manufactures IoT devices and wants to enhance its cybersecurity posture to adhere to the US Cyber Trust Mark.

Assessing the Current Cybersecurity Posture

Before implementing AWS IoT, AnyCompany needs to assess its current cybersecurity posture. This involves identifying existing security measures, vulnerabilities, and potential threats. Tools like AWS Security Hub provide a comprehensive view of security alerts and compliance status across AnyCompany’s AWS environment, helping to prioritize actions effectively. Meanwhile, AWS Inspector performs automated security assessments across multiple AWS services, identifying potential vulnerabilities and security risks. Together, these tools streamline the identification and resolution of risks, establishing a robust foundation for integrating IoT securely.

Designing the AWS IoT Architecture

This includes:

• Device authentication: Using AWS IoT Core’s device authentication features to ensure only authorized devices can connect to the cloud.
• Data encryption: AWS IoT Core ensures secure data handling by encrypting data in transit. It uses TLS (Transport Layer Security) protocols to encrypt all communication between devices and the AWS IoT Core Device Gateway. AWS IoT Core supports TLS 1.3 and TLS 1.2, with configurable security policies that determine the protocols and ciphers used during TLS negotiations. This encryption ensures confidentiality of the application protocols (MQTT, HTTP, and WebSocket) supported by AWS IoT Core.
• Access control: AWS Identity and Access Management (IAM) enables the regulation of access to IoT resources through policies and roles, ensuring secure permissions for both IoT resource-level security and data routing to services like Amazon Simple Storage Service (Amazon S3), Amazon DynamoDB, or Amazon Simple Notification Service within the AWS ecosystem.

Implementing the AWS IoT Architecture

This involves:

• Setting up device authentication: Registering devices in AWS IoT Core and setting up device certificates for authentication and authorization.
• Configuring data encryption: Enabling encryption for data at rest and in transit.
• Establishing access control: Defining IAM policies and roles for access control.

Testing and Validation

This involves:

• Penetration testing: Conducting penetration tests to identify any vulnerabilities to applicable services.
• Compliance validation: Validating compliance with the US Cyber Trust Mark’s standards using AWS Artifact, which provides on-demand access to AWS’ security and compliance reports.

Continuous Monitoring and Improvement

After successfully implementing the AWS IoT architecture, AnyCompany continuously monitors its cybersecurity posture using AWS Security Hub and AWS Config. This helps in identifying any potential threats or non-compliance issues and take corrective actions promptly.

Applying for the US Cyber Trust Mark

Once AnyCompany is confident that it meets all the US Cyber Trust Mark’s standards, it applies for the trust mark, providing all the necessary documentation and evidence.

Now, let’s do hands on setup to walk through these steps, this guide will walk you through implementing AWS IoT while adhering to these standards:

1. Setting up the AWS IoT environment
   1. Create an AWS account:
      • Go to aws.amazon.com and click “Create an AWS Account”
      • Follow the prompts to set up your account
2. Device provisioning and security
   1. Implement secure device onboarding:
      • Use AWS IoT Core’s Just-in-Time Registration (JITR) feature
      • Read more on JITR here
      • A sample JITR function is provided below:

   import boto3
   
   def lambda_handler(event, context):
       client = boto3.client('iot')
       
       certificate_id = event['certificateId']
       response = client.describe_certificate(certificateId=certificate_id)
       
       # Activate the certificate
       client.update_certificate(certificateId=certificate_id, newStatus="ACTIVE")
       
       # Attach a policy to the certificate
       client.attach_policy(policyName="MyIoTPolicy", target=response['certificateArn'])
       
       return {
           'statusCode': 200,
           'body': 'Device registered successfully'
       }
   

   2. Set up X.509 certificates:

• • • In AWS IoT Core, go to “Security” > “Certificates”
    • Click “Create” to generate a new certificate
    • Download the certificate, public key, and private key

3. Data encryption and secure communication
   1. Configure TLS for data in transit:
      • AWS IoT supports both TLS 1.2 and TLS 1.3
      • Ensure your device SDK supports TLS 1.2 at minimum
   2. Implement encryption for data at rest:

import boto3

s3 = boto3.client('s3')

s3.put_object(
    Bucket="my-iot-data-bucket",
    Key='device-data.json',
    Body=json.dumps(device_data),
    ServerSideEncryption='aws:kms',
    SSEKMSKeyId='your-kms-key-id'
)

4. Access control and device policies
   1. Create and manage IoT policies:
      • In AWS IoT Core, go to “Security” then “Policies”
      • Create a new policy (replace xxxxxxxxxxxx with your account ID and update the region you are using):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iot:Connect",
                "iot:Publish",
                "iot:Subscribe",
                "iot:Receive"
            ],
            "Resource": [
                "arn:aws:iot:us-east-1:xxxxxxxxxxxx:client/${iot:Connection.Thing.ThingName}",
                "arn:aws:iot:us-east-1: xxxxxxxxxxxx:topic/device/${iot:Connection.Thing.ThingName}/*"
            ]
        }
    ]
}

1. 2. Implement least privilege access:
      • Assign specific policies to each device or group of devices
      • Regularly review and update policies

5. Secure software updates
   1. Set up AWS IoT Jobs for OTA updates:
      • Create an S3 bucket to store update files (update bucket name accordingly)
      • Create Amazon S3 bucket pre-signed URL
      • Create an IoT Job (replace xxxxxxxxxxxx with your account ID and update the region, Amazon S3 bucket name accordingly):

import boto3

iot = boto3.client('iot')

response = iot.create_job(
    jobId='firmware-update-001',
    targets=['arn:aws:iot:us-east-1: xxxxxxxxxxxx:thing/myDevice'],
    document=json.dumps({
        "operation": "update",
        "files": [{
            "fileName": "firmware.bin",
            "url": "https://my-bucket.s3.amazonaws.com/firmware.bin"
        }]
    }),
    description='Firmware update to version 1.2'
)

1. 1. 2. Implement code signing for update packages:
         • Use AWS Signer to sign your code
         • Create a signing profile and sign your update package

6. Monitoring and logging
   1. Configure AWS CloudWatch for IoT monitoring:
      • Set up CloudWatch Logs for IoT:

import boto3

logs = boto3.client('logs')

logs.create_log_group(logGroupName="/aws/iot/myDeviceLogs")
logs.put_retention_policy(
    logGroupName="/aws/iot/myDeviceLogs",
    retentionInDays=30
)

1. 1. 2. Implement AWS IoT Device Defender for device anomaly detection:
         • Enable Device Defender in the AWS IoT Console
         • Create a security profile. For Amazon Simple Notification Service (Amazon SNS), create a service role:

import boto3

iot = boto3.client('iot')

response = iot.create_security_profile(
    securityProfileName="MySecurityProfile",
    securityProfileDescription='Monitors device behavior',
    behaviors=[
        {
            'name': 'Auth-Failures',
            'metric': 'aws:num-authorization-failures',
            'criteria': {
                'comparisonOperator': 'greater-than',
                'value': {
                    'count': 5
                },
                'durationSeconds': 300
            }
        }
    ]
)

7. Incident response and recovery
   1. Set up alerts and notifications:
      • Create an SNS topic for alerts
      • Configure CloudWatch alarms to send notifications to the SNS topic
   2. Develop an incident response plan:
      • Document procedures for different types of incidents
      • Regularly test and update the plan
8. Compliance documentation
   1. Document security practices:
   2. Prepare for Cyber Trust Mark certification:
9. Testing and validation
   1. Conduct security assessments:
      • Use AWS IoT Device Advisor to validate your IoT devices for reliable and secure connectivity with AWS IoT Core
      • Perform regular vulnerability scans
   2. Perform penetration testing:
      • Engage a third-party security firm for penetration testing (for applicable services)
      • Address any vulnerabilities discovered during testing

We have built an AWS IoT environment that provides a foundation to adhering to US Cyber Trust Mark standards. Regularly review and update your security measures to maintain compliance, protect against emerging threats, and remove unused or outdated policies.

Conclusion

The US Cyber Trust Mark and AWS IoT are powerful tools in the quest for implementing and improving cybersecurity best practices. By leveraging these resources, businesses can not only protect their digital assets but also build trust with their customers. As the digital landscape continues to evolve, the importance of these tools will only grow.

Further read

About the authors