Cybersecurity Ratings: A New Dawn in IoT or Just Another Day? with Larry Pesce, Product Security Research and Analysis Director, Finite State
On this episode of the IoT: The Internet of Threats podcast, host Eric Greenwald and Larry Pesce (Finite State Director of Product Security Research and Analysis) delve into the recently announced U.S. Cyber Trust Mark, a cybersecurity labeling program for IoT devices - a long-anticipated directive of Executive Order 14028.
Larry and Eric explore how, in contrast to static ratings like ENERGY STAR, this dynamic IoT security score will attempt to reflect the continually evolving landscape of cybersecurity threats and controls. They delve into the efficacy of this voluntary labeling program: Will consumers use it? Will manufacturers comply (and raise prices) or ignore it?
Together, Larry and Eric discuss the initial criteria for assigning these security scores and the user-friendly implementation strategies like QR codes. They also tackle the implications of this program on various connected devices, from baby monitors to solar panels, analyzing whether this voluntary program will see widespread adoption across various industries with varied potential risks (from privacy violations to deadly fires).
In the discussion, Larry turns the tables and asks Eric about the FCC's unexpected role in enforcing IoT labeling compliance and how this labeling initiative aligns with the broader trend towards transparency and accountability in device security regulation and progress.
Interview with Larry Pesce
Since joining Finite State, Larry has been providing expert product security program design and development as well as IoT pen testing services and guidance to product security teams worldwide. He is also a Certified Instructor at the SANS Institute and has co-hosted the Paul's Security Weekly podcast since 2005. Before joining Finite State, Larry spent 15 years as a penetration tester (among other various roles) focused on healthcare, ICS/OT, wireless, and IoT/IIoT embedded devices. Larry holds several GIAC certifications and earned his B.S. in Computer Information Systems from Roger Williams University.
Join in on this insightful discussion where Eric and Larry consider:
Similarities and differences between the IoT labeling and ENERGY STAR rating programs
The need to reflect the ever-changing nature of cybersecurity risk and controls within cybersecurity scores
How, and how much, consumers will actually use the score and value higher-rated devices
Criteria considered when assigning the scores and where labels will appear
The varying impacts of a voluntary IoT labeling program on consumer vs. industrial connected device cybersecurity
The surprising role of the FCC as the enforcing regulator for IoT labeling compliance
Find Larry on LinkedIn:
Larry Pesce: https://linkedin.com/in/larrypesce
Learn more about Finite State: https://finitestate.io/
Thank you for listening to this episode of the IoT: The Internet of Threats podcast, powered by Finite State — the leading supply chain cyber-security solution provider for connected devices and embedded systems.
If you enjoyed this episode, click subscribe to stay connected and leave a review to get the word out about the podcast.
To learn more about building a robust software supply chain security program, protecting your connected devices, and complying with emerging regulations and technical standards, visit https://finitestate.io/