In a release aptly labeled “A Starting Point for IoT Device Manufacturers” the National Institute of Standards and Technology (NIST), an arm of the Department of Commerce, recently added to the discussion with the publication. NIST sought to provide IoT device manufacturers a better understanding of appropriate cybersecurity features for the vast and constantly proliferating range of IoT devices. NIST’s fundamental purpose is to improve the securitibility of IoT devices and to identify, in general terms, the features that can be designed so that customers can better use them to manage cybersecurity risk profiles.
In 2017, as part of a Presidential Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” the Departments of Commerce and Homeland Security were tasked to lead a process to identify and promote actions to improve the resilience of the Internet and the communications ecosystem. A large aspect of this effort was to encourage stakeholder collaboration aimed at reducing threats from automated and distributed denial of service (DDoS) attacks. In May 2018, a joint report to the President on these issues was released. [We reported on it here.] As part of that review, NIST identified a gap in available guidance on the baseline for cybersecurity of IoT devices. Part of the action NIST identified needed to be taken, as part of a 2018 November document, was a roadmap towards resilience against botnets. [We reported on that here]. This roadmap called for NIST, in collaboration with stakeholders, to define core cybersecurity features to promote better security for IoT devices, both in terms of device as well as data security.
This latest NIST report outlines basic practices for secure software design and development that can improve the security of IoT devices. Given the incredible variety and volume of IoT units, the expectations of their management has to be different than that of conventional IT devices, such as smartphones and laptops, where the implementation of cybersecurity features is already reasonably well understood. Many IoT devices interact with the physical world in ways that conventional IT devices do not and these newer devices for the most part cannot be monitored in the same ways as conventional IT devices. The NIST publication observes that a high-level risk mitigation goal for IoT devices, necessarily, must consider or address asset management, mobility management, access management, data protection, and incident detection.
A critical aspect of IoT device cybersecurity design is first identifying the expected customers for the device as well as expected use cases of those customers. Knowing where and how a device will be used, and in what environments, will likely highlight system dependencies and other aspects of device use that will be relevant to assessing cybersecurity risk. NIST recommends that identification of the cybersecurity features of an IoT device happen early in the design process so that the features are taken into account when selecting or designing IoT device hardware, firmware, and software. NIST provides a recommended baseline of key elements as well as a rationale for each of the features it identifies.
Keeping in mind expected customer uses, NIST recommends that IoT device manufacturers define the specifications for device hardware, firmware and software as well as understand how IoT devices might inherit cybersecurity features from the system or environment in which they may be deployed. For example, device specifications for a limited-use IoT device might include avoiding unneeded features and for a more long-term, sophisticated IoT device, anticipating sufficient hardware resources for future use. A careful IoT device design process could determine that certain cybersecurity features may be emitted from a particular device if an equivalent protection is inherited from the environment of the devices’ use, such as using an IoT device that is dependent on an IoT gateway or hub. In those cases, devices may effectively inherit network, logical access protection from that IoT gateway or hub.
Providing relevant cybersecurity information to customers is another key aspect of useful cybersecurity feature deployment. NIST observes that customers will find device cybersecurity features more useful if the information is shared and includes an explanation of the assumptions made by the manufacturer, such as how the device will be used and in what type of environment it will be used. NIST also recommends that software and firmware update information, expected lifespan, service support, and decommissioning are also important aspects of necessary manufacturer communications.
NIST highlights the role manufacturers can play in improving IoT device security by following secure software development practices. Following these practices may help manufacturers reduce the number of vulnerabilities and facilitate the release of software to mitigate the potential impact of exploitation of undetected or unaddressed vulnerabilities. The process can also address the causes of these vulnerabilities to prevent recurrences.
As noted above, because many IoT devices are less easily secured using known existing IT methods, IoT device customers have to implement and manage additional, or new, cybersecurity controls. This unfortunately may result in many IoT devices not being secured properly, leading to their compromise in DDoS attacks or other circumstances. Educating IoT device customers on the differences in cybersecurity risks and mitigation for IoT devices, as compared to conventional IT infrastructure as well as manufacturer anticipation of future risks, is a key take away from this NIST publication.
NIST is seeking public comment on its report. Comments will be accepted through September 30, 2019.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.