Building the caseAmong IoT device customers such as organizations, educational institutions and government agencies, there is a lack of industry measures to help to mitigate cybersecurity risks. It doesn’t help that the methods used to secure conventional IT devices are oftentimes incompatible with those for securing IoT devices. With the emergence of new technological capabilities, IoT devices thus add a new layer upon which customers must apply new security controls or alter their existing controls in order to mitigate risks. The problem is that not all customers are aware of how to alter the existing security controls in their current IT processes to accommodate IoT. Without proper security controls, these devices are highly vulnerable. Their compromise could lead to wide-scale attacks such as distributed denial-of-serve (DDoS) attacks against the organization’s services. In acknowledgement of the challenges discussed above, an internal NIST report IR8228 entitled Considerations for Managing IoT Cybersecurity and Privacy Risks indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. This report also points to the requirement of creating robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls. A manufacturer can’t succeed in implementing cybersecurity controls without maintaining clear communication with the customer. The customer needs to understand how to use these cybersecurity features so that they can tailor them according to their specific needs. With that said, the manufacturer needs to share information regarding device cybersecurity features, device transparency, software and firmware update transparency, support and lifespan expectations and decommissioning. Sometimes manufacturers need a little help, too. In July 2019, NIST published NISTIR 8259 Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. This report provides a set of recommendations for helping the manufacturers to identify the cybersecurity risks faced by the customer. Using this publication as the starting point, manufacturers can ensure that their IoT devices are at least minimally securable when individuals and organizations use them. This NIST report highlights a key consideration for IoT security: manufacturers are at the forefront of the production cycle. By adopting secure design considerations, they can help to reduce the probability and severity of IoT device compromises as well as the other attacks which can be executed using compromised devices. This publication does not cover the aspects that deal with the deployment and usage of secure IoT devices by customers. The primary goal is to highlight the role of manufacturers in making IoT devices minimally securable.
The Need for a Secure IoT Baseline: IoT vs. Traditional IT DevicesThere is a wide variety of IoT devices that consist of at least one network interface and at least one transducer for direct interaction with its immediate physical environment. Unlike conventional IT devices, the cybersecurity features for IoT devices are not as well understood, as these devices that affect traditional IT devices differently such as laptops and smartphones. These devices are used for smart decision-making to better analyze and respond to the physical environment or upcoming events. With increasing functionalities and efficiencies, there is a need to address emerging cybersecurity risks. These risks are different for IoT devices than they are for conventional IT devices. There are three high-level considerations. Firstly, the way in which IoT devices affect and interact with the physical world introduces new cybersecurity and privacy risks. Secondly, for the access control and management of IoT devices, there may be a need for manual tasks and expansion of staff knowledge with additional tools. Thirdly, cybersecurity features are different for IoT devices. This requires organizations to determine how to respond to risks by selecting and managing additional controls. It’s also important to remember that new challenges emerge within organizations such as the third-party remote access over IoT devices. The table below summarizes the differences between IoT and conventional IT devices.
|IoT devices||Conventional IT devices|
|Interaction with physical world||Make changes to physical systems||Usually do not interact with physical systems|
|Management Features||There is little or no knowledge of the device capabilities which varies with the type of device. May require manual tasks to access, manage, or monitor||Typically, an authorized administrator can directly manage the device at all the times throughout the device’s lifecycle|
|Interfaces||Some devices do not have interface for device management||Have multiple human user interfaces|
|Software Management||A wide variety of software management complicates and affects the configuration and patch management||Software management is manageable|
|Cybersecurity Features||Organizations may have to select, implement, and manage controls for availability, efficiency, and effectiveness of cybersecurity features||Organizations can effectively use centralized management for cybersecurity features|
|Post-Market capabilities||Cannot be installed on many IoT devices||Can be installed|
|Monitoring||No monitored infrastructure network||Can be monitored as IT devices are connected using the infrastructure units|
Publication OverviewThis publication has a dedicated section for the identification of cybersecurity features, allowing manufacturers to better identify the cybersecurity risks their customers face. It is not possible for manufacturers to fully realize the level of risks associated with their customers because each of them faces unique dangers, as there is a variety of factors involved. Therefore, having the use of cases for IoT devices can allow manufacturers to have minimally securable devices for their customers. The term “minimal securable” refers to the technical features which assist the customer in tailoring cybersecurity controls as per their requirements and mitigating risks. Consequently, the customer is responsible for their system security based on how they wish to integrate controls with their IoT devices. This baseline is provided with detailed information including features, essential elements, rationale, and reference examples. The cybersecurity feature identification is part of the existing cybersecurity risk management practices which IoT device manufacturers already follow as part of the design process. These are additional considerations and should not be confused with the risk management process. Some examples of these design cybersecurity features are device management, configurability, network characteristics, nature of device data and access level. Upon identification of these cybersecurity features, the publication also outlines the appropriate implementation of these features. Feature implementation is carried out by defining specifications for IoT device hardware, software, and firmware as well as by understanding the inheritance process of cybersecurity features after deployment in a particular physical environment. The publication covers secure software development practices to determine how secure IoT devices are following the implementation of cybersecurity features. A NIST white paper entitled Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) mentions the advantages of manufacturers using secure software development practices. IoT devices may carry a number of vulnerabilities in their released software, and it can potentially become the root cause of attacks in systems or networks. Therefore, the secure design of an IoT device and carefully implemented cybersecurity controls at the manufacturing phase can mitigate the potential impact of exploited unaddressed weaknesses. There are several existing guidelines, standards and other publications by NIST which manufacturers can use for the references as a starting point, as indicated in this latest report.
Two high-level risk mitigation goalsThe NISTIR 8259 sets two primary high-level mitigation goals that are based on NIST’s Cybersecurity Framework and NIST Special Publication (SP) 800-53.
- Protect device security: Preventing the use of the device for executing attacks. IoT devices are prone to be attack vectors for eavesdropping on network traffic or conducting DDoS attacks. The aim is to prevent all IoT devices from being compromised devices.
- Protect data security: There is a large amount of information gathered by many IoT devices, if not all, which may infer personally identifiable information (PII). The goal is to protect confidentiality, integrity and availability of data that is collected by, stored on, processed by, or transmitted to or from an IoT device.
ConclusionThe NISTIR 8259 publication is a starting point for IoT device manufacturers to identify the necessary cybersecurity features, and it defines the core cybersecurity feature baseline. By following security by design as an approach, security can be built in from the beginning with careful considerations and risk assessments. This core baseline consists of technical features to support common cybersecurity controls by a generic customer. The core baseline plays the role of a default set of cybersecurity features for minimally securable devices. However, it does not specify the method to achieve these features, which provides the flexibility for the implementation purposes to effectively address the needs of the customer.