Securing IoT Devices: Lessons from a NIST Workshop
Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute of Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

NIST Cybersecurity Baseline for IoT Device Manufacturers

NIST has produced a draft document for comment titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The comment period for the draft document runs through September 30, and I’ll have more detail on that document in a follow-up post. But, for today, I want to run through impressions from the day-long workshop held at NIST headquarters in Gaithersburg, Maryland.

First, some background. The NIST workshop was held Tuesday, August 13, 2019. The crowd in the room appeared to be between 125 and 150 people, with an unknown number viewing via a webcast. The audience included representatives from tech companies, defense contractors, mobile carriers, research institutions and more (and even at least one lawyer!). In introductory presentations, NIST officials explained that NIST does not have rulemaking authority over private industry. It has a role in setting cybersecurity standards that federal agencies must meet, but any influence NIST has on private industry is through voluntary adoption of its frameworks and standards. More broadly, NIST’s mission is to promote innovation and competitiveness through the use of common standards and measurements. The purpose of this workshop was to receive feedback from industry on the guidance document that has been produced.

Takeaways

By far, the most informative and – judging from conversations the rest of the day, surprising – lesson from the day was a presentation on a study conducted by NIST’s Information Technology Laboratory. The presentation discussed consumer perceptions of IoT security. The study consisted of 40 semi-structured interviews with consumers using IoT devices. The participants were not novices: they had to be using at least three IoT devices in their homes in order to qualify, and their education levels skewed higher than the U.S. as a whole. The study should re-orient the way we think about the IoT:
- To consumers, the “Internet of Things” is not a thing. Participants did not use the terminology of “IoT” or the Internet of Things. Instead, to the extent that they saw this as a category, participants referred to the devices as “smart home” or “connected devices.” To me, this makes a lot of sense. Consumers don’t want an “IoT doorbell” or likely even know what that might mean. They focus on functionality (it’s a video doorbell, for example) and don’t really care about the labels and buzzwords dominating the policy discussions.
- Participants expressed general concerns about privacy – but used the devices anyway. The rationalizations presented were quite interesting. One participant is quoted as saying that he/she knew the device was collecting personal data but “I like having the convenience of having these things.”
- The participants were confused about the difference between privacy and security and didn’t really seem to understand security. Some took mitigation measures that ranged from the silly (covering cameras with tape) to the minimally effective (not placing devices in certain rooms in the house). The takeaway I had from this is that manufacturers should not expect consumers to know or understand security practices; security will involve a lot of hand-holding to accomplish.
- On a related note, participants were cognizant of a shared responsibility to protect security, but really didn’t take much responsibility themselves. 29 of the 40 participants pointed to the manufacturer as responsible for security. Participants cited manufacturers’ greater knowledge as one reason why manufacturers bore a greater proportion of the responsibility for security.