Securing IoT Devices: Lessons from a NIST Workshop

Connected devices already are making headway into business and consumer markets. “Smart” speakers, video doorbells, remote programmable thermostats and other devices are increasing in popularity in homes across the United States. Major automakers and startups are pursuing self-driving cars and the “passenger economy.” Businesses are using IoT capabilities to enhance preventive maintenance, to track assets through the production cycle and to gain insights into consumer behavior.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

NIST Cybersecurity Baseline for IoT Device Manufacturers

NIST has produced a draft document for comment, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The comment period for the draft document runs through September 30, and I’ll have more detail on that document in a follow-up post. But, for today, I want to run through impressions from the day-long workshop held at NIST headquarters in Gaithersburg, Maryland.

First, some background. The NIST workshop was held Tuesday, August 13, 2019. The crowd in the room appeared to be between 125 and 150 people, with an unknown number viewing via a webcast. The audience included representatives from tech companies, defense contractors, mobile carriers, research institutions and more (and even at least one lawyer!). In introductory presentations, NIST officials explained that NIST does not have rulemaking authority over private industry. It has a role in setting cybersecurity standards that federal agencies must meet, but any influence NIST has on private industry comes through voluntary adoption of its frameworks and standards. More broadly, NIST’s mission is to promote innovation and competitiveness through the use of common standards and measurements. The purpose of this workshop was to receive feedback from industry on the guidance document NIST has produced.

Takeaways

By far the most informative, and, judging from conversations the rest of the day, the most surprising, part of the day was a presentation on a study conducted by NIST’s Information Technology Laboratory. The presentation discussed consumer perceptions of IoT security. The study consisted of 40 semi-structured interviews with consumers using IoT devices. The participants were not novices: to qualify, they had to be using at least three IoT devices in their homes, and their education levels skewed higher than the U.S. population as a whole. The study should re-orient the way we think about the IoT:

  • To consumers, the “Internet of Things” is not a thing. Participants did not use the terminology of “IoT” or the Internet of Things. Instead, to the extent that they saw this as a category, participants referred to the devices as “smart home” or “connected devices.” To me, this makes a lot of sense. Consumers don’t want an “IoT doorbell” or likely even know what that might mean. They focus on functionality (it’s a video doorbell, for example) and don’t really care about the labels and buzzwords dominating the policy discussions.
  • Participants expressed general concerns about privacy, but used the devices anyway. The rationalizations presented were quite interesting. One participant is quoted as saying that he/she knew the device was collecting personal data but “I like having the convenience of having these things.”
  • The participants were confused about the difference between privacy and security and didn’t really seem to understand security. Some took mitigation measures that ranged from the silly (covering cameras with tape) to the minimally effective (not placing devices in certain rooms in the house). The takeaway I had from this is that manufacturers should not expect consumers to know or understand security practices; security will involve a lot of hand-holding to accomplish.
  • On a related note, participants were cognizant of a shared responsibility to protect security, but really didn’t take much responsibility themselves. 29 of the 40 participants pointed to the manufacturer as responsible for security. Participants cited manufacturers’ greater knowledge as one reason why manufacturers bore a greater proportion of the responsibility for security.

The second revelation for me was the way in which these documents have the potential to become de facto standards, despite NIST’s protestations to the contrary. The NIST program manager outlined the core principles of the Baseline draft as including (a) recognition that there is no one-size-fits-all approach, (b) a focus on outcomes, not requirements for how to get there, and (c) an acceptance of risk-based principles. And, again, one should keep in mind that NIST does not have regulatory authority over anyone other than federal agencies.

Nevertheless, representatives from regulatory agencies in attendance indicated that they are looking to the NIST baseline as at least a best practice, if not a standard. In my discussion session (one of four), several participants talked about these standards becoming part of government and private industry RFPs, either as requirements or “nice to have” differentiators among bidders. Moreover, several industry groups discussed their efforts to build upon guidance such as the NIST Baseline to develop industry-specific standards. Still others saw multiple standards efforts, and stated that the focus should be on the commonalities among the various standards that are published.

Regardless of how these developments take form, it is clear that the work NIST has done will have an impact, indirect or not, outside of NIST’s limited regulatory authority. Manufacturers should carefully heed the guidance NIST provides, and should consider providing comments on the draft before the September 30 deadline.

Third, the discussion group crystallized some of the interplay among considerations that go into IoT security. Immediately before the discussion groups, a NIST official gave an overview of the draft, emphasizing the difference between a “secure” device and a “secure-able” device. Nevertheless, some in my discussion group suggested that some devices were not worth securing, distinguishing between “securable” devices and those that, for cost, utility or other reasons, are not worthwhile to secure. Others noted that IoT devices most often will operate in a network, not independently, and therefore security might be provided by other devices in the network (much as a firewall provides security in IT systems today). Moreover, there was general agreement in my discussion group that not every device in a network needed to have all of the security capabilities, and that instead some devices may have more or different security in order to control (or protect) less secure (or secure-able) devices in the network.

These discussions suggested to me that security is more nuanced than a per-device checklist, and that the concept of “securable” devices depends on multiple factors. While NIST’s document is a starting point, use of it as a standard has pitfalls. Particularly as we are starting to see a wave of IoT security legislation (notably, SB-327 in California and several bills in the U.S. Congress), the interdependency of securability and IoT networks is a layer of complexity that policymakers and regulators may not fully appreciate in their oversight activities. Manufacturers and others in the IoT economy have their work cut out for them in explaining how real-world security might work.

Up next: a summary of the NIST Cybersecurity Baseline for IoT devices. Manufacturers and participants in the IoT economy should carefully review this draft and consider filing comments with NIST to inform the final document.