Securing IoT Devices (Part 2): Inside the NIST Guidance Document for IoT Device Manufacturers
At the end of July, the National Institute for Standards and Technology (“NIST”) released draft cybersecurity guidance for IoT device manufacturers. The document, titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, is intended, according to NIST, identify the cybersecurity features that IoT devices should have “to make them at least minimally securable by the individuals and organizations who acquire and use them.” The NIST document is not a rule or requirement for IoT devices, but rather is a continuation of NIST’s effort to foster the development and application of voluntary standards, guidelines, and related tools to improve the cybersecurity of connected devices. NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself. Overview of the Baseline The NIST Baseline (“NISTIR 8259” in government-speak) is subtitled “A Starting Point for IoT Device Manufacturers,” and it is intended as just that. NISTIR 8259 builds upon a base document released in final form on June 27, 2019 relating to cybersecurity and privacy risks for the Internet of Things. IoT manufacturers should review NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks before digging into the Baseline document. Considerations (also known as NISTIR 8228) identifies high-level considerations that make IoT security different than IT security and offers suggestions for mitigating cybersecurity and privacy risks. Its intended audience primarily are the users and organizations deploying IoT devices, but it has meaning for manufacturers, network operators and service providers in the space as well. The NIST Baseline takes these considerations to the manufacturing side, offering (as NIST describes it) to help IoT device manufacturers “understand the cybersecurity risks their customers face” so IoT devices can provide the minimal features to make them securable. (For a discussion of the different meanings that “securable devices” can have in this context, see my blog post on the NIST workshop.) Securing IoT Devices The NIST Baseline explains that cybersecurity risks for IoT devices have two high-level risk mitigation goals: protecting device security and protecting data security. As noted in the user-focused Considerations document, the challenges in doing so stem from three features of the Internet of Things:
- IoT devices interact with the physical world in ways conventional IT devices usually do not. (In other words, they are, by their nature, connected devices.);
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
- The availability, efficiency, and effectiveness of cybersecurity features are often different for IoT devices than conventional IT devices.
- Device Identification. How the IoT device can be uniquely identified, both logically and physically.
- Device Configuration. How the device’s software and firmware can be changed and who is authorized to make such changes.
- Data Protection. How the device can protect from unauthorized access and modification the data that it stores and transmits.
- Logical Access to Interfaces. How the device can limit (logical) access to its local and network interfaces so that only authorized users may access these elements.
- Software and Firmware Updates. How the device can be updated by authorized entities only, using a secure and configurable mechanism.
- Cybersecurity Event Logging. How the device can log cybersecurity events and make the logs accessible to authorized entities only.