Internet of Things (IoT) devices offer tremendous capabilities to users. Looking around I see more and more ways, especially in a post COVID-19 world, that these devices will make our lives easier and safer, which makes this work more critical than ever. And while cybersecurity is a shared responsibility and the solution will likely require an ecosystem approach, how can IoT devices enable customers’ security goals?
Working with industry and other stakeholders, we’ve made great strides in recent years to increase overall IoT cybersecurity. In the Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT) published in November 2018, it was evident that much was already underway. However it was unclear to IoT manufacturers: what applied to them; where to start; and how to avoid fragmentation and promote consistency. What guidance and best practices can device manufacturers therefore follow?
With our latest publication, NISTIR 8259A – IoT Device Cybersecurity Capability Core Baseline, the NIST Cybersecurity for IoT Program identifies a core baseline of IoT device cybersecurity capabilities for manufacturers — i.e. device capabilities generally needed to support common cybersecurity controls.
Published concurrently, NISTIR 8259 – Foundational Cybersecurity Activities for IoT Device Manufacturers, provides specific recommended activities to help manufacturers address customer needs for IoT cybersecurity in their product development processes.
Two-Pronged Approach: Manufacturer Activities and Core Device Capabilities
NISTIR 8259 was divided into specific activities (8259) and device capabilities (8259A) for manufacturers—each of which reinforces the other, but which NIST distinguished for clarity and to facilitate easy adoption.
As IoT device manufacturers plan their product features, they also must consider which technical means will be provided by: the IoT device itself; other devices related to and/or communicating with the IoT device; other systems and services acting on behalf of the manufacturer; and the customer — and how robust each of those means should be. NISTIR 8259 provides six specific recommended activities that can help manufacturers address this overarching dilemma during the pre-market as well as post-market product phase:
Recognizing that IoT use cases span numerous industries and jurisdictions but that there are some common capabilities, 8259A provides a core baseline. It outlines the device capabilities generally needed to support common cybersecurity controls, with the goal of protecting an organization’s devices, data, systems, and ecosystems.
Solution Fueled by Collaboration and Transparency
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure called for “resilience against botnets and other automated, distributed threats.” In the order, the President directed the Secretaries of Commerce and Homeland Security to “lead an open and transparent process to identify and promote action … to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
Recognizing the importance of IoT security to both organizations and individuals (across the nation and throughout the world), and in response to the order, the Departments of Commerce and Homeland Security published A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (a/k/a the “Botnet Report”). Later that year, we released an associated Botnet Roadmap.
Starting with Appendix A in the draft NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, we began by looking at existing efforts, both domestic (e.g. Cloud Security Alliance, the Industrial Internet Consortia) and global (GSMA, ENISA, UK government’s DCMS) initiatives to identify the areas of general convergence on key IoT device capabilities. Encouraged to continue our work, NIST engaged a wide range of stakeholders and cultivated public-private partnerships to collaboratively develop the activities and capabilities that would come to comprise NISTIR 8259. The final publication incorporates more than 450 comments that NIST received during two public comment periods and a workshop that drew more than 500 participants (both virtual and in person).
The result is a robust, risk-based approach that is feasible and practical for industry — and which began to be widely adopted even before publication of the final document.
What’s Next for the Core Baseline?
We plan to continue to participate in the International Organization for Standardization (ISO)/IEC project to develop an international standard for an IoT device baseline of security requirements. We are encouraged to see stakeholders, such as the Council to Secure the Digital Economy’s C2 coalition, incorporating our draft publication in formulating its consensus baseline and look forward to see that work evolve.
We have started developing a federal profile, adapting NISTIR 8259 and 8259A, to define cybersecurity device capabilities — along with manufacturer support and agency non-technical capabilities — that are needed to enable federal agency adoption of more securable IoT devices.
Publication of the final NISTIR 8259 represents a major milestone in the evolution of IoT device cybersecurity, paving the way for a comprehensive approach including other activities called out in the Botnet Roadmap — such as Exploring Labeling or Other Transparency Scheme for IoT Devices and Establishing Assessment Program(s) for IoT Devices — with even greater enthusiasm and focus.