As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific for companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.
The first, NISTIR 8259, provides device manufacturers of new IoT devices with a map of recommended activities to help address cybersecurity in the product development process. There are six recommended activities, four of which address identifying and implementing appropriate security controls in the pre-market phase and two that focus on meeting customers’ cybersecurity needs once the device is on the market. These activities focus on identifying a device’s customers and their cybersecurity needs, meeting those cybersecurity needs and planning for how cybersecurity will be addressed once the device is out on the market.
NISTIR 8259A sets out a core baseline of security requirements generally needed to support commonly used cybersecurity controls. At a high level, this core baseline requires the following:
Device identification: The individual device can be identified both logically and physically.
Device configuration: An IoT device’s software configuration can be changed and such changes can only be performed by authorized entities.
Data protection: The data from an IoT device is protected from unauthorized access or modification, both in storage and transit.
Logical access interfaces: Only authorized entities should have logical access to local and network interfaces, and the protocols and services used by those interfaces.
Software update: The IoT device’s software can be updated by authorized entities.
Cybersecurity state awareness: An IoT device can report on its cybersecurity state to authorized entities only.
As we have noted before, the security of IoT devices is increasingly regulated at both the federal and state level. NIST has indicated that it is adapting NISTIRs 8259 and 8259A to enable federal government agency adoption of more secure IoT devices. We also expect legislative activity around IoT security to continue and will be keeping a close eye on any developments in this area.
Putting it Into Practice: While implementation of the security controls included in these two publications is not required by law, this guidance likely will be referenced when determining the reasonableness of IoT device security. Device manufacturers, particularly those that sell or seek to sell to the government, should assume security requirements similar to those in the recent NIST publications will become the standard and should take these two guidance documents into consideration when designing and implementing cybersecurity controls in new IoT devices.