Guidelines provide a template for IoT cybersecurity

Article by: Richard Quinnell

These guidelines form a pretty good template for improving cybersecurity in any IoT design.

In late December 2020, the US created a new law requiring the National Institute of Standards and Technology (NIST) to create guidelines for implementing cybersecurity in IoT devices sold to the US government. A battery of documents, many in draft form, is now available that describe the processes involved. Recent completion of the public comment phase for the draft documents means that the NIST guidelines will soon become requirements for IoT developers seeking to sell into the federal marketplace.

The overview document – Draft NIST Special Publication 800-213, IoT Device Cybersecurity Guidance for the Federal Government – provides background and recommendations to help federal agencies consider how an IoT device that they seek to use should integrate into their information systems. The document presents both the IoT devices and their support for security controls in the context of organizational and system risk management, offering guidance on considering system security from the device perspective. The goal is for agencies to identify the device cybersecurity requirements (the abilities and actions they should expect from the IoT device and from its manufacturer or third parties) that their systems will require to ensure appropriate security capabilities.

The guidance that SP 800-213 provides begins with the framework defined in NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, which has been available since May 2020. NISTIR 8259 describes six recommended activities that manufacturers should consider performing to improve the foundational cybersecurity of their new IoT devices. As shown in Figure 1, these activities form part of the decisions and actions the manufacturer should perform before beginning device development as well as activities they should plan on performing after device sale.

[Figure: NIST diagram of activities for development teams to secure IoT designs]

Figure 1: The NIST recommends that IoT developers perform these six activities prior to selling their devices into the federal market. Source: NIST

As a refinement to the activities outlined in NISTIR 8259, NIST created four additional documents that provide more comprehensive guidance on executing the six activities. The first two, NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline and Draft NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline, form a complementary pair, elaborating on both the technical (device) and non-technical (support) requirements. NISTIR 8259A provides the device’s cybersecurity core baseline while NISTIR 8259B details the activities typically needed from manufacturers and associated third parties, such as documentation, training, customer feedback, and the like.

The third document, Draft NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, describes a process, usable by any organization, for developing an IoT cybersecurity profile suitable for specific IoT device customers or applications. Starting with the core baselines provided in NISTIR 8259A and 8259B, this document explains how to integrate those baselines with organization- or application-specific requirements, referencing NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. NISTIR 8259C helps guide organizations in creating a detailed set of device and support capabilities that respond to the concerns of a specific sector and is usable both by organizations seeking to procure IoT technology and by manufacturers looking to match their products to customer requirements.

The fourth document, Draft NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government, shows the results of applying the NISTIR 8259C process in a federal government customer space. This federal profile provides an example of the criteria for minimal IoT device security capabilities in federal use cases. Organizations with needs this profile does not address can apply the guidance in SP 800-213 to clearly define their own security requirements and then execute the process described in NISTIR 8259C to develop an IoT cybersecurity requirements profile.

One of the documents that the process references is NIST’s IoT Cybersecurity Capabilities Catalog. This is a list of definitions for the various capabilities that an IoT device may need to possess. As with other documents in the 8259 bundle, it breaks these capabilities into both technical and non-technical elements. For instance, technical elements include device identification, device configuration, and data protection capabilities, while non-technical elements include documentation, customer education, and providing device cybersecurity status information.

The documents all hang together as diagrammed in Figure 2. Taken together they form a comprehensive guideline for both developers and their customers within the US government on implementing suitable IoT cybersecurity for federal applications. The guidance can readily be applied to applications outside of the federal market, though. For many organizations, the need to avoid having an IoT deployment compromise information security is just as keen as that of government projects.

[Figure: Flowchart of NIST guidelines for defining requirements for IoT device cybersecurity]

Figure 2: NIST has provided a complete set of guidelines for defining requirements to ensure cybersecurity in IoT device deployments. Source: NIST

As noted in their titles, many of these documents are still in draft form, but they have now completed their public comment phase and are being prepared for final release as full NIST Interagency Reports. With final release, they will become the official guidelines for IoT cybersecurity that the IoT Cybersecurity Act of 2020 required. This may still require many more months of revision and approvals, but the basic framework should remain intact. Developers seeking to sell their IoT devices into US government markets may want to start becoming familiar with the processes defined in SP 800-213, but even those not targeting the federal market might want to look into these guidelines. They form a pretty good template for improving cybersecurity in any IoT design.

This article was originally published on EDN.

Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.
