The US government has identified essential activities that development teams can pursue to provide a reasonable foundation for their device’s security capabilities.
For many development teams, the idea of building cybersecurity into their IoT design can seem daunting. Striking a balance between adding functionality and minimizing implementation cost can quickly lead to confusion and frustration without a systematic approach to addressing the problem. To support developers, the US government has identified some essential activities that development teams can pursue to provide a reasonable foundation for their device’s security capabilities.
In its document NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, the US Department of Commerce’s National Institute of Standards and Technology (NIST) has defined six foundational activities it sees as essential for development teams to follow when considering cybersecurity in their IoT device designs. These foundational activities can be grouped into two timeframes. The first is the pre-market activities, which take place before detailed development even begins. These activities will help development teams determine what security functionality their designs should provide and can often uncover guidance into how to implement that functionality.
The second group of activities come into play following the delivery of the finished product to market, although they should be planned for before beginning development. These post-market activities relate to the question of how to support customers who have purchased the product and incorporated it into their systems. Because cyber-attack processes continually evolve, IoT devices will also need to be able to evolve. Most customers will expect their device vendor to help support that evolution.
Figure 1 These six activities can help development teams ensure that their IoT designs implement adequate and appropriate cybersecurity features. (Source: NIST)
In the pre-market phase, there are four key activities intended to supplement or be concurrent with a development team’s other, traditional pre-market activities that help define the market opportunity the design seeks to fulfill.
1. Identify expected customers and define expected use cases
This activity is essential for determining what cybersecurity features will be demanded by customers and can often indicate how those features will need to be implemented. Questions to ask might include how and where the device will be used, how long the device will remain in use, what other customer systems the device will interact with, and how attackers might compromise or mis-use the device.
2. Research customer cybersecurity needs and goals
Developers will need to understand, at least in part, how the customer will need to mitigate their unique cybersecurity risks. Understanding what the customer risks and the means by which the customer will control their risk will go a long way toward defining the device’s cybersecurity functionality requirements. Two kinds of threat are in play – the device itself may need protection against its functionality being compromised or hijacked and the information the device handles may need protection from theft or manipulation.
For some customers and use cases, there may also be regulatory or application-specific cybersecurity needs to be addressed. In such cases, the design will benefit from implementing features that simplify and support the customer in meeting those needs. This activity, therefore, might need to include exploring the relevant regulatory standards for guidance on feature requirements as well as interviewing potential customers to understand their needs and expectations.
3. Determine how to address customer needs and goals
For each cybersecurity goal identified in activity 2, development teams need to ask the question: What is a suitable means or combination of means for achieving that goal? The means may include capabilities built into the device itself, be provided by another customer device such as a hub or gateway, or be provided by third parties such as a cloud-based service. Non-technical means also need consideration, such as the customer’s willingness to accept the risk of not meeting the goal. Teams should also consider how robust the means will need to be.
4. Plan for adequate support of customer needs and goals
Developers can make their designs more suitable for meeting the customer goals by ensuring there are mechanisms in place and design choices made with the idea of long-term device support in mind. For example, if a device is to have an installed life of decades, it might be appropriate to include an ability to update encryption algorithms or change keys after installation. Other questions to ask might include how customers can verify the integrity of the hardware and software, how to ensure the security of third-party software, and how to protect the code from unauthorized access and tampering.
In addition to these activities, which can help guide the selection and implementation of a device’s cybersecurity features, there are two post-market activities development teams should plan for.
5. Define approaches for communicating to customers
Customers evaluating a device for purchase will likely need to know what security capabilities the device can provide. Following installation, they may need to know how to activate, modify, or update such features. Development teams thus need to plan on how to communicate this information to customers. Questions to consider include what terminology the customer will understand (based on their technical sophistication), how much information they will need, how that information is to be made available, and how customers can verify the information’s integrity.
6. Decide what to communicate to customers
Many factors may be involved in making the determination of what information to communicate and how to do it. One thing to consider is how long to support the device once sold and what happens after end-of-life. Another consideration is to determine what customers need to know about the device and its design in order to integrate it into their systems and maintain it. Questions to ask also include, how will customers receive updates to software, what must they do to disable a device, and how can they transfer ownership to another party?
The NIST document NISTIR 8259 provides numerous additional, more detailed suggestions for development teams seeking to engage in these activities. It is free to download from the link provided above, and well worth the read. Cybersecurity can seem daunting, but these guidelines will provide development teams with a solid framework for beginning to tackle the challenge.
This article was originally published on EDN.
Rich Quinnell is a retired engineer and writer, and former Editor-in-Chief at EDN.