Ensuring the cybersecurity of an IoT device can seem a daunting challenge. Innumerable options exist for choosing what security features to implement as well as methods for implementation. Fortunately for developers, there is now a baseline of device capabilities that can provide a starting point for consideration.
The US National Institute of Science and Technology (NIST) has released two documents that provide guidance on cybersecurity for IoT developers. The first – NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers – outlines the activities that development teams should pursue when planning their device’s design. An earlier post explored this document.
The second document – NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline – describes the capabilities an IoT device would need to implement to provide the foundation of basic cybersecurity. It identifies six key capabilities that developers should consider providing in the device itself:
Device identification: The IoT device should be uniquely identifiable both logically and physically.
Device configuration: The IoT device’s software configuration should be changeable, with such changes able to be implemented only by authorized entities.
Data protection: The IoT device should protect the data it stores and transmits against unauthorized access and modification.
Logical access to interfaces: The IoT device should be able to restrict its local and network interfaces, and the protocols and services used by those interfaces, to logical access by authorized entities only.
Software update: The IoT device’s software should allow updating, but only by authorized entities using a secure and configurable mechanism.
Cybersecurity state awareness: The IoT device should be able to report on its cybersecurity state and only make that information accessible to authorized entities.
For each of these capabilities, the document describes what common elements an organization might use to achieve that capability. For example, to implement data protection a team might provide cryptographic capabilities for both stored and transmitted data. It also might provide an ability to configure the cryptography usage, such as choosing the key length, and include an ability for authorized entities to render all data on the device inaccessible. This might include an ability to erase all data, erase keys, and the like.
NISTIR 8259A further provides a rationale for implementing each capability. The ability to alter device configuration, for instance, is important for customers seeking to customize a device when integrating it with their own systems. It also supports the restoration of devices to a secure configuration should it become compromised. Similarly, the ability to allow software updates gives customers a chance to refine their security measures as threats evolve and allows them to “roll back” software changes should any prove to adversely impact system compatibility.
By implementing the baseline functionality into their IoT devices, developers can give their customers the tools they will require to implement whatever additional security features the specific installation demands. However, it is also true that not every installation will require all these functions, and some installations will require the device to include additional built-in functionality. It all depends on what is important to the customer.
IoT development teams thus must begin their development efforts by performing a risk analysis. In this analysis, the team needs to identify what kinds of threats they can anticipate and determine which parts of their design will require protection against these threats. The assessment further includes estimating the probability of the attack happening, the potential impact on system operation and data security, and the significance or severity of that impact. By ranking these assessments from slight to severe and estimating the expected cost of providing mitigation, development teams can create a priority list for the functionality that must be implemented.
Here, too, the NIST offers guidance. NISTIR 8228, Considerations for Managing IoT Cybersecurity and Privacy Risks provides development teams with areas of consideration for the risk assessment process to help determine which areas will require mitigation. These risk mitigation areas dovetail with the baseline functionality guidelines, as shown in Figure 1.
Figure 1 There are six key areas of IoT device usage that developers should consider when deciding on what cybersecurity features to implement. Source: NIST
The device baseline document includes numerous references to existing implementations of cybersecurity features to help stimulate development team thinking. These implementations are neither required nor endorsed by NIST; they are simply there for reference. Still, reviewing them can help stimulate ideas for development teams seeking their own approach.
Ensuring the security of IoT devices will require the investment of considerable thought, at the very least. What is becoming increasingly clear, though, is that the investment is one that must be made. The days of believing that “no one will want to hack this device” or “customers will not pay extra for security” are rapidly becoming history. As IoT devices proliferate and their impact on systems and lives grows, cybersecurity becomes increasingly imperative. Guidelines such as these can help development teams begin to get a handle on the problem.