The Internet of Things (IoT) includes items such as smart appliances, smartwatches, and medical sensors. For organizations to enjoy all of the benefits and convenience of IoT devices, enterprise customers must fully understand the potential risks and threats to their systems and the underlying data. IoT devices often lack built-in security controls, a situation which creates risks and threats for federal agencies and consumers.
As IoT devices proliferate, it is important for manufacturers to provide secure and safe devices. According to NIST, built-in security controls include device cybersecurity capabilities as well as non-technical support relevant to cybersecurity. Both can be used to mitigate risks related to IoT devices.
IoT Device Non-Technical Supporting Capabilities
The National Institute of Standards and Technology (NIST) Cybersecurity for the Internet of Things (IoT) program announced the drafting of four public documents that provide guidance for federal agencies and IoT device manufacturers on defining IoT cybersecurity requirements. The purpose of this initiative is to help manufacturers and federal government agencies better understand what kinds of device cybersecurity capabilities and non-technical supporting capabilities may be needed from or around IoT devices used by federal government agencies.
In distinguishing technical and non-technical means for securing IoT devices, NIST notes that IoT devices are primarily secured using technical means, referred to as “device cybersecurity capabilities,” and that non-technical supporting capabilities include actions that manufacturers or third-parties take in support of the initial and on-going security of IoT devices.
The purpose of the NIST Internal Report (IR) 8259B, Non-Technical Supporting Capabilities publication is to provide organizations with a starting point they can use to identify non-technical supporting capabilities needed in relation to IoT devices that they intend to manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.
As an example, suppose that an agency wants to acquire an IoT device such as a smart speaker to use in the office. The smart speaker will need to connect to the federal information system so that agency management can remotely access and play audio over the speaker. These remote connections will require proper authentication and authorization. To support the authentication and authorization controls, the smart speaker may require device cybersecurity capabilities such as the ability to deny remote connections, the ability to authenticate and/or authorize entities attempting to make remote connections, and the ability to terminate connections within organizational policy.
Additionally, the allocated security controls may require the federal agency to configure the smart speaker to authenticate and authorize users within organizational policy, which could require non-technical supporting capabilities from manufacturers. These non-technical supporting capabilities may include obtaining documentation from the manufacturer about how the IoT device can be configured to support organizational authentication and authorization policy.
The wide range of connectivity possible for IoT devices and the ability for these devices to interact with the physical world means securing these devices often becomes a priority but a challenge for customers when they are not adequately supported.
Manufacturers’ Role in Securing IoT Devices
Integrating an IoT device into an information system can present a number of challenges for enterprise customers. Understanding the challenges, however, will help manufacturers to execute the most appropriate implementation strategy for the non-technical support capabilities. NIST recommends that manufacturers consider the following non-technical supporting capabilities for IoT devices they make:
Documentation: The ability for the manufacturer to create, gather, and store information relevant to the cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle.
Information and Query Reception: The ability for the manufacturer to receive from the customer information and queries related to cybersecurity of the IoT device.
Information Dissemination: The ability for the manufacturer to broadcast and distribute information related to cybersecurity of the IoT device.
Education and Awareness: The ability for the manufacturer to create awareness and educate customers about cybersecurity-related information, considerations, features, etc. of the IoT device.
NIST points out that these four items do not represent an exhaustive list and that if additional supporting capabilities are necessary to enable secure use of the device, organizations are encouraged to consider defining additional supporting capabilities for their particular use case.
NIST IoT Devices Roundtable Discussions
NIST engaged the stakeholder community on the topic of IoT non-technical supporting capabilities in four roundtable discussions that corresponded with each capability area. The feedback from the roundtable sessions shows that while participants found value in the four capabilities, they also expressed that the capabilities would likely need to be tailored for specific audiences and use cases.
There is no shortage of reports, white papers, and blogs related to cybersecurity awareness and training. What about consumer security awareness? The roundtable session feedback revealed that there is a general need to inform customers of how they may securely operate the IoT device, for example, by displaying relevant warning labels related to changing the device’s default password and providing instructional content to consumers. Participants noted that the approach to providing awareness could involve online videos and smartphone applications.
Another takeaway from the roundtable sessions was that IoT product owners need vulnerability and patching information to mitigate risks associated with known vulnerabilities. Specifically, participants expressed a desire to learn about IoT product vulnerabilities and patches as well as for manufacturers to provide guidance describing where consumers can locate this type of information. Some participants suggested that information feeds from Information Sharing and Analysis Centers (ISACs) would be a good source of advice for IoT product customers regarding vulnerabilities and patches. As a starting point, the NIST blog recommends National Council of ISACs.
Mitigating risks associated with IoT devices using non-technical supporting capabilities could be perceived as burdensome for manufacturers (e.g., providing customers with standardized documentation, training material in diverse forms to a variety of customers, and improved consumer security awareness). The manufacturers of IoT devices are in the best position to communicate important non-technical information related to the cybersecurity of the device. They play a huge role in helping enterprise customers and consumers secure IoT devices. Providing customers and consumers with non-technical capabilities for an IoT device complements the device’s cybersecurity capabilities and strengthens the ability to maintain the ongoing security of the IoT device.
Manufacturers that understand and can support an organization’s cybersecurity needs in a non-technical way, as well as those who arm their customers with knowledge of how to effectively use the device’s cybersecurity capabilities, help to build trust between them and their customers. They also support the mitigation of risks inherent in IoT devices, thereby improving the overall security of any associated systems and underlying data.