NIST IoT Security Guidelines Draft Up for Comment
NIST’s “core baseline” for IoT security is aimed at device manufacturers
From refrigerators and doorbells to insulin pumps and heart monitors, a growing number of devices are being connected to wireless networks. IoT devices offer a world of convenience and benefits, from a homeowner being able to monitor their property while at work to a doctor being able to monitor a patient’s response to a treatment regimen. However, they also open a Pandora’s box of cyber security threats, a situation exacerbated by the absence of any uniform set of IoT security standards for smart device manufacturers to follow.
The current “Wild West” situation of IoT security puts everyone at risk, and this was the impetus for NIST to develop its latest draft publication. Titled “Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers (NISTIR 8259),” the publication is aimed at device manufacturers and builds on the material in NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” which NIST released earlier this summer.
NISTIR 8228 is aimed at organizations that deploy and operate IoT devices and discusses managing the risks of those deployments. In contrast, NISTIR 8259’s audience is manufacturers; the guide seeks to educate them about “the cybersecurity risks their customers face,” how they can mitigate these risks through secure development, and how they can go beyond the core baseline as appropriate. Additionally, purchasers can use the guidelines in 8259 as a starting point to identify the security features they want their smart devices to have so that they can specify them in procurement requests.
The NIST IoT security “core baseline”
NISTIR 8259 defines six generic “core baseline” IoT security features that all smart devices, regardless of industry or use case, should have.
- Device identification: All smart devices should have unique physical and logical identifiers to support asset management, which in turn supports vulnerability management, access management, data protection, and incident detection.
- Device configuration: End users should have the ability to change an IoT device’s software and firmware configuration settings, restrict configuration changes to authorized entities, and restore the device to a secure default configuration.
- Data protection: The device should use accepted cryptographic modules implementing standardized algorithms to protect the confidentiality and integrity of the data it stores and transmits, rather than ad hoc or proprietary cryptography.
- Logical access to interfaces: The device should restrict access to its local and network interfaces to authorized entities only, and users should be able to logically or physically disable any interfaces that are not necessary for the device’s core functionality.
- Software and firmware updates: The device should have a secure and configurable mechanism by which only authorized entities can update its software and firmware, including verifying the authenticity and integrity of an update before it is installed.
- Cybersecurity event logging: Users should have the ability to log cybersecurity events across the device’s software and firmware and restrict access to the logs so only authorized entities can view them.
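To make the update requirement concrete, here is an added example (not code from NIST or from this article) of the device-side gate a manufacturer might put in front of a firmware write. It assumes a hypothetical manifest format (version number plus SHA-256 image digest) signed with an Ed25519 key that the manufacturer provisions into the device at the factory; the firmware image bytes are constructed sample data. The gate rejects an update unless the manifest was signed by the provisioned key, the delivered image matches the signed digest, and the version is strictly newer than the one installed (anti-rollback), so a replayed or downgraded image is refused even when its signature is genuine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one firmware image (hypothetical format for this example).
// The signature covers version and digest together, so neither can be changed
// without invalidating it.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// Device holds the update-relevant state: the vendor public key provisioned at
// manufacture (treated as read-only) and the currently installed version.
type Device struct {
	VendorPubKey   ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrHashMismatch = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("image version not newer than installed")
)

// signedBytes is the canonical byte string the signature covers: version || digest.
func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], imageHash[:])
	return buf
}

// SignManifest is the vendor-side step: digest the image and sign (version || digest).
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h,
		Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate is the device-side gate. Checks run in order: authorized signer,
// image integrity against the signed digest, then strictly increasing version.
func (d *Device) VerifyUpdate(m Manifest, image []byte) error {
	if !ed25519.Verify(d.VendorPubKey, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= d.CurrentVersion {
		return ErrRollback
	}
	return nil
}

// ApplyUpdate advances the installed version only if every check passes.
// A real device would write the image to flash at the marked point.
func (d *Device) ApplyUpdate(m Manifest, image []byte) error {
	if err := d.VerifyUpdate(m, image); err != nil {
		return err
	}
	d.CurrentVersion = m.Version // flash write would happen here
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPubKey: pub, CurrentVersion: 3}

	good := []byte("firmware v4 (constructed sample image)")
	m := SignManifest(priv, 4, good)
	fmt.Println("genuine v4:", dev.ApplyUpdate(m, good))

	tampered := append([]byte{}, good...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", dev.VerifyUpdate(m, tampered))

	fmt.Println("replay of v4:", dev.VerifyUpdate(m, good))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(otherPriv, 5, good)
	fmt.Println("unauthorized signer:", dev.VerifyUpdate(forged, good))
}
```

The order of checks matters: the signature is verified before anything else is trusted, so a manifest from an unauthorized signer never reaches the digest or version logic. The same structure carries over to a configurable policy (for example, letting an operator pin the accepted signing key or require a minimum version) without weakening the authorized-entities-only property the baseline calls for.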
Accompanying each core baseline is NIST’s rationale for including it, the key elements for manufacturers to consider when implementing it, and a list of reference examples. So that the list is as generic and evergreen as possible, the IoT security features don’t recommend any specific software or other technologies. They focus on the end results that device manufacturers should be looking to achieve, not how to achieve them.
Public comments on NISTIR 8259 are being accepted through September 30, 2019.
The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.