IoT cannot rely solely upon security practices designed for conventional devices.
Experts at the National Institute of Standards and Technology (NIST) have kicked off an initiative to support the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. NIST’s Cybersecurity for the Internet of Things (IoT) and Privacy Engineering Programs drafted a report titled NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks that is now available for public comment.
The report is an introductory document to help organizations better understand and manage the security risks throughout the lifecycle of their IoT devices. The document identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices compared to conventional information technology (IT) devices:
Heterogeneous capabilities of IoT devices vs. conventional IT devices
Conventional IT devices tend to have largely homogeneous capabilities. For example, most laptops have similar data storage, processing, and transferring capabilities. Because the capabilities are so similar across all laptops, their cybersecurity and privacy risks tend to be similar as well. This is in contrast to IoT devices, which offer an incredibly heterogeneous range of capabilities and combinations of those capabilities.
For example, one IoT device may have just a few basic capabilities, such as sensing data and transmitting that data to a server for processing and storage, with no human user interface or centralized management capabilities. Conversely, another IoT device may include multiple sensors and actuators, use local and remote data storage and processing capabilities, and be connected to several internal and external networks at once. This variability in capabilities causes similar variability in the cybersecurity and privacy risks involving each IoT device.
Lack of device access, management, and monitoring features
IoT devices typically have a small memory and a rudimentary operating system with no real user interface. This presents a challenge, as those devices have limited power and computing capabilities available for risk-mitigating functionality. Also, there is extensive variety in the software and firmware used by IoT devices. This significantly complicates software management throughout the IoT device lifecycle, affecting areas such as device configuration, certificate management, and patch management. In contrast, conventional IT devices usually provide authorized people, processes, and devices with hardware and software access, management, and monitoring features.
Control availability, efficiency, and effectiveness
Many IoT devices do not or cannot support the range of controls typically built into conventional IT products. For example, a simple sensing IoT device may not have the processing capability to support the use of strong encryption and mutual authentication without unacceptable delays. Sophisticated network-based intrusion prevention systems, antimalware servers, and firewalls may not be as effective at protecting IoT devices as they are at protecting conventional IT, because IoT devices often use protocols that conventional IT controls cannot understand and analyze.
Given the variety of IoT device capabilities and the issues with accessing, managing, and monitoring these devices, there is a clear need to follow basic guidelines to build a practical security solution for IoT devices. The following principles can serve as a foundation to enable stronger IoT security:
Bottom line
As more IoT devices are deployed to deliver unique experiences, the degree of vulnerability to cybersecurity threats will inevitably increase. IoT security must be a priority from the initial stages of IoT deployments. IoT asset owners must understand the security and privacy implications of IoT and ensure that the various hardware, network, and software elements are sufficiently secure and properly certified. The NIST guidelines address a number of important areas, including the improvement of cybersecurity for IoT products and basic principles that all products should meet. Now it is up to the IoT OEMs and device manufacturers to play ball.