NIST, DHS publish cybersecurity guidelines for IoT developers, contractors, gov’t agencies

After four years of research and development, the National Institute of Standards and Technology (NIST) on Tuesday published new security guidelines for the Internet of Things (IoT) that address the problem of how to engineer trustworthy, secure systems: systems that can provide continuity of capabilities, functions, services, and operations during a variety of disruptions, threats, and other hazards.

NIST has the authority to issue standards that would be immediately applicable to government agencies and contractors. The increasing prevalence of IoT devices in critical industries, including power production, transportation infrastructure and medical technology, has paved the way for federal security mandates.

The Department of Homeland Security offers stakeholders a way to organize their thinking about how to address these IoT security challenges: incorporating security at the design phase; advancing security updates and vulnerability management; building on proven security practices; prioritizing security measures according to potential impact; promoting transparency across the IoT; and connecting carefully and deliberately.

IoT developers will need to factor in security when a device, sensor, service or any component of the IoT is being designed or developed. IoT manufacturers will be required to increase security for both consumer devices and vendor managed services.

Service providers that implement services through IoT devices must consider the security of the functions offered by those IoT devices, apart from the underlying security of the infrastructure enabling these services.

Industrial and business-level consumers, including the federal government and critical infrastructure owners and operators, should serve as leaders in engaging manufacturers and service providers on the security of IoT devices.

NIST, founded in 1901, is one of the nation's oldest physical science laboratories. Congress established it to remove a major handicap to U.S. industrial competitiveness at the time: a second-rate measurement infrastructure that lagged behind the capabilities of the United Kingdom, Germany, and other economic rivals.

NIST measurements support the smallest of technologies—nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair—to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.

Developers are encouraged to enable security by default through unique, hard-to-crack default user names and passwords. User names and passwords supplied by the manufacturer are often never changed by the user, and shared factory defaults are easily guessed. Botnets operate by continuously scanning for IoT devices that are still protected by known factory default user names and passwords. Strong security controls should be something the industrial consumer has to deliberately disable rather than deliberately enable.
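The following is an added illustration of the secure-by-default credential practice described above; it is not code from the NIST or DHS documents. It assumes a hypothetical factory provisioning step and device login handler: each unit gets its own random password from the OS CSPRNG, the device stores only an scrypt hash, a constructed sample of well-known factory default pairs is rejected before any lookup, and the owner must change the password on first login. The `DeviceCredentialStore` class, the `KNOWN_DEFAULT_CREDENTIALS` sample list and the 12-character minimum are assumptions for the example.

```python
"""Secure-by-default device credentials (added example, not NIST/DHS code)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed sample of factory-default pairs that IoT botnets scan for.
# A real device would carry a maintained list; these are illustrative only.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "admin"), ("root", ""), ("user", "user"),
}

# scrypt cost parameters (assumed; 16 MiB of memory per hash on this setting)
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
MIN_PASSWORD_LEN = 12  # assumed policy for user-chosen replacements


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest); a fresh 16-byte salt per stored password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def generate_device_password() -> str:
    """96 bits from the OS CSPRNG: unique per unit, printed on the label or
    delivered out of band, never shared across a product line."""
    return secrets.token_urlsafe(12)


class DeviceCredentialStore:
    """Per-device account table as it would ship from the factory (hypothetical)."""

    def __init__(self):
        self._accounts = {}  # username -> {"salt", "digest", "must_change"}

    def provision(self, username: str = "admin") -> str:
        """Factory step: assign a unique random password and flag it for
        mandatory change on first login. Refuses anything on the default list."""
        password = generate_device_password()
        if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
            raise ValueError("refusing to provision a known default credential")
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest, "must_change": True}
        return password

    def authenticate(self, username: str, password: str) -> bool:
        """Known defaults are rejected before any lookup, so even a mis-provisioned
        unit cannot be taken over with a botnet wordlist."""
        if (username, password) in KNOWN_DEFAULT_CREDENTIALS:
            return False
        account = self._accounts.get(username)
        if account is None:
            # Run a dummy hash so response time does not reveal valid usernames.
            hash_password(password, salt=b"\x00" * 16)
            return False
        return verify_password(password, account["salt"], account["digest"])

    def must_change_password(self, username: str) -> bool:
        """Login handler should allow only the change-password action while True."""
        return self._accounts[username]["must_change"]

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.authenticate(username, old):
            return False
        if (username, new) in KNOWN_DEFAULT_CREDENTIALS or len(new) < MIN_PASSWORD_LEN:
            return False
        salt, digest = hash_password(new)
        self._accounts[username] = {"salt": salt, "digest": digest, "must_change": False}
        return True
```

The order of checks in `authenticate` is the point: the default-credential test runs before the hash lookup, so a device whose provisioning step was skipped still cannot be opened with `admin`/`admin`, and the dummy hash on an unknown username keeps the failure path from leaking which accounts exist.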

Devices should be built using the most recent operating system that is technically viable and economically feasible. Many IoT devices run Linux, but not necessarily an up-to-date release. Building on a current, still-supported release means that publicly known vulnerabilities fixed in earlier versions are already mitigated and that security patches keep arriving for the life of the product. Developers are also advised to use hardware that incorporates security features to strengthen the protection and integrity of the device, for example chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.

Designers must keep system and operational disruption in mind: understanding what consequences could flow from the failure of a device enables developers, manufacturers, and service providers to make more informed risk-based security decisions. Where feasible, developers should build IoT devices to fail safely and securely, so that a failure does not lead to greater systemic disruption.
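As an added illustration of failing safely and securely (not code from the NIST or DHS documents), the following models a hypothetical network-controlled valve whose safe position is assumed to be closed. The controller powers on closed, accepts only commands carrying an HMAC and an increasing counter, leaves its state untouched when a command fails verification, trips to the safe state when the supervisor's heartbeat stops, and also trips if the verification code itself fails (for instance, key material is unavailable). `ValveController`, `Command`, the five-second heartbeat budget and the key are all assumptions for the example.

```python
"""Fail-safe, fail-secure actuator control (added example, not NIST/DHS code)."""
import hashlib
import hmac
from dataclasses import dataclass

SAFE_STATE = "CLOSED"          # assumed safe position for this hypothetical valve
VALID_ACTIONS = ("OPEN", "CLOSED")
HEARTBEAT_TIMEOUT_S = 5.0      # assumed supervisor heartbeat budget


@dataclass(frozen=True)
class Command:
    counter: int   # strictly increasing; defeats replay of an old "OPEN"
    action: str
    mac: bytes     # HMAC-SHA256 over "counter:action"


def _mac(key: bytes, counter: int, action: str) -> bytes:
    return hmac.new(key, f"{counter}:{action}".encode(), hashlib.sha256).digest()


def sign_command(key: bytes, counter: int, action: str) -> Command:
    """Supervisor side: build an authenticated command."""
    return Command(counter, action, _mac(key, counter, action))


class ValveController:
    """Device side. `now` is passed in (seconds) so the logic is deterministic."""

    def __init__(self, key, now: float):
        self._key = key
        self.state = SAFE_STATE       # power on in the safe state
        self.last_counter = 0
        self.last_contact = now
        self.faults = []              # audit trail of rejections and trips

    def _trip(self, reason: str) -> None:
        self.state = SAFE_STATE
        self.faults.append(f"tripped: {reason}")

    def heartbeat(self, now: float) -> None:
        self.last_contact = now

    def tick(self, now: float) -> str:
        """Periodic watchdog: silence from the supervisor means the device cannot
        know whether staying open is still safe, so it moves to the safe state."""
        if self.state != SAFE_STATE and now - self.last_contact > HEARTBEAT_TIMEOUT_S:
            self._trip("supervisor heartbeat timeout")
        return self.state

    def handle(self, cmd: Command, now: float) -> bool:
        """Authenticated command path. A command that fails verification is
        rejected and the current state is kept; a failure inside the verification
        code itself trips to the safe state rather than guessing."""
        try:
            if self._key is None:
                raise RuntimeError("authentication key unavailable")
            if cmd.action not in VALID_ACTIONS:
                raise ValueError("unknown action")
            if cmd.counter <= self.last_counter:
                raise ValueError("replayed or stale counter")
            if not hmac.compare_digest(_mac(self._key, cmd.counter, cmd.action), cmd.mac):
                raise ValueError("bad MAC")
        except ValueError as exc:
            self.faults.append(f"rejected: {exc}")
            return False
        except Exception as exc:      # verification itself failed: fail secure
            self._trip(f"verification error: {exc}")
            return False
        self.last_counter = cmd.counter
        self.last_contact = now       # a valid command is proof of supervisor contact
        self.state = cmd.action
        return True
```

Two design choices are worth noting. A rejected command does not change state, so an attacker flooding forged packets cannot use the safety trip itself as a denial-of-service lever; only loss of contact or an internal verification failure does that. And the trip is on a timer the device owns, so the safe state is reached even if the whole network path disappears.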

The United States, and every other industrialized nation, is experiencing explosive growth in information technology. These technological innovations have given us access to computing and communications capabilities unparalleled in the history of mankind.

These rapid advancements, and the dramatic growth in consumer demand for them, are occurring alongside a revolutionary convergence of cyber and physical systems, or cyber-physical systems (CPS). The global distribution of these technologies has resulted in a highly complex information technology infrastructure of systems and networks that are difficult to understand and even more difficult to protect.

Consumers and enterprises are spending more on cybersecurity than ever before. At the same time, an increasing number of cyberattacks are being carried out by nation states, terrorists, hacktivists, and other bad actors who steal intellectual property, national secrets, and private information.

With companies and consumers generally responsible for making their own decisions about the security features of the products they make or buy, the role of government, outside of certain specific regulatory contexts and law enforcement activities, is to provide tools and resources so companies, consumers, and other stakeholders can make informed decisions about IoT security.

Security should be evaluated as an integral component of any network-connected device. While there are exceptions, in too many cases economic drivers or lack of awareness of the risks cause businesses to push devices to market with little regard for their security.

Building security in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed. By focusing on security as a feature of network-connected devices, manufacturers and service providers also have the opportunity for market differentiation.

A coordinated disclosure policy should involve developers, manufacturers and service providers, and include information regarding any vulnerabilities reported to a computer security incident response team (CSIRT). The US Computer Emergency Readiness Team (US-CERT), Industrial Control Systems (ICS)-CERT, and other CSIRTs provide regular technical alerts, including after major incidents, which provide information about vulnerabilities and mitigation.
