NIST Publishes Cybersecurity Guidance for IoT Device Manufacturers

As the cyber threat landscape continues to evolve, security for IoT devices has never been more important. As development of the IoT industry accelerates, many manufacturing companies overlook standard security measures or guidelines. These oversights could have serious implications for consumer security and privacy.

The National Institute of Standards and Technology Cybersecurity for IoT program aims to improve the cybersecurity of connected devices by providing stakeholders and IoT device manufacturers with guidance and suitable practices during development. In two recent publications, NIST recommends a series of actions to help manufacturers secure their IoT devices.

The first publication, Foundational Cybersecurity Activities for IoT Device Manufacturers or NISTIR 8259 describes activities companies should consider before selling their devices to consumers, in an attempt to “reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.”

The second publication, IoT Device Cybersecurity Capability Core Baseline or NISTIR 8259A, gives organizations a road map for identifying cybersecurity capabilities for new IoT devices they will manufacture, integrate or gain. The report sets out a baseline of security requirements that supports existing cybersecurity controls, including:

• Device Identification – IoT devices can be identified logically and physically
• Device Configuration – changes in the IoT device’s software can be performed by authorized entities only
• Data Protection – IoT device can protect the data it stores and transmits from unauthorized access and modification
• Logical Access to Interfaces: Only authorized bodies should have logical access to the IoT devices’ local and network interface along with any protocols and services it uses
• Software Update – software used by IoT devices can be updated by authorized entities only
• Cybersecurity state awareness- the device can report on its cybersecurity state to authorized entities only

“Regardless of an organization’s role, this baseline is intended to give all organizations a starting point for IoT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory,” researchers said. “This baseline represents a coordinated effort to produce a definition of common capabilities, not an exhaustive list. Therefore, an implementing organization may define capabilities that better suit their organization.”