NIST Published New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has published its latest guide for companies manufacturing Internet of Things (IoT) devices so that they can integrate proper cybersecurity controls to ensure the devices are secured against risks when connected to the Internet.

This is the second guide in the series on the security of IoT devices. The first guide discussed the risks brought on by IoT devices. The newest guide is called Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. It is designed to help manufacturers integrate core cybersecurity capabilities into their IoT devices to minimize the incidence and extent of IoT device compromises.

The draft guide specifies a core baseline of cybersecurity functions that ought to be included in all IoT devices, together with additional features that must be considered to give a level of security beyond the standard that is ideal for the majority of customers.

IoT device manufacturers have an obligation to make sure that their devices have basic security features and that software updates are available to deal with vulnerabilities identified throughout the product’s lifespan. It is also the responsibility of IoT device users to enable security controls and to download and apply software updates promptly.

The guidance is aimed at a technical audience, though it is hoped that both consumers and IoT device manufacturers will use it. It consists of six security recommendations that IoT device manufacturers can implement in their devices. The recommendations could also serve as a checklist for companies to ensure a device is secured prior to its purchase.

The six security features recommended are:

  1. Device identification to identify a device or use a unique address to link to the network
  2. The capability for an authenticated user to upgrade software or firmware
  3. A clear demo of data storage and transmission by the IoT device
  4. The capability to restrict access to local and system interfaces
  5. A risk-free and configurable process for software and firmware updates
  6. A log function that keeps a record of all cybersecurity events

IoT devices that link to a network may not possess an interface through which to apply the security settings and update the software. If manufacturers do not integrate proper security controls and users do not activate them, the devices are vulnerable to security risks and unauthorized persons may exploit them to access home and business networks.

NIST welcomes feedback on the draft guidance and will accept it until September 30, 2019.