NIST Releases New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has released a new guide for manufacturers of Internet of Things (IoT) devices to help them incorporate appropriate cybersecurity controls to ensure the devices are protected against threats when users connect them to the Internet.

The guide is the second in a series of publications on the security of IoT devices. The first document outlined the risks posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – is intended to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and severity of IoT device compromises.  

The draft document defines a core baseline of cybersecurity features which should be incorporated into all IoT devices, along with additional features that should be considered to provide a level of protection over and above the baseline that is appropriate for most customers.

The manufacturers of IoT devices have a responsibility to ensure that their devices have at least a basic level of security and that software updates are released to address vulnerabilities discovered during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are activated and software updates are downloaded and applied promptly.

The guidance is aimed at a technical audience, although it is hoped that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their devices. Those recommendations can also be used as a checklist for organizations to make sure a device can be secured before a purchase is made.

Those features are:

  • A device identification feature to allow an individual device to be identified or for a unique address to be used to connect to the network
  • The ability for an authenticated user to perform a software or firmware upgrade
  • A clear demonstration of how the device stores and transmits data
  • The ability to limit access to local and network interfaces
  • A secure and configurable method for updating software and firmware
  • A log feature that records all cybersecurity events

IoT devices connect to and are visible on the network, yet they may not have an interface through which security settings can be applied and software updated. If appropriate security controls are not incorporated by manufacturers and activated by users, the devices will remain a security risk, and vulnerabilities could be exploited by unauthorized individuals to gain access to home and business networks.

NIST is accepting comments on the draft guidance until September 30, 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.