New Guidance on Securing IoT Devices Published by NIST

by | Aug 13, 2019

The National Institute of Standards and Technology (NIST) has published a new guide for manufacturers of Internet of Things (IoT) devices to assist them is ensuring that adequate cybersecurity measures are in place so that the devices are secure from  threats when users link them to the Internet.

This is the second in a series of publications on the security of IoT devices being released by the NIST. The first piece of guidance released listed the dangers posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – aims to to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and extent of IoT device compromises.  

The draft document classifies a core baseline of cybersecurity features which should be included with all IoT devices, along with extra features that should be considered to give a level of protection over and above the baseline that is appropriate for most consumers.

The manufacturers of IoT devices have a responsibility to see to it that their devices have at least a minimal level of security and for software updates to be released to address flaws identified during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are enabled and software updates are installed and applied quickly.

The guidance is focused on addressing a technical audience, although it is the wish of the NIST that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their IoT devices. Those recommendations can also be implemented as a checklist for groups to make sure a device can be secured before it is ordered.

Those features include:

  • A device identification feature to permit a single device to be identified or for a unique address to be used to link to the network
  • The ability for an authenticated user to carry out a software or firmware upgrade
  • A clear demonstration of how the device saves and sends data
  • The ability to restrict access to local and network interfaces
  • A safe and configurable way of updating software and firmware
  • A log feature that details and saves all cybersecurity events

IoT devices link to and are visible on their network, yet they may not have an interface through which security settings can be applied and software updates  completed. If adequate security controls are not incorporated by manufacturers and enabled by users, the devices will remain a security risk and flaws could be exploited by unauthorized people to obtain access to home and business networks

NIST is seeking comments on the draft guidance prior to September 30, 2019.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy