New Guidance on Securing IoT Devices Published by NIST

The National Institute of Standards and Technology (NIST) has published a new guide for manufacturers of Internet of Things (IoT) devices to assist them is ensuring that adequate cybersecurity measures are in place so that the devices are secure from  threats when users link them to the Internet.

This is the second in a series of publications on the security of IoT devices being released by the NIST. The first piece of guidance released listed the dangers posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – aims to to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and extent of IoT device compromises.  

The draft document classifies a core baseline of cybersecurity features which should be included with all IoT devices, along with extra features that should be considered to give a level of protection over and above the baseline that is appropriate for most consumers.

The manufacturers of IoT devices have a responsibility to see to it that their devices have at least a minimal level of security and for software updates to be released to address flaws identified during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are enabled and software updates are installed and applied quickly.

The guidance is focused on addressing a technical audience, although it is the wish of the NIST that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their IoT devices. Those recommendations can also be implemented as a checklist for groups to make sure a device can be secured before it is ordered.

Those features include:

  • A device identification feature to permit a single device to be identified or for a unique address to be used to link to the network
  • The ability for an authenticated user to carry out a software or firmware upgrade
  • A clear demonstration of how the device saves and sends data
  • The ability to restrict access to local and network interfaces
  • A safe and configurable way of updating software and firmware
  • A log feature that details and saves all cybersecurity events

IoT devices link to and are visible on their network, yet they may not have an interface through which security settings can be applied and software updates  completed. If adequate security controls are not incorporated by manufacturers and enabled by users, the devices will remain a security risk and flaws could be exploited by unauthorized people to obtain access to home and business networks

NIST is seeking comments on the draft guidance prior to September 30, 2019.