IoT devices often lack device cybersecurity capabilities that their customers - both individuals and organizations - can utilize to help mitigate cybersecurity risks. Manufacturers can make their IoT devices more secure by providing necessary cybersecurity functionality and providing customers with all the vital cybersecurity-related information they need.
On May 29, NIST released final NISTIR 8259 and 8259A, representing a major milestone in IoT cybersecurity. The publications present six foundational activities and a core baseline of IoT device cybersecurity capabilities for manufacturers as a starting point towards building more securable devices.
In this article, we are going through some basic cybersecurity activities that manufacturers should consider performing before their IoT devices reach their customers.
By improving the securability of IoT devices for customers, manufacturers are helping them meet their goals, which involves determining and addressing a set of risk mitigation areas. The most common risk mitigation areas for IoT devices are:
• Asset Management covers maintaining a current, accurate inventory of all IoT devices and their relevant characteristics throughout the devices' lifecycles. Differentiating each IoT device from all others is essential for the other common risk mitigation areas.
• Vulnerability Management covers identifying and mitigating known vulnerabilities in IoT device software throughout the devices' lifecycles to reduce the likelihood and ease of exploitation and compromise. Vulnerabilities are eliminated by installing updates and changing configuration settings.
• Access Management covers preventing unauthorized physical and logical access to, usage of, and administration of IoT devices throughout their lifecycle by people, processes, and other computing devices. By limiting the access to interfaces, manufacturers can reduce the attack surface of the device, giving cyber attackers fewer opportunities to compromise it.
• Data Protection covers all actions that prevent access to and tampering with data, whether at rest or in transit, that can expose sensitive information or allow manipulation or disruption of IoT devices.
• Incident Detection covers monitoring and analysis of IoT device activities for signs of incidents involving device or data security. These signs can also be used for investigating compromises or for troubleshooting operational issues.
Manufacturers can address these areas by integrating corresponding IoT device cybersecurity capabilities into their devices. That way, customers will have fewer challenges in securing those devices.
Pre-Market Phase Activities
In order to improve how securable their IoT devices are for their customers, manufacturers should consider performing these cybersecurity activities:
- Identifying of expected customers and defining expected use cases
- Researching customer cybersecurity needs and goals
- Determining how to address their needs and goals
- Planning for adequate support of customer needs and goals
Post-Market Phase Activities
Even after the devices are sold, manufacturers still have a role in supporting the customers' cybersecurity needs and goals for their IoT devices. For instance, they can respond to vulnerability reports and provide critical updates.
Most important post-market phase activities can be divided into two groups:
- Defining approaches for communicating to customers
- Deciding what and how to communicate to customers
To help define communication approaches, manufacturers can answer questions like the following:
- What terminology will be most understandable to the customer?
- How much information will the customer need?
- How/where will the information be provided?
Topics that manufacturers might want to use in their communications can be:
- Cybersecurity risk-related assumptions
- Support and lifespan expectations
- Device composition and capabilities
- Software updates
- Device retirement options
As pressure is put on manufacturers to roll out new products, securing IoT devices is becoming more and more challenging. While businesses can't eliminate all IoT attacks, organizations that have their IoT security in check can focus back on their primary goals - optimizing processes, improving quality of service, and reducing costs.
These are just some of the IoT device capabilities generally needed to support common cybersecurity controls. If you want to apply Cybersecurity guidelines or standards on IoT devices, set up Security By Design Frameworks or comply with NIST 8259, you should partner with specialized third-party experts in order to guarantee a cost-efficient implementation.