Smart devices that incorporate physical and sensing capabilities and network interface capabilities are being made at an ever-increasing pace. These computing devices are fulfilling customer needs in every economic sector. Almost all of these devices are connected to the internet. As these IoT devices become smaller and more elaborate and have a rising number of features, their security also becomes more compromised.
On May 29, NIST released final NISTIR 8259 and 8259A, representing a major milestone in IoT cybersecurity. In this article, we will discuss a baseline set of device cybersecurity capabilities that businesses should consider when facing the challenge of the Internet of Things.
IoT Device Cybersecurity Capability Core Baseline
Cybersecurity features and functions that computing devices provide through their technical needs (e.g., device hardware and software) are called Device Cybersecurity Capabilities. The core baseline of IoT device cybersecurity capabilities can be defined as a set of device capabilities needed to support cybersecurity controls that protect devices, their data, systems, and ecosystems.
The role of the core baseline is a default for minimally securable devices. Nevertheless, device cybersecurity capabilities can be added or removed from devices’ designs to best address specific organizations' cybersecurity risks.
Here are six device cybersecurity capabilities in the core baseline:
1. Device Identification - meaning the IoT device can be uniquely identified, physically and logically. Common elements of this capability (which are elements an organization seeking to implement the core baseline would use to achieve the capability) are a unique, logical identifier and a unique, physical identifier. These should be at an internal or external location on the device that authorized personnel can access.
The rationale for needing this capability and its common elements is that this capability supports asset management, which, in turn, supports vulnerability and access management, data protection, and incident detection. As far as the unique logical and physical identifiers go, they can be used to distinguish the device from others.
2. Device Configuration - the configuration of the IoT device's software can be changed, but such changes can only be done by authorized personnel. Common elements of this capability are the ability to change the device's software configuration settings, the ability to restrict configuration changes to authorized personnel only, and the ability for authorized personnel to restore the device to a secure configuration.
The rationale for needing this capability is that it supports vulnerability and access management, data protection, and incident detection. Without it, an authorized entity can't alter a device's configuration for various reasons, such as cybersecurity, interoperability, privacy, and usability. Restoring a secure configuration for a device is beneficial when current configuration contains errors, has been damaged or corrupted, or is no longer trustworthy.
3. Data Protection - the IoT device can protect the data it stores and transmits from unauthorized access and modification. Common elements of this capability are the ability to use secure cryptographic modules for standardized algorithms (encryption with authentication, digital signature, etc.), the ability for authorized personnel to render all data inaccessible by all entities, and the ability for authorized personnel to configure the cryptography use itself.
The rationale for needing this capability is that it supports access management, data protection, and incident detection. Also, it prevents unauthorized entities from accessing the data or inadvertently or intentionally changing it.
4. Logical Access to Interfaces - the IoT device can restrict logical access to its local and network interfaces, protocols, and services used by those interfaces to authorized personnel only. Common elements of this capability are the ability to logically or physically disable any local or network interfaces unnecessary for the device’s core functionality, the ability to logically restrict access to each network interface, and the ability to enable, disable, and adjust thresholds for any ability the device has locked or disabled after too many failed authentication attempts.
The rationale for needing this capability is that it supports vulnerability management, access management, data protection, and incident detection. Also, limiting access to interfaces reduces the attack surface of the device, giving attackers fewer opportunities to compromise it.
5. Software Update - the IoT device's software can be updated by authorized entities only using a secure and configurable mechanism. Common elements of this capability are the ability to remotely update the device's software, verify and authenticate updates before installing it, restrict updating actions to authorized personnel only, etc.
The rationale for needing this capability is that it supports vulnerability management, allowing updates to remove vulnerabilities from an IoT device, correct devices’ operational problems, and enable automatic or manual updates.
6. Cybersecurity State Awareness - the IoT device can report on its cybersecurity state and make that information accessible to authorized entities only. Common elements of this capability are the ability to report the device's cybersecurity state, the ability to differentiate from functional and degraded cybersecurity states, the ability to restrict access to the state indicator to authorized personnel only, etc.
The rationale for needing this capability is that it supports vulnerability management and incident detection. It also helps enable investigating compromises, identifying misuse, and troubleshooting operational problems.
If you want to learn more about the core baseline of IoT device cybersecurity capabilities or want to assess your solution against IoT device baseline security requirements at basic, substantial or high level of security assurance get in touch with a IoT specialized cybersecurity lab.