On June 25, 2019, NIST released NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. This document explored three high-level considerations for IoT security and privacy risks and provided three risk mitigation goals:
- Considerations. These considerations highlight how IoT devices differ from conventional IT devices.
Consideration 1: Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
Consideration 2: Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.
Consideration 3: The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
- Risk Mitigation Goals. These risk mitigation goals are additive, with each goal building on the previous one without replacing it.
Goal 1: Protect device security.
Goal 2: Protect data security.
Goal 3: Protect individuals’ privacy.
Building on the guidance in NISTIR 8228, NIST released two interagency reports focused on providing guidance to IoT device manufacturers on May 29, 2020:
- NISTIR 8259, Foundational Cybersecurity Activities for IoT Manufacturers recommends four pre-market activities (1–4) and two post-market activities (5–6) for IoT manufacturers to address cybersecurity in IoT devices.
Activity 1: Identify expected customers and define expected use cases.
Activity 2: Research customer cybersecurity goals.
Activity 3: Determine how to address customers’ goals.
Activity 4: Plan for adequate support of customers’ goals.
Activity 5: Define approaches for communication to customers.
Activity 6: Decide what and how to communicate to customers.
- NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline provides six capabilities, cross-referenced with applicable industry and federal standards, as a default for minimally securable IoT devices.
- Device identification: The IoT device can be uniquely identified logically and physically.
- Device configuration: The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
- Data protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
- Logical access to interfaces: The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
- Software update: The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
- Cybersecurity state awareness: The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.
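The six capabilities read as requirements, but several of them meet in one place on a real device: the update path. The following is an added example (not text or code from NIST or from any manufacturer) of the checks a device needs before it accepts new software, exercising device identification (model check), device configuration (an operator-settable update policy), data protection (the image hash bound into an authenticated manifest), software update (only an authorized signer can ship one, and rollback is refused) and cybersecurity state awareness (every decision is recorded for reporting). The device model name, serial, key, manifest layout and the `Device`/`make_update` helpers are assumptions made for the example. HMAC-SHA256 with a provisioned symmetric key stands in for the signature primitive so the block runs with the standard library alone; where the device can afford it, a public-key signature (so no signing key ever lives on the device) is the better fit for "authorized entities only", and the surrounding checks are unchanged.

```python
"""Added example: an update-authorization gate covering the NISTIR 8259A
capabilities on the firmware-update path. All names and values are
constructed for illustration; HMAC stands in for a public-key signature."""
import hashlib
import hmac
import json

# Per-device update key, provisioned at manufacture (constructed value).
# A production device would hold only a verification public key instead.
UPDATE_KEY = b"example-provisioned-update-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = UPDATE_KEY) -> str:
    """Vendor side: authenticate the manifest (HMAC stands in for a signature)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def make_update(model: str, version: str, image: bytes, key: bytes = UPDATE_KEY):
    """Vendor side: bind the image hash into a manifest, then authenticate it."""
    manifest = {"model": model, "version": version,
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


class Device:
    def __init__(self, model: str, serial: str, version: str, auto_apply: bool = False):
        self.model = model            # device identification (logical)
        self.serial = serial
        self.version = version
        self.auto_apply = auto_apply  # device configuration: update policy
        self.firmware = b""
        self.events = []              # cybersecurity state awareness

    def _log(self, msg: str) -> None:
        self.events.append(msg)

    def state(self) -> dict:
        """What the device can report to an authorized entity."""
        return {"model": self.model, "serial": self.serial,
                "version": self.version, "events": list(self.events)}

    def apply_update(self, manifest: dict, signature: str, image: bytes,
                     approved: bool = False) -> tuple:
        """Return (applied, reason). Every outcome is recorded for reporting."""
        # 1. Authorization first: trust no manifest field before this passes.
        if not hmac.compare_digest(sign_manifest(manifest), signature):
            self._log("update rejected: bad signature")
            return False, "bad signature"
        # 2. An authentic image for a different product is still wrong here.
        if manifest.get("model") != self.model:
            self._log("update rejected: wrong model")
            return False, "wrong model"
        # 3. Anti-rollback: a signed but older image could reintroduce bugs.
        if parse_version(manifest["version"]) <= parse_version(self.version):
            self._log("update rejected: rollback")
            return False, "rollback"
        # 4. Integrity: the image must be the one the manifest was issued for.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            self._log("update rejected: image hash mismatch")
            return False, "image hash mismatch"
        # 5. Configurable policy: auto-apply, or wait for operator approval.
        if not (self.auto_apply or approved):
            self._log("update pending: awaiting approval")
            return False, "awaiting approval"
        self.firmware = image
        self.version = manifest["version"]
        self._log(f"update applied: {self.version}")
        return True, "applied"


if __name__ == "__main__":
    dev = Device("sensor-x1", "SN0001", "1.4.0")
    image = b"constructed firmware image bytes v1.5.0"
    manifest, sig = make_update("sensor-x1", "1.5.0", image)
    print(dev.apply_update(manifest, sig, image))
    print(dev.apply_update(manifest, sig, image, approved=True))
    print(dev.state())
```

The order of the checks matters: the authenticity check runs before any manifest field is read, so an attacker who controls the update channel cannot steer later logic with crafted metadata, and the version and model checks run before the (relatively expensive) hash of the full image. The event list is what a fleet management system would pull to satisfy the state-awareness capability; on a constrained device it would be a bounded ring buffer rather than an unbounded list.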
New Publications on IoT from NIST
On December 15, 2020, NIST released drafts of a special publication and three additional interagency reports expanding its IoT guidance catalog. These draft publications are open for public comment until February 12, 2021.
- NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements provides draft guidance for federal agencies to consider when integrating IoT devices into federal systems. It builds on NISTIR 8228, expands the NISTIR 8259 series and summarizes NIST IoT security guidance as it applies to federal agencies. It also references existing guidance such as NIST SP 800-30 and SP 800-53.
- NISTIR 8259B, IoT Non-Technical Supporting Capability Core Baseline provides additional non-technical supporting capabilities to supplement the capabilities provided in NISTIR 8259A.
- Documentation: The ability for the manufacturer and/or supporting entity to create, gather and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle.
- Reception: The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.
- Information dissemination: The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.
- Education and awareness: The ability for the manufacturer and/or supporting entity to create awareness of and educate customers about cybersecurity-related information, considerations, features, etc., of the IoT device.
- NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline presents a method for creating a profile from the capabilities of NISTIR 8259A and 8259B using three central concepts of (1) device-centricity, (2) cybersecurity focus and (3) minimal securability. It also addresses applying other external source documents such as security requirements or frameworks, to build a more customized and detailed security profile for IoT devices in a particular sector or use case.
- NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. This document provides a profile of the IoT device capabilities needed to incorporate those devices into a federal information system that implements the low-impact baseline controls of NIST SP 800-53. It leverages the profile method of NISTIR 8259C and the capabilities of NISTIR 8259A and 8259B. The result is a profile that maps desired IoT device capabilities to the SP 800-53 controls they can support and provides extra detail on the key abilities IoT devices should provide to support those controls.