Appliances from refrigerators to thermostats to TVs are now available in models that interact with a wireless network, making them easier to control with a computer or smartphone. Because these devices also put our security at risk, the National Institute of Standards and Technology (NIST) has released a guide to help us adjust to a world where seemingly everything is connected and potentially vulnerable.
The guide identifies a set of voluntary recommended cybersecurity features to include in network-capable devices, whether designed for the home, hospital, or factory floor. Although the guide’s subtitle is A Starting Point for IoT Device Manufacturers, its principles can be useful to anyone who links a device to the internet.
“This ‘Core Baseline’ guide offers recommendations for what IoT devices should do and what security features they should possess,” says Mike Fagan, a NIST computer scientist and one of the guide’s authors. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers.”
As with other NIST cybersecurity publications, the Core Baseline (full title: Core Cybersecurity Feature Baseline for Securable IoT Devices, Draft NISTIR 8259) is not a set of rules for manufacturers to follow. Rather, it is voluntary guidance intended to help promote the best available practices for reducing risks to IoT security. It complements the recent publication of Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228), which primarily addresses large organizations that have more resources to dedicate to IoT cybersecurity.
IoT devices can provide tremendous benefits (e.g., smart medical devices) as well as a host of conveniences, like checking your refrigerator’s contents from the grocery store. They also create a new type of cybersecurity risk for a society that already suffers newsworthy hacks and data breaches on a regular basis. While a conventional computer might require a password entered from a keyboard, a network-capable coffee maker might have no keyboard at all, but would still appear on a home or office wireless network. This and countless other small electronic devices could be vulnerable to hacking if they do not possess security features that an owner understands and uses.
“Securing devices is a group effort,” Fagan says. “Manufacturers have to supply options and software updates, and users have to apply them. Both sides have roles to play.”
The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices, and that consumers can look for on a device’s box or online description while shopping. Although the document includes technical language not intended for consumers, Fagan provided a straightforward explanation of each feature:
Device identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
Device configuration: Similarly, an authorized user should be able to change the device’s software and firmware configuration. For example, many IoT devices have a way to change their functions or manage security features.
Data protection: It should be clear how the IoT device protects data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data on the devices’ internal storage.
Logical access to interfaces: The device should limit access to its local and network interfaces. For example, the IoT device and its supporting software should gather and authenticate the identity of users trying to access the device, such as by using a username and password.
Software and firmware update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from users.
Cybersecurity event logging: IoT devices should log cybersecurity events and make the logs accessible to owners and manufacturers. These logs help users and developers identify vulnerabilities in devices to secure or fix them.
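To make the six features concrete, here is an added illustration (not code from NIST or from the Core Baseline) of a toy device model that exercises each of them in turn. Everything in it is an assumption for demonstration: the class and method names, the constructed manufacturer key, and the use of HMAC-SHA256 as a stand-in for the asymmetric signature a real manufacturer would put on firmware images. Stored data is protected against modification with a per-device authentication tag; encryption for confidentiality, which the feature also covers, would use a vetted AEAD library and is not shown.

```python
"""Toy IoT device exercising the six draft NISTIR 8259 baseline features.
Added example, not NIST code; all names and keys are constructed assumptions."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed manufacturer signing key for the demo (assumption: symmetric HMAC
# stands in for the public-key signature a real vendor would use).
MANUFACTURER_KEY = b"constructed-manufacturer-key"


def sign_firmware(manufacturer_key: bytes, version: str, image: bytes) -> bytes:
    """Manufacturer-side step: bind the version string to the image bytes."""
    return hmac.new(manufacturer_key, version.encode() + b"\0" + image, "sha256").digest()


def _version_tuple(version: str):
    return tuple(int(part) for part in version.split("."))


class SecurableDevice:
    def __init__(self, manufacturer_key: bytes, admin_password: str):
        # 1. Device identification: a serial number plus a network address.
        self.serial = "SN-" + secrets.token_hex(4).upper()
        self.mac = "02:" + ":".join(f"{b:02x}" for b in os.urandom(5))  # locally administered
        # 4. Logical access to interfaces: keep only a salted PBKDF2 hash of the password.
        self._salt = os.urandom(16)
        self._pw_hash = self._hash_password(admin_password)
        # 3. Data protection: per-device key that authenticates records in local storage.
        self._storage_key = os.urandom(32)
        self._storage = {}
        # 2. Device configuration: settings an authenticated user may change.
        self.config = {"auto_update": True, "remote_admin": False}
        # 5. Software/firmware update: key used to verify update signatures; anti-rollback version.
        self._update_key = manufacturer_key
        self.firmware_version = "1.0.0"
        # 6. Cybersecurity event logging: records the owner or manufacturer can read back.
        self.events = []

    def _hash_password(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _log(self, event: str, detail: str = "") -> None:
        self.events.append({"ts": time.time(), "device": self.serial, "event": event, "detail": detail})

    def authenticate(self, password: str) -> bool:
        ok = hmac.compare_digest(self._hash_password(password), self._pw_hash)
        self._log("auth_success" if ok else "auth_failure", "admin interface")
        return ok

    def set_config(self, password: str, key: str, value) -> bool:
        if not self.authenticate(password):
            return False
        if key not in self.config:
            self._log("config_rejected", f"unknown key {key}")
            return False
        self.config[key] = value
        self._log("config_changed", f"{key}={value}")
        return True

    def store(self, name: str, data: bytes) -> None:
        tag = hmac.new(self._storage_key, name.encode() + b"\0" + data, "sha256").digest()
        self._storage[name] = (data, tag)

    def load(self, name: str):
        entry = self._storage.get(name)
        if entry is None:
            return None
        data, tag = entry
        expected = hmac.new(self._storage_key, name.encode() + b"\0" + data, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            self._log("storage_tamper", name)  # modified record detected, not returned
            return None
        return data

    def apply_update(self, version: str, image: bytes, signature: bytes) -> bool:
        expected = sign_firmware(self._update_key, version, image)
        if not hmac.compare_digest(expected, signature):
            self._log("update_rejected", f"bad signature for {version}")
            return False
        if _version_tuple(version) <= _version_tuple(self.firmware_version):
            self._log("update_rejected", f"rollback to {version} refused")
            return False
        self.firmware_version = version
        self._log("update_applied", version)
        return True


def demo() -> SecurableDevice:
    """Walk once through each feature and return the device for inspection."""
    dev = SecurableDevice(MANUFACTURER_KEY, "correct horse")
    dev.set_config("wrong password", "remote_admin", True)  # refused and logged
    dev.set_config("correct horse", "auto_update", False)   # accepted and logged
    dev.store("wifi", b"ssid=home")
    dev._storage["wifi"] = (b"ssid=other", dev._storage["wifi"][1])  # constructed corruption of storage
    image = b"constructed-firmware-bytes"
    dev.apply_update("1.1.0", image, b"\0" * 32)                                      # bad signature
    dev.apply_update("1.1.0", image, sign_firmware(MANUFACTURER_KEY, "1.1.0", image))  # genuine
    return dev
```

Running `demo()` and printing `dev.events` shows the kind of record the logging feature asks for: a failed login, a configuration change, a rejected update and an applied one, each tied to the device's serial. The `load` path shows why data protection and logging belong together: a modified record is refused and the refusal is itself logged.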
Fagan said that home users might appreciate the value of some of these features more easily—particularly data protection, regular software updates, and interface access controls (which stop other people from accessing your device). Other features represent a more nuanced benefit, such as the ability to reset a device securely to its original settings if the device ever changes hands. All of the draft’s feature recommendations were developed as part of a public/private partnership with industry, government, and academic stakeholders.
To improve the Core Baseline further, NIST will accept public comments on the draft until Sept. 30, 2019, after which the authors will begin work refining the guide for a future edition.