The Internet of Things continues to draw broad interest from policymakers and regulators around the globe. Following on the heels of a major distributed denial-of-service attack in October 2016 that leveraged potentially millions of compromised IoT devices, members of Congress have sent letters to US federal agencies regarding the risks posed by insecure IoT devices and held a hearing about what if anything should be the US federal response to such IoT-driven cyberattacks. Against that backdrop, in November 2016 two US federal agencies have issued guidance on securing IoT.
National Institute of Standards and Technology (NIST)
After four years of work, NIST (part of the Department of Commerce) on November 15 released groundbreaking guidance on securing the Internet of Things. NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (NIST SP 800-160), focuses on how to to create IoT devices that are fit-for-purpose from a security perspective (akin to how society expects a bridge to be engineered against collapse). NIST approaches IoT security challenges from a systems engineering perspective, leveraging existing international standards for systems and software engineering (e.g., ISO/IEC/IEEE 15288) to consider the entire lifecycle of IoT device security. As a result, the publication is targeted not only to engineering professionals, but also to individuals with security governance, risk management, and oversight responsibilities and it will likely be an influential resource for regulators and others considering the appropriateness of IoT security efforts.
NIST SP 800-160 recognizes that it is not feasible to identify all potential cyberrisks or to protect against all anticipated threats and disruptions. Instead, NIST suggests that through use of systems security engineering, the approach to system architecture and design can make IoT devices inherently less vulnerable to attack, support greater resilience, and reduce the impact of attacks that nonetheless do occur. The guidance emphasizes the importance of security by design, thereby taking into account cybersecurity considerations at every stage of the system lifecycle (including design, development, deployment, and maintenance). The bulk of the 257-page document is devoted to describing the principles and concepts associated with systems security engineering, outlining system security in system lifecycle processes, and providing detailed appendices. Appendix F details thirty-two specific security design principles spanning three areas: security architecture and design; security capability and intrinsic behaviors; and life cycle security. In this context, the guidance offers up security principles such as secure evolvability (a system developed to facilitate the maintenance of its security properties when there are changes to its functionality structure) and continuous protection (all components and data used to enforce the security policy must have uninterrupted protection consistent with security policy and architecture assumptions).
This latest NIST publication on IoT is part of a planned series on systems security engineering, which will address other topics such as hardware security and assurance, software security and assurance, and system resiliency. NIST also signaled its intent to update its foundational security and risk management guidance in accordance with systems engineering considerations. And NIST previously released other IoT-focused guidance, including a separate special publication on Networks of ‘Things’ (released July 2016) and a draft Framework for Cyber-Physical Systems (released May 2016).
Department of Homeland Security (DHS)
In accordance with its mission to secure cyberspace and responding to recent cyberattacks leveraging compromised IoT devices, in November 2016 DHS released guidance on Securing the Internet of Things. The emphasis from DHS for this guidance is on countering potential impacts to critical infrastructure, public safety, and national security in the United States. As part of this effort, DHS released a guidance document on “Strategic Principles for Securing the Internet of Things” (with an accompanying fact sheet), which detailed DHS’s assessment of the risks posed by IoT and a set of principles for addressing IoT security challenges. The DHS guidance is targeted at four categories of stakeholders: (1) IoT developers; (2) IoT manufacturers; (3) service providers that implement services through IoT devices; and (4) industrial and business-level consumers, including the US federal government as well as owners and operators of critical infrastructure.
As put forward by DHS, there are six strategic principles for securing IoT:
- Incorporate Security at the Design Phase. Security should be evaluated as an integral component of any network-connected device. While there are notable exceptions, economic drivers motivate businesses to push devices to market with little regard for security.
- Promote Security Updates and Vulnerability Management. Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates, and vulnerability management strategies.
- Build on Recognized Security Practices. Many tested practices used in traditional IT and network security can be used as a starting point for IoT security. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices.
- Prioritize Security Measures According to Potential Impact. Risk models differ substantially across the IoT ecosystem, as do the consequences of security failures. Focusing on the potential consequences of disruption, breach, or malicious activity is critical for determining where in the IoT ecosystem particular security efforts should be directed.
- Promote Transparency across IoT. Where possible, developers and manufacturers need to know their supply chain, namely, whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization. Increased awareness can help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies.
- Connect Carefully and Deliberately. IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.
* * *
Together, these guidance documents signal the US government’s increasing focus on IoT security. Such guidance may become the basis for complaints by litigators or regulators that IoT developers, manufacturers, and service providers are not meeting the industry standard of care in the wake of cyberattacks compromising IoT devices. The FTC has brought enforcement actions against IoT developers in the past for alleged failures to address security vulnerabilities. As previously noted, organizations are well advised to pay close attention to these developments; although these guidance materials are “voluntary,” their publication has a government imprimatur and the practices described in them could rapidly become regarded as setting a baseline for industry.