The National Institute of Standards and Technology (NIST) has recently published security guidelines for IoT devices. NIST hopes the new publication can help organizations better understand and manage the cybersecurity and privacy risks associated with IoT devices throughout the devices’ lifecycles.
The IoT guidelines, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (NISTIR 8228), offer good insight into the IoT challenges, as well as considerations to help mitigate IoT-related risks.
Many organizations are not aware of how many IoT devices they have or how those devices are used. This lack of visibility can negatively impact their cybersecurity and privacy risk posture.
In addition, cybersecurity controls we normally think of for traditional IT systems don’t necessarily apply to such a diverse, large number of IoT devices.
For example, devices range from medical devices used in the healthcare sector to smart devices used in the transportation sector. Of course, many users have already become familiar with popular consumer electronics, such as home security systems, lights, thermostats, TVs and kitchen appliances, just to name a few.
All of these are examples of internet-connected IoT devices, and they pose a wide range of cybersecurity and privacy challenges to organizations.
IoT risk considerations
NIST first recommends organizations understand three basic risk considerations and common characteristics of IoT devices.
The three IoT risk considerations include:
- Many IoT devices interact with the physical world (or internet) in ways most conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways as conventional IT devices/systems. This means more manual intervention and less automation.
- Cybersecurity and privacy safeguards are often different for IoT devices as compared to conventional IT systems (in terms of availability, efficiency and effectiveness).
In addition to these common IoT risk characteristics, NIST describes three primary, high-level IoT risk mitigation goals.
IoT risk mitigation goals
Similar to IT system security, IoT risk mitigations can be broken down into three primary objectives, according to NIST. Organizations must protect:
- Device security
- Data security
- Individuals’ privacy.
Protect device security
Device Security includes multiple areas such as Asset Management, Vulnerability Management, Access Management and Device Security Incident Detection.
As part of Asset Management, organizations need to keep a current and accurate inventory of all their IoT devices. This is critical to ensure IoT software/firmware is up to date and vulnerabilities addressed in a timely manner (as part of Vulnerability Management).
Access Management goals include managing the use of and access to IoT devices so that only authorized users and other devices gain access.
Finally, organizations need to monitor IoT device activity for device security incidents.
Protect data security
In addition to device security, organizations will need to provide strong data protections. For instance, organizations need to prevent unauthorized access to data stored on, or transmitted by, IoT devices, which could result in sensitive data exposure or disruption to the availability of IoT device operations.
IoT device activity also needs to be monitored for security incidents involving the data the devices store or process.
Protect individuals’ privacy
Organizations also need to pay close attention to protecting personally identifiable information (PII) processed by IoT devices that can impact individuals’ privacy.
NIST describes five privacy protection areas as part of the privacy protection goal:
- Information Flow Management: Maintain an up-to-date, accurate mapping of the PII lifecycle (data actions, data elements processed, context, and the parties involved).
- PII Processing Permissions Management: Maintain permissions for PII processing to prevent unpermitted PII processing.
- Informed Decision Making: Allow individuals to understand effects of PII processing and device interactions. Also, ensure they can participate in decision-making about PII processing or device interactions, as well as resolve issues.
- Disassociated Data Management: Identify authorized PII processing and determine how PII may be minimized or removed from IoT devices.
- Privacy Breach Detection: Monitor and analyze IoT device activity for signs of breaches involving individuals’ privacy.
In the following section, I’ve summarized some of the notable challenges from the NIST guidelines. Readers can also reference NISTIR 8228 for more details on how each maps to NIST SP 800-53 and the Cybersecurity Framework.
Device security challenges
NIST lists 30 different challenges that could impact device security. I’ve listed a number of the most notable ones and attempted to consolidate others that cover common themes.
A number of the most notable IoT device security challenges (first column) and potential mitigations (second column):

| Description of Challenge | Mitigations |
| --- | --- |
| IoT devices cannot participate in the asset management system. | Multiple asset systems; manual asset tracking. |
| Black box: little information on device hardware, software and firmware. | Manual inventory; catalog of items. |
| Lack of understanding of external dependencies. | Vulnerability scanning; establish a configuration baseline; configure only essential functions. |
| Vendor doesn’t release patches in a timely manner, or the device can’t be patched. | Vulnerability scanning; establish a configuration baseline; configure only essential functions. |
| Unable to scan devices for vulnerabilities. | Manual vulnerability checks. |
| Hard to uniquely identify each user, device and process attempting to logically access the device. | Ensure users, devices and other assets are authenticated; ensure identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes. |
| Weak identity and password management (e.g., default passwords can’t be changed; device doesn’t support identifiers, enterprise user authentication systems or account lockouts). | Ensure users, devices and other assets are authenticated (limited); ensure identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes (limited); use strong or multi-factor authentication commensurate with the risk of the transaction. |
| Device doesn’t support logical access privileges. | Separation of duties; principle of least privilege; data leak protections; device logging. |
| Lack of network communication restrictions to the device. | Network segregation/segmentation; manage remote access. |
| Lack of physical security controls to protect the device from tampering. | Network segregation/segmentation; manage physical access; restrict access to removable media. |
| Weak logging controls. | Monitor and log unauthorized events via a centralized logging system. |
| Lack of device intrusion prevention, anti-malware and file integrity checking controls. | Monitor the network for cybersecurity events and malware; integrity checking to verify firmware, software and data. |
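Several of the mitigations above (an accurate inventory, a configuration baseline, essential-functions-only configuration, default-credential checks and firmware integrity verification) can be checked together from an asset export. The following is an added example, not code from NISTIR 8228 or NIST; the device models, firmware versions, service names and image bytes are constructed for illustration.

```python
import hashlib

# Constructed vendor firmware images; models, versions and service names are
# assumptions for this example, not values from NISTIR 8228.
IMAGES = {
    ("ipcam-x", "2.1.0"): b"ipcam-x firmware 2.1.0 (constructed image)",
    ("ipcam-x", "1.9.3"): b"ipcam-x firmware 1.9.3 (constructed image)",
    ("therm-z", "1.4.2"): b"therm-z firmware 1.4.2 (constructed image)",
}
# Vendor manifest of expected image hashes, and the organization's configuration baseline.
MANIFEST = {key: hashlib.sha256(img).hexdigest() for key, img in IMAGES.items()}
BASELINE = {
    "ipcam-x": {"min_fw": (2, 1, 0), "allowed_services": {"https", "rtsp"}},
    "therm-z": {"min_fw": (1, 4, 2), "allowed_services": {"https"}},
}

def assess_device(dev: dict) -> list:
    """Return findings for one inventoried device; an empty list means it meets the baseline."""
    base = BASELINE.get(dev["model"])
    if base is None:  # no vendor data at all: the 'black box' case
        return ["no configuration baseline for this model (black-box device)"]
    findings = []
    if tuple(int(p) for p in dev["fw"].split(".")) < base["min_fw"]:
        findings.append("firmware below baseline version")
    expected = MANIFEST.get((dev["model"], dev["fw"]))
    if expected is None:
        findings.append("firmware version not in vendor manifest")
    elif hashlib.sha256(dev["fw_image"]).hexdigest() != expected:
        findings.append("firmware image hash mismatch (possible tampering)")
    if dev["default_creds"]:
        findings.append("default credentials still in use")
    extra = dev["open_services"] - base["allowed_services"]
    if extra:  # only essential functions should be configured
        findings.append("non-essential services exposed: " + ", ".join(sorted(extra)))
    return findings

def assess_inventory(inventory: list) -> dict:
    """Map each device id to its findings so gaps can be tracked in the asset system."""
    return {dev["id"]: assess_device(dev) for dev in inventory}

# Constructed inventory export: compliant, outdated/misconfigured, altered image, unknown model.
INVENTORY = [
    {"id": "cam-01", "model": "ipcam-x", "fw": "2.1.0", "fw_image": IMAGES[("ipcam-x", "2.1.0")],
     "default_creds": False, "open_services": {"https", "rtsp"}},
    {"id": "cam-02", "model": "ipcam-x", "fw": "1.9.3", "fw_image": IMAGES[("ipcam-x", "1.9.3")],
     "default_creds": True, "open_services": {"https", "telnet"}},
    {"id": "therm-07", "model": "therm-z", "fw": "1.4.2", "fw_image": b"therm-z firmware 1.4.2 (altered)",
     "default_creds": False, "open_services": {"https"}},
    {"id": "plug-99", "model": "smartplug-q", "fw": "0.9", "fw_image": b"",
     "default_creds": False, "open_services": set()},
]
```

Running `assess_inventory(INVENTORY)` flags the outdated camera on three counts, the thermostat's altered image, and the smart plug as a black-box device with no baseline.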
Data security challenges
NIST also provides numerous data security challenges that organizations need to be aware of, in addition to device security issues.
Highlighted below is a summary of important IoT data security challenges (first column) and potential mitigations (second column):

| Description of Challenge | Mitigations |
| --- | --- |
| Lack of sufficient encryption of data stored on the IoT device. | Encryption and protection of data at rest; removable media restricted and protected. |
| Lack of sufficient encryption of data in transit. | Protection of data in transit; transmission confidentiality and integrity. |
| IoT devices may not verify the identity of other devices before sending sensitive data over the network. | Protection of data in transit; transmission confidentiality and integrity. |
| Sensitive data not sanitized before disposing of or re-using the device. | Data destroyed; media sanitized. |
| Lack of secure data backup and restore. | Data backups are maintained and periodically tested. |
Privacy protection challenges
Finally, NIST highlights multiple challenges to protecting individuals’ privacy in the course of authorized PII processing. Organizations should take into account the challenges listed in all three tables: device security, data security and privacy protection.
Listed below is a summary of important privacy protection challenges (first column) and potential, limited mitigations (second column):

| Description of Challenge | Mitigations |
| --- | --- |
| Data outside of traditional federated environments. | Use of identifier mapping tables and cryptographic techniques; make identity attributes less visible to transmitting parties. |
| Lack of interfaces that allow users to interact with the device and manage their data. | Devices need to allow users to make informed decisions (such as consent, redress, reviewing privacy notices, and accessing/managing their information). |
| Insufficient centralized control and automation needed to apply policy or regulatory requirements to PII. | PII needs to be processed in compliance with the organization’s policy and regulatory requirements. |
| IoT devices can be remotely accessed, allowing PII to be shared outside the organization’s control. | Formal information sharing policy and agreements with external parties. |
| Insufficient centralized control needed to manage PII across a large number of IoT devices. | Boundary protections, such as separating networks used for public-facing devices from internal networks, and monitoring and controlling communication at the external boundaries; centralized inventory of PII. |
| Limited remote activation prevention, data reporting, notice of collection and data minimization. | Data collected by sensors is reported to authorized individuals or roles and only used for authorized purposes. |
| Decentralized data processing and management can lead to too much PII collected, inaccurate PII and re-identification of PII. | Minimize PII collected; follow record retention policies; data quality operations. |
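The first and last rows above (identifier mapping tables plus cryptographic techniques, data minimization and record retention) can be combined into one preparation step before sensor data leaves the organization. This is an added example, not code from NISTIR 8228 or NIST; the key, field names, retention period and badge records are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed settings: the key, field names and retention period are assumptions for this
# example, not values from NISTIR 8228. The key never leaves the organization.
MAPPING_KEY = b"constructed-key-for-example-only-replace-in-practice"
ALLOWED_FIELDS = {"employee_id", "timestamp", "zone"}  # minimized schema for authorized use
RETENTION = timedelta(days=30)

def pseudonym(identifier: str, key: bytes = MAPPING_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for the same id, not reversible without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def minimize(record: dict) -> dict:
    """Drop every field outside the approved schema (names, free-text notes, etc.)."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

def prepare_for_sharing(records: list, now: datetime, mapping_table: dict) -> list:
    """Apply retention, minimization and pseudonymization before PII leaves the organization.

    mapping_table (pseudonym -> original id) is the identifier mapping table kept internally;
    only the returned records are shared with the external party."""
    shared = []
    for rec in records:
        if now - datetime.fromisoformat(rec["timestamp"]) > RETENTION:
            continue  # record retention: expired data is neither kept nor shared
        clean = minimize(rec)
        alias = pseudonym(rec["employee_id"])
        mapping_table[alias] = rec["employee_id"]
        clean["employee_id"] = alias
        shared.append(clean)
    return shared

# Constructed badge-sensor records; the second is older than the retention period.
SAMPLE = [
    {"employee_id": "E1234", "badge_holder": "Jane Doe", "timestamp": "2024-05-10T08:02:00+00:00",
     "zone": "lab-3", "notes": "late arrival"},
    {"employee_id": "E1234", "badge_holder": "Jane Doe", "timestamp": "2024-03-01T09:15:00+00:00",
     "zone": "lab-3", "notes": ""},
    {"employee_id": "E5678", "badge_holder": "John Roe", "timestamp": "2024-05-11T17:45:00+00:00",
     "zone": "lobby", "notes": "visitor escort"},
]
NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)
```

Calling `prepare_for_sharing(SAMPLE, NOW, {})` returns two records with names and notes removed and a stable pseudonym in place of the employee id; the receiving party can correlate records but cannot recover the identity without the internal mapping table.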
Other recommendations to address IoT risks
In addition to mapping out the previously mentioned challenges, NIST also provides additional recommendations to address IoT cybersecurity and privacy risks.
For example, organizations will need to update their policies and procedures to account for the previously mentioned IoT considerations, as well as the large number of devices and device types. Organizations may also need to explicitly call out how they scope IoT devices and controls required to meet local laws and regulations.
Similarly, organizations should identify which IoT devices are used, their purpose and capabilities. Next, risk can be determined and then entities can determine how to respond to the risk, such as accept, avoid, mitigate, share or transfer it.
Also, organizations may need to consider trade-offs when addressing IoT risks. For example, IoT devices used for safety need a high degree of resiliency. Adding restrictions such as physical access controls, complex passwords and account lockouts (as for traditional IT systems) could delay recovery in the event of a device outage, which in turn could affect safety and cause harm.
Finally, organizations can leverage the NIST Cybersecurity Framework to help address cybersecurity risk throughout the IoT device lifecycle. Subcategories include Asset Management, Risk Assessment, and Supply Chain Risk Management, just to name a few.
In addition, NIST SP 800-37 Revision 2 and NIST SP 800-53 Revision 5 are good foundational guidelines for the Risk Management Framework (RMF) and for Security and Privacy Controls for information systems, respectively.
In conclusion, NISTIR 8228 provides a good summary of many of the IoT-related challenges and general guidelines to consider. However, it is light on specific examples of potential cybersecurity and privacy controls for IoT devices, though NIST said it plans to publish IoT capabilities in the future.