This week’s blog post highlighting Cybersecurity Awareness Month is from NIST’s Katerina Megas, program manager, Cybersecurity for the Internet of Things (IoT) program. In this post, Ms. Megas discusses how technological innovations, such as 5G, might impact the online experiences of consumers and businesses, how IoT is changing security risks, and what solutions are emerging for a more secure Internet of Things.
When NIST stood up the National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC) in 2012, I joined to lead the Trusted Identities Pilot Program as the Federal Program Officer. In November 2016, recognizing that significant work was going on across the agency that supported IoT security, NIST established an umbrella program for IoT cybersecurity and asked me to lead it.
I think the benefits are probably more than I could start to elaborate on, but I can share an anecdote based on a recent discussion related to our National Cybersecurity Center of Excellence (NCCoE) project on Securing Telehealth Remote Patient Monitoring Ecosystem. One of the challenges for telehealth services is configuring health-related devices on a patient’s home network when the remote support needed to deploy the devices is dependent on that home network. The ability to leverage the cellular network to deploy these devices significantly reduces complicating variables for device providers, but, at the same time, adding another interface on these devices creates another potential attack vector.
I anticipate that as devices with embedded 5G connections become more ubiquitous, organizations will have to start exploring new ways to manage device security as they will no longer be able to rely on network-based security controls. Today, we are often able to detect when a new device attaches to our network and then manage the security risks accordingly. As devices are brought into the “boundaries” of our business operations without having to attach to the local network, they may still capture private, proprietary, or critical data. We will need to find new ways to identify the devices and manage the risk.
The introduction of IoT devices has changed the way we approach security risk in a couple of interesting ways. (One of our early publications, NIST IR 8228, discusses how IoT is different and may affect risk differently.) Considered in isolation, the use case of a single IoT device may seem low risk in itself. However, we are seeing that these devices provide an entryway into networks, as shown recently when attackers used an internet-connected thermometer in a Las Vegas casino’s fish tank to reach its database. One might look at the narrow use case of regulating the temperature of a fish tank and conclude that there is no need for substantial security. However, attacks that pivot from a low-value device to higher-value systems are changing that perspective: a device’s risk is set as much by what it can reach on the network as by what it does itself.
Also, as these devices become more ubiquitous, organizations and individuals become more dependent on them for day-to-day operations. With ransomware attacks becoming more widespread, organizations need to consider the impact if operations shut down completely. In that instance, the impact would be less about the data and more about the functionality provided by the connected device. Home users need to consider what might happen if various devices were hijacked. For example, not being able to make coffee might be a minor inconvenience, but a hijacked front door lock could have a more significant impact.
The solution for a more secure Internet of Things probably lies in a multi-pronged approach, involving both network-centric and device-centric security. There are emerging device-centric approaches and forward-looking network-centric approaches, including Manufacturer Usage Description (MUD, RFC 8520), which enables a device to “advertise” its expected behavior to the local network: the device emits a URL pointing to a manufacturer-published MUD file that describes the traffic it needs to send and receive, and the network can then restrict the device to exactly that behavior.
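To make the MUD idea concrete, here is an added example (not code from this post, nor from NIST’s MUD reference implementations) that takes a MUD file laid out as in RFC 8520, flattens its from-device and to-device access lists into an allow-list, and checks sample flows against it with default deny. The thermostat MUD file, the controller-URN-to-host bindings and the sample flows are constructed for illustration; the function names `compile_rules`, `check_flow` and `audit` are this example’s own, not part of the RFC. Retrieval of the file from the MUD URL and verification of the manufacturer’s signature, which RFC 8520 requires, are assumed to have happened before this step.

```python
import json

# Constructed MUD file for a hypothetical thermostat, laid out as in RFC 8520.
# It permits only: HTTPS out to update.example.com, NTP out to an admin-bound
# controller, and TCP/8443 in from the HVAC controller. Everything else is denied.
MUD_FILE = r'''{
  "ietf-mud:mud": {
    "mud-version": 1, "mud-url": "https://mud.example.com/thermostat.json",
    "last-update": "2020-10-01T00:00:00+00:00", "is-supported": true,
    "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-thermo-fr"}]}},
    "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-thermo-to"}]}}},
  "ietf-access-control-list:acls": {"acl": [
    {"name": "mud-thermo-fr", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "upd-out", "actions": {"forwarding": "accept"}, "matches": {
        "ipv4": {"ietf-acldns:dst-dnsname": "update.example.com", "protocol": 6},
        "tcp": {"ietf-mud:direction-initiated": "from-device",
                "destination-port": {"operator": "eq", "port": 443}}}},
      {"name": "ntp-out", "actions": {"forwarding": "accept"}, "matches": {
        "ietf-mud:mud": {"controller": "urn:example:ntp"}, "ipv4": {"protocol": 17},
        "udp": {"destination-port": {"operator": "eq", "port": 123}}}}]}},
    {"name": "mud-thermo-to", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "ctl-in", "actions": {"forwarding": "accept"}, "matches": {
        "ietf-mud:mud": {"controller": "urn:example:hvac-controller"}, "ipv4": {"protocol": 6},
        "tcp": {"ietf-mud:direction-initiated": "to-device",
                "destination-port": {"operator": "eq", "port": 8443}}}}]}}]}}'''

# Constructed: the local administrator's binding of controller URNs to hosts.
# A MUD file names controllers abstractly; only the deploying network knows them.
CONTROLLER_MAP = {
    "urn:example:ntp": "ntp.lan",
    "urn:example:hvac-controller": "hvac.lan",
}


def compile_rules(mud_text, controller_map):
    """Flatten the from-device and to-device ACLs into simple match records."""
    doc = json.loads(mud_text)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        for ref in mud[policy]["access-lists"]["access-list"]:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                l4 = m.get("tcp") or m.get("udp") or {}
                # The remote side is the destination for outbound, source for inbound.
                peer_key = ("ietf-acldns:dst-dnsname" if direction == "from-device"
                            else "ietf-acldns:src-dnsname")
                peer = ip.get(peer_key)
                controller = m.get("ietf-mud:mud", {}).get("controller")
                if controller is not None:
                    if controller not in controller_map:
                        raise ValueError(f"controller {controller} is not bound locally")
                    peer = controller_map[controller]
                rules.append({
                    "name": ace["name"], "direction": direction, "peer": peer,
                    "protocol": ip.get("protocol"),
                    "port": (l4.get("destination-port") or {}).get("port"),
                    "accept": ace["actions"]["forwarding"] == "accept",
                })
    return rules


def check_flow(rules, direction, peer, protocol, port):
    """Default deny: a flow passes only if an accept ACE describes it."""
    for r in rules:
        if r["direction"] != direction:
            continue
        if r["peer"] is not None and r["peer"] != peer:
            continue
        if r["protocol"] is not None and r["protocol"] != protocol:
            continue
        if r["port"] is not None and r["port"] != port:
            continue
        return ("accept" if r["accept"] else "drop", r["name"])
    return ("drop", "default-deny")


# Constructed flows: (direction, remote peer, IP protocol, destination port).
SAMPLE_FLOWS = [
    ("from-device", "update.example.com", 6, 443),  # firmware check
    ("from-device", "ntp.lan", 17, 123),            # time sync to bound controller
    ("to-device", "hvac.lan", 6, 8443),             # controller reaches the device
    ("from-device", "db.corp.lan", 6, 1433),        # pivot toward a database server
    ("to-device", "203.0.113.7", 6, 23),            # telnet probe from the Internet
]


def audit(flows=SAMPLE_FLOWS, mud_text=MUD_FILE, controller_map=CONTROLLER_MAP):
    """Return (flow, verdict, matching rule name) for each flow."""
    rules = compile_rules(mud_text, controller_map)
    return [(flow, *check_flow(rules, *flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict, rule in audit():
        print(f"{verdict:6} {rule:12} {flow}")
```

The two denied flows are the point: the thermostat never needed to talk to a database server or accept telnet, so a MUD-enforcing network drops those attempts even though the device itself has no say in it. The unbound-controller check matters in practice; a MUD manager that silently ignores an unknown controller URN either blocks a needed flow or, worse, widens the rule to any host.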
The importance of focusing on device-centric security needs came out of a key finding during the early days of the Cybersecurity for IoT program. During a public workshop on NIST IR 8228, participants raised the concern that, in some cases, devices were being adopted because of their tremendous benefits even though no good mitigations were available for known risks, because those mitigations depended on security built into the devices themselves. This led us to begin looking at the basic security capabilities that manufacturers should consider when developing IoT devices. In NIST IR 8259, we highlight six foundational activities for device manufacturers, and in NIST IR 8259A we highlight six technical capabilities that should be considered as a starting point: device identification, device configuration, data protection, logical access to interfaces, software update, and cybersecurity state awareness. A video summarizing these recommendations is available on our website. We are currently developing guidance on the security requirements that federal agencies should expect of the IoT devices they use, and of the manufacturers that build them.
I work on a daily basis with colleagues who have vast expertise and are committed to excellence. When I started the IoT program, I was able to draw on a great deal of existing work and expertise at NIST, and everyone was willing to share. This commitment to excellence goes all the way up the management chain. Management always has open doors, even for asking for guidance and advice. NIST leadership demonstrates their view that the agency’s value lies in the staff, and that is shown in the way NIST’s culture has evolved.
As this year’s National Cybersecurity Awareness Month draws to a close, remember that all users connected to the Internet need to do their part to protect the security of their devices and data. For more on NIST’s IoT security-related work, visit the Cybersecurity for IoT program’s website. Also, be sure to take advantage of our list of cybersecurity resources, including guidance on Securing Home IoT Devices Using MUD. Follow NIST on Facebook and Twitter (@NIST and @NISTcyber), and don’t forget, if you connect IT, protect IT!