There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the next step towards a more secure connected ecosystem.
Many of our conversations about connected products focus on connectivity in the technical sense (protocols, algorithms, etc.). Promoting trust among participants in the ecosystem and reducing the cybersecurity risks associated with using these products relies on a different type of communication: open dialogue and sharing information. This helps increase knowledge and improve peoples’ understanding about the cybersecurity of a connected product and is a shared responsibility; from hardware and software component suppliers to product developers, system integrators, security researchers and end users… each member of the ecosystem has a role to play. Ideally, ecosystem members should work in alignment to truly mitigate risk—but they all need information to play their part.
Communicating effectively about security also helps mitigate risk and is important to establishing and maintaining trust. For example, a lack of information about a product’s security capabilities may constrain a customer’s ability to take advantage of them. In some cases, a question is simply not asked (and therefore, the lack of capability goes unrealized until it’s potentially too late). The phrase “knowledge is power” applies; knowing what’s available is the first step to maximizing the value of it, and communication is about what each audience needs to know. To consider next steps, a framework that aligns lexicon and expectations among parties could provide a shared vision of common best practices.
All audiences could benefit from a consistent framework to identify what needs to be communicated, how to organize the information, and the processes that underlie it. Interactions could include developers, manufacturers, service providers, system integrators, security researchers, conformance assessors, regulators, end users, and … (the list can get very long) – each audience may merit a different approach. Additionally, in our interconnected world, this communication often has a global dimension, which brings in cultural and legal variations that must be considered.
For all of these reasons, we are exploring the idea of an approach to creating a Cybersecurity Transparency Framework for Connected Products. Our goal would be to describe a structured approach to achieving necessary and appropriate communication of relevant cybersecurity information among participants involved in the creation, consumption, and use of connected products.
Such a framework would be a tool for sharing information and expectations across the supply chain. For example, it could be used to organize information and identify key topics that need to be covered for various communications use cases, such as:
The scope would encompass structure, format, terminology, process, and content as well as communication means. Creating a framework can help establish a shared lexicon and terminology for communicating about features and means to drive outcomes (reducing risk, driving security outcomes). Related to process, the framework could help each ecosystem participant define interested parties, the purpose of the interaction, the mode of communication, how communications can be supported by technical means, and the options to implement the interaction with considerations for things such as risk, relevancy, and applicability.
The framework approach could also provide a structure for establishing best practices in sharing content, such as the types of information appropriate for communications at different levels of supply chain participants, support, and use in the connected product ecosystem. This would be both broad and high level to facilitate improving the exchange of cybersecurity-related information throughout the product ecosystem (while allowing for customization, as not every connected product and every customer will need to receive the same information in the same way).
NIST SP 800-213A and NIST IR 8259B, which describe non-technical supporting capabilities for IoT devices, provide a potential starting point for these kinds of discussions, as do efforts, both domestic and international ranging from the global work on consumer IoT cybersecurity labeling schemes to voluntary standards such as ETSI 303 645 and ISO/IEC 27402 (DIS). We look forward to future discussions with stakeholders in this very important topic that we feel is foundational to enabling a more secure connected product ecosystem.
Questions or Ideas?
If you’d like to weigh on in this concept, please email us at iotsecurity [at] nist.gov (iotsecurity[at]nist[dot]gov). We’d love to hear from you!