What do Chief Product Security Officers (CPSOs) want to make their job easier? As it turns out, standards. This insight was one of many shared at a public virtual workshop NIST held June 22, 2022, to discuss the next steps for the Cybersecurity for the Internet of Things (IoT) program.
As we move forward in developing cybersecurity guidance for IoT products, NIST remains committed to an open and transparent process that builds on input from stakeholders, including industry and the broader public. Our June 22 workshop explored specific considerations around cybersecurity in IoT products, which have broad applicability across sectors, including consumer products. As Kevin Stine, Chief of the Applied Cybersecurity Division, pointed out, transparency and an open process lead to greater trust, and trust in IoT is essential to the technology’s ability to reach its full potential.
Katerina Megas, Program Manager for the Cybersecurity for IoT Program, kicked off the workshop, which featured keynote addresses from two industry representatives: David Barzilai, Vice President for Sales & Marketing and Co-Founder of Karamba Security, and Jasyn Voshell, Director of Product and Solutions Security at Zebra Technologies.
Karamba Security recently surveyed CPSOs and their equivalents to better understand their biggest challenges. They found that standards and regulations are very useful to CPSOs because it is so difficult for manufacturers to ensure that security practices are employed all along their lengthy supply chains. Barzilai explained how the auto industry is driving change in this area, creating a lifecycle framework with mandatory processes. Original equipment manufacturers (OEMs) are ultimately responsible for the final products. OEMs must be able to show regulators that cybersecurity requirements have been met throughout the supply chain and must address critical issues prior to production.
Zebra Technologies provides an array of IoT and IT products, including mobile products, for a broad range of industries. As the company’s director of Product and Solutions Security, Voshell guides the efforts of development teams across multiple business units. His mantra, “Secure by Design, Secure in Use, and Secure Through Trust,” is supported by mechanisms that include maturity models and standards, such as the Software Assurance Maturity Model (SAMM). He pointed out that although the roles of the CPSO and CISO are related, the respective domains of product security and security of business operations are distinct.
In addition to the keynote addresses, the workshop featured three panel discussions led by NIST’s own Jeff Marron, Michael Fagan, and Kevin Brady. The following are some of the ideas shared during the discussions. This is by no means a comprehensive list – a recording of the workshop is available here.
Panel 1: What’s next for the consumer IoT baseline: Considerations we heard for the Consumer IoT Cybersecurity Criteria
Panel 2: Product cybersecurity strategy: How do cybersecurity requirements fit into IoT product development?
Panel 3: The S in NIST: Using standards to support product cybersecurity outcomes
We thank all of the workshop participants and attendees for a lively and interesting discussion. We will be publishing a workshop summary report soon. In the meantime, if you have feedback on the event, please send comments to iotsecurity [at] nist.gov. Comments on our recently released draft documents are due July 31, 2022.