The Internet of Things (IoT) offers many attractions for small and medium-sized manufacturers (SMMs) who may want to integrate IoT into their facilities and operations, or who seek to enter the IoT market with innovative products. The spectrum of available IoT products is broad and continually growing. When venturing into the IoT waters, it’s helpful to be prepared for the potential cybersecurity pitfalls, whether in the form of implications for organizational risk management when introducing IoT to the environment or considerations for product design and support when entering the marketplace as a product vendor. The NIST Cybersecurity for the Internet of Things program is working to provide the information that SMMs need to navigate these potentially turbulent waters.
Before you install smart thermostats to keep your employees comfortable, add smart coffee pots to break rooms to keep them caffeinated, or deploy the latest and greatest Industrial Control System (ICS) technology in your production environment, it’s important to recognize the potential implications. You may have a robust information security program for your traditional IT, but those tools, processes and procedures will likely require adaptation when IoT is introduced. Some of the ways that IoT is different include:
SMMs adopting IoT into their environments need to be prepared to address these challenges. If entering the IoT market as a vendor, understanding these challenges can be an opportunity to develop a product that provides a better customer experience.
When adopting IoT technology in your organization, SMMs should plan to address these challenges with an eye toward three goals:
These goals are articulated in NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, and can be difficult to achieve with currently available IoT products. For organizations that are applying the NIST Cybersecurity Framework (CSF) or defining their security requirements using NIST SP 800-53 controls, NISTIR 8228 identifies a range of challenges that IoT devices present to achieving the ends that the CSF and SP 800-53 intend. For example, control SI-2, Flaw Remediation, from SP 800-53 cannot be satisfied by IoT devices that lack an ability for secure software/firmware updates. Similarly, many IoT devices cannot be analyzed in the manner needed to satisfy the CSF subcategory DE.CM-8: Vulnerability scans are performed.
Consideration for the three goals identified above should factor into the selection of IoT products as well as how they are managed, as the security capabilities of IoT devices contribute to achieving the overall security requirements of the systems into which the devices are integrated.
If you are venturing into the creation of IoT products, awareness of cybersecurity challenges can help guide your approach to the development and support of your product. The three goals described above also apply when developing an IoT product. A thoughtful approach to development with those goals in mind will result in a more manageable, more secure product. This approach involves both the design and development phase for the product and the support phase once it’s brought to market, as illustrated in this figure from NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
The core baselines outline device abilities and supporting actions across a spectrum of needs:
| Baseline capability or activity | Description |
|---|---|
| Device Identification | The IoT device can be uniquely identified logically and physically. |
| Device Configuration | The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only. |
| Data Protection | The IoT device can protect the data it stores and transmits from unauthorized access and modification. |
| Logical Access to Interfaces | The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only. |
| Software Update | The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism. |
| Cybersecurity State Awareness | The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only. |
| Documentation | The ability for the manufacturer and/or supporting entity to create, gather and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent lifecycle. |
| Information and Query Reception | The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device. |
| Information Dissemination | The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device. |
| Education and Awareness | The ability for the manufacturer and/or supporting entity to create awareness of and educate customers about elements such as cybersecurity-related information, considerations and features of the IoT device. |
The planning activities, combined with applying the technical and non-technical baselines, will help SMMs develop products that are both more secure-able and better supported, helping your customers take advantage of your IoT innovations while limiting the impact on their risk management.
The NIST Cybersecurity for the Internet of Things program has engaged deeply with the community over the last several years and developed a rich collection of guidance around IoT cybersecurity challenges. Whether you are an SMM looking to improve operations with the integration of IoT or enter the marketplace with new products, there are many resources and publications available to assist your efforts.
NIST’s Cybersecurity for IoT program welcomes manufacturer feedback (iotsec [at] nist.gov) on our current public drafts.