Cybersecurity Profile for Consumer Grade Routers: Update from NIST’s December Discussion Forum
On December 7, 2023, NIST held a hybrid discussion forum to present our progress toward the development of cybersecurity requirements for consumer grade routers, as tasked by the White House in July of 2023. Discussions at the forum were organized around the content of two documents that are currently in development:
The Forum was attended by approximately 45 people representing more than 25 organizations—and attendees had the opportunity to ask questions and engage in dialogue with NIST presenters throughout the session.
In the first part of the forum, NIST presented the draft NIST consumer grade router cybersecurity profile.[i] This draft profile is derived from the Baseline for Consumer IoT Products (NIST IR 8425) and applies the concepts presented with a focus on the particular needs of consumer-grade routers. In the second part of the Forum, NIST discussed the necessity of identifying cybersecurity outcomes for IoT products[ii], including router products, rather than just devices. Products include components such as backends, mobile apps and other external services.
While the issue of applying the cybersecurity profile to the full router product was discussed in the first part of the Forum, the product-component relationship and the relationship of outcomes, labeling schemes, and standards as initially presented in the February 2022 Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products was the focus of the second half of the Forum. We discussed available standards generally applicable to the cybersecurity of several types of IoT product components and examined some non-technical outcomes associated with IoT product cybersecurity.
NIST’s Mike Fagan further explained that outcomes apply to the product as a whole—but may not be applied identically to each product component. For example, software updates may be applied differently to different product components, while data at rest protections would be implemented similarly by each component.
Discussion on the router profile focused on considerations for applying the router cybersecurity profile to consumer-purchased vs. ISP-supplied routers. From a technical and cybersecurity standpoint, the discussions did not highlight a significant difference between a consumer-purchased router and an ISP-supplied router. The major differences were around network interactions and how the device is acquired and provisioned in the home. NIST presented the view that the router profile is applicable to either situation.
Participants also raised the point that manufacturers may not have control over (or information about) all the components that are included within their products, yet would need to demonstrate conformity to the NIST cybersecurity outcomes. This lack of transparency across the multiple entities providing components in the product supply chain creates special challenges for manufacturers. An example was raised where certification for an IoT product would rely on cooperation from a manufacturer's competitor if the product is using (or could be configured to use) the competitor's backend. While NIST recognizes the challenge for manufacturers, the goal of the NIST outcomes is for all IoT product components[iii][iv] necessary for the product's full functionality to be integrated securely. Thus, to ensure the outcomes are met, the product needs to be considered as a whole by the manufacturer.
Another area discussed was the challenge of manufacturer-to-customer communication (especially when there might not be a defined relationship between the two). An example was given that customers aren’t always readily reachable by the manufacturer due to low product registration response rates. Another discussion on documentation indicated that, in many cases, the retailer selling to the customer may not have the documentation supplied by the manufacturer in the first place. NIST intends to focus on what is within the control of the manufacturer in achieving outcomes (and expects manufacturers to make a good-faith effort to connect broadly with customers).
Send Us Your Feedback
We thank all of the attendees for a lively discussion, great feedback, and for the detailed ideas and documents. In the meantime, if you have feedback on the event, please send comments to iotsecurity [at] nist.gov. Comments on our preliminary draft document are due December 21, 2023.
[i] The process of profiling tailors and/or extends from the most applicable starting point (i.e., the consumer profile) and can be performed at any level of specificity.
[ii] IoT products are digital products with transduction and networking capabilities. In most consumer use cases, the digital aspect of IoT products extends beyond the confines of the IoT device, relying on other IoT product components such as backends and mobile apps to perform even basic functions.
[iii] The concept of IoT product components used here draws on Internet of Things (IoT) Component Capability Model for Research Testbed (NIST IR 8316), which discusses how IoT components, systems and environments relate.