Appliances from refrigerators to thermostats are now available in models that interact with a wireless network, making them easier to control with a computer or smartphone. Because these devices can also put our security at risk, the National Institute of Standards and Technology (NIST) has released a guide to help us all adjust to a world where seemingly everything is connected — and potentially vulnerable.
The guide identifies a set of voluntary recommended cybersecurity features to include in network-capable devices, whether designed for the home, the hospital or the factory floor. Although the guide’s subtitle is A Starting Point for IoT Device Manufacturers, its principles can be useful to anyone who links a device to the internet.
“This ‘Core Baseline’ guide offers some recommendations for what an IoT device should do and what security features it should possess,” said Mike Fagan, a NIST computer scientist and one of the guide’s authors. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers.”
As with a number of other NIST cybersecurity publications, the Core Baseline, whose full title is Core Cybersecurity Feature Baseline for Securable IoT Devices (Draft NISTIR 8259), is not a set of rules for manufacturers to follow. Rather, it is voluntary guidance intended to help promote the best available practices for mitigating risks to IoT security. It complements the recent publication of Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228), which primarily addresses large organizations that have more resources to dedicate to IoT cybersecurity.
IoT devices can provide tremendous benefits (e.g., smart medical devices) as well as a host of conveniences, like checking our refrigerator’s contents from the grocery store. They also create a new type of cybersecurity risk for a society that already suffers newsworthy hacks and data breaches on a regular basis. While a conventional computer might require a password entered from a keyboard, a network-capable coffee maker might have no keyboard at all — but would still appear on a home or office wireless network. This and countless other small electronic devices could be vulnerable to hacking if they do not possess security features that an owner understands and uses.
“Securing devices is a group effort,” Fagan said. “The manufacturer has to supply options and software updates, and the user has to apply them. Both sides have roles to play.”
The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices, and that consumers can look for on a device’s box or online description while shopping. While the document includes technical language not intended for consumers, Fagan provided a straightforward explanation of each feature:
Fagan said that home users might appreciate the value of some of these features more easily — particularly data protection, regular software updates, and interface access controls (which stop other people from accessing your device). Other features represent a more nuanced benefit, such as the ability to reset a device securely to its original settings if the device ever changes hands. All of the feature recommendations in the draft IoT Core Baseline were developed as part of a public/private partnership with industry, government and academic stakeholders.
To improve the Core Baseline further, NIST will hold a workshop on Aug. 13, 2019, to gather feedback on the draft. The authors will hold breakout sessions to discuss aspects of the draft with the stakeholder community. Registration is open until Aug. 6. The agency will accept public comments on the draft until Sept. 30, 2019, after which the authors will begin work refining the guide for a future edition.