Let’s demystify the latest NIST IoT security releases

Earlier this month, President Trump signed into law the 2020 Internet of Things Cybersecurity Improvement Act. The law calls on the government to purchase only security-connected devices and asks the National Institute of Science and Technology (NIST) to make periodic recommendations as to what, exactly, a secure device will comprise.

This week, NIST released four documents that — along with two others released earlier this year — will provide federal agencies with the requested guidance. I can’t dig into every aspect of these papers, but I’m going to try to help y’all get a lay of the land so that you understand what’s in each document and what, depending on your industry and your goals, will matter to you.

So let’s have at it!

Back in August 2019, the agency released a draft report outlining how device manufacturers should think about IoT device security. I did a deep dive on that draft, which covered six core areas. For those who want the TL;DR version, here’s an overview from my write-up:

So what does NIST recommend? Most of it is common sense, in line with what I’ve been saying for years. Make sure a device can be updated over the air, and ensure that it’s secure. Give each device a unique identifier so it can be identified on a network. Give authorized users a way to change and adjust features, especially those related to security. Make sure both logical and physical access to a device is controlled. For example, an outdoor camera whose reset button can be pressed by a stranger isn’t secure (this was a real issue) and having too many open ports on a network can be a problem.

The final two recommendations are ones I am really excited to see being made official: Log actions on an IoT device and app, and communicate to customers how the product is secured.

This week, NIST released additional draft versions that are meant to complement that main report, which is titled NIST Interagency Report 8259. The follow-on NIST Interagency Reports or, NISTIRs, released this week are labeled with a B, C, and D. (NISTIR 8259A was released in May of this year.) They aim to tell companies how to apply the main report to various entities.

Let’s think of the B version of NISTIR 8259 as a process report. It aims to translate some of the technical demands of the original security goals and turn them into easy-to-understand processes that device manufacturers should put in place to help users buy secure devices. For example, one of the guidelines in the original report calls for device manufacturers to tell users how a device is secured. NISTIR 8259B explains how a company can document product security, such as by explaining what data the device collects and how it’s used. In a series of tables, it offers suggestions and rationales for those suggestions that anyone can understand.

NISTIR 8259C, meanwhile, is an explainer that tells readers how NIST developed NISTIR 8259D, which itself tries to help device manufacturers that are building for specific markets address the demands of the 8259 document overall. The specific market covered by version D is the federal government, since that’s what the new law covers. However, any manufacturer could use the explainer to build profiles for other markets, such as health or finance.

This leaves us with one other new report from NIST this week — NIST Special Publication (SP) 800-213. This draft report tries to take all of the device-specific recommendations from the aforementioned reports and place them in the context of overall IT networks. Because, as most of us know, IoT security is about devices, networks, cloud applications, mobile applications, and people.

It’s worth emphasizing that these latest lettered NISTIRs are all draft versions, and are open for public comment until February 12, 2021. Also, the 2020 IoT Cybersecurity Improvement Act requires NIST to update its recommendations every five years, which means we’ll likely see a continual lobbying effort from those eager to make devices more secure and those who are inclined to leave them perhaps less secure, but easier to use and sell.

I hope this helps y’all figure out what matters in the morass of NIST cybersecurity reports and guidelines ahead of the new law going into effect. Most of them are pretty common-sense best practices, so don’t let the jumble of letters and numbers scare you away. I’d love to see most of the guidelines in the 8259 document applied to devices everywhere.