Y’all know I love a good NIST report. The National Institute of Standards and Technology does a good job of taking the established wisdom and distilling it into a set of best practices or rules for an industry. This isn’t the place to go for leading-edge problems, but it’s a great place to establish a baseline. And NIST has now tackled IoT device security with a new draft report focused on security needs for connected devices.
The report focuses on six elements of secure devices (although a video dumbs it down further into three questions for those consumers seeking to purchase a device). The suggestions it makes are aimed at the companies making connected devices, with consumers who use the products as a secondary audience. It’s very different in scope from the far more detailed security recommendations laid out last week by the Industrial IoT Consortium, which takes a deep dive into how to secure connected devices, their connections, and the back-end cloud.
So what does NIST recommend? Most of it is common sense, in line with what I’ve been saying for years. Make sure a device can be updated over the air, and ensure that the update process itself is secure. Give each device a unique identifier so it can be identified on a network. Give authorized users a way to change and adjust features, especially those related to security. Make sure both logical and physical access to a device are controlled. For example, an outdoor camera whose reset button can be pressed by a stranger isn’t secure (this was a real issue), and having too many open ports on a network can be a problem.
The final two recommendations are ones I am really excited to see being made official: Log actions on an IoT device and app, and communicate to customers how the product is secured.
The first one is important not just for individual devices on their own, but for individual devices that are tied together using hubs or digital assistants. Users need to know what will trigger a device to turn on or off. Not only is it helpful for people like me who have lots of integrations, it’s also a good way to see if some unauthorized person or device has infiltrated your network.
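As an added illustration of why logging matters alongside unique device identifiers (this is example code written for this post, not anything from the NIST draft or a real product), the script below parses a constructed hub action log, answers "what triggers this device?", and flags actions whose triggering device or user is not in an assumed inventory:

```python
import re
from dataclasses import dataclass

# Constructed sample hub action log (not from any real product or the NIST draft): what was done, to which device, and what triggered it.
SAMPLE_LOG = """\
2019-08-01T22:14:03Z action=unlock device=front-door-lock-7f3a source=routine:goodnight user=alice
2019-08-01T22:14:05Z action=off device=porch-light-91c0 source=routine:goodnight user=alice
2019-08-01T23:41:17Z action=unlock device=front-door-lock-7f3a source=device:a1b2c3d4 user=-
2019-08-02T06:30:00Z action=on device=porch-light-91c0 source=schedule:sunrise user=-
"""
# Assumed inventory of unique device identifiers and authorized users (hypothetical values).
REGISTERED_DEVICES = {"front-door-lock-7f3a", "porch-light-91c0", "motion-sensor-2be1"}
AUTHORIZED_USERS = {"alice", "bob"}

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>\S+) device=(?P<device>\S+) "
                     r"source=(?P<source>\S+) user=(?P<user>\S+)$")

@dataclass(frozen=True)
class Event:
    ts: str
    action: str
    device: str
    source: str  # "<kind>:<name>", e.g. routine:goodnight or device:<id>
    user: str    # "-" when no person initiated the action

def parse_log(text: str) -> list:
    """Parse log lines into Events; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events

def triggers_for(events: list, device: str) -> set:
    """Answer 'what turns this device on or off?' from the log alone."""
    return {e.source for e in events if e.device == device}

def audit(events: list, devices=REGISTERED_DEVICES, users=AUTHORIZED_USERS) -> list:
    """Flag actions whose target, triggering device, or user is not in the inventory."""
    findings = []
    for e in events:
        kind, _, name = e.source.partition(":")
        if e.device not in devices:
            findings.append((e, "target device not registered"))
        elif kind == "device" and name not in devices:
            findings.append((e, "triggered by unregistered device id"))
        elif e.user != "-" and e.user not in users:
            findings.append((e, "unknown user"))
    return findings
```

On the sample log, the third line (a lock opened by a device id that was never registered) is the only finding; the rest are routines and schedules the owner set up.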
But my favorite recommendation for device makers is to share how they secure devices. Even today, three years after Mirai made IoT security a thing, it’s still hard to get information from companies about how they handle device-to-hub or hub-to-cloud encryption. Most can’t tell you if your password is stored securely in a hashed database or how long they keep your Wi-Fi data (or why they even need it after that first connection).
NIST also suggests that manufacturers provide what’s known as a software bill of materials associated with devices, especially those destined for the enterprise. This lets customers understand where they may become vulnerable as time goes on. In line with the transparency around devices, NIST suggests manufacturers tell customers what functions a device has, including hidden functions, and list what data the device collects or can collect.
Again, this seems like common sense, but companies have already broken those rules with mics on televisions and cameras in telematics. I’m frustrated that NIST can’t penalize companies that don’t follow these basic guidelines, but I’d love to see a certification develop based on the agency’s recommendations that helps create a more secure device ecosystem.
The current paper is just a draft, so if you want to offer your input, NIST has an open meeting set for Aug. 13 where you can meet the authors in person and share your thoughts. If you don’t want to hit up Washington, D.C., you can submit written comments through Sept. 30.