NIST’s new cybersecurity rules are ready for real-world testing

February has been a good month for those of us who care about IoT security. First up, the National Institute of Standards and Technology (NIST) released rules that will be used to create a labeling scheme for more secure consumer-facing IoT devices. NIST also released rules related to creating a cybersecurity label for consumer software, but we will focus on the IoT device rules in this article.

Second, the World Economic Forum (WEF) has released an agreement with several governments and technology experts that provides five essential security requirements for consumer-facing IoT devices. The WEF statement doesn’t have an enforcement component, but the hope is that governments will add these elements to legislation and that device makers will voluntarily adopt them.

The WEF requirements are pretty easy to discuss, so we’ll start with them before getting into the NIST regulations. The WEF asks those building consumer-facing IoT devices to:

• not use universal default passwords
• keep software updated
• provide secure communication
• ensure that personal data is secure
• implement a vulnerability disclosure policy

Honestly, these are the same things I have advised consumers to look for since 2017, so none of this is exactly forward-looking. Perhaps if the WEF and governments really want to boost security they should tell companies and consumers whose connected devices don’t feature these characteristics that they should simply throw them away.

The NIST rules, on the other hand, go into way more depth. If the devil is in the details, then NIST has brought the devil to help address device security.

Back in May of 2021, in the wake of the Solar Winds attacks and the Colonial Pipeline ransomware debacle that led to delayed fuel deliveries across the eastern U.S., President Biden released an executive order calling for greater cybersecurity The order laid out broad strokes to protect against supply chain attacks like Solar Winds and ordered the creation of ato help consumers know if their connected devices were secure. It was a good order, but it relied on NIST to plan the nitty-gritty details.

On Feb. 4, NIST released guidelines for a consumer-facing label that would go on connected devices. It covers the basics proposed by the WEF requirements plus much, much more. Indeed, as we saw in the wake of the Cybersecurity Improvement Act of 2020, NIST understands that cybersecurity for connected devices runs a whole gamut of activities from apps, hardware, and clouds. It even gets the role of third-party APIs and service providers.

The latest rules call for the creation of a label, much like the Energy Star label created by the EPA to indicate that an appliance is energy efficient. Consumers don’t know what goes into the label, but they tend to trust it. NIST has created a 27-page document that describes what elements the newcovers and explains why it matters, but it isn’t creating the label, nor will it manage the label program.

Broadly, any organization that creates this label will have to contend with the challenge that connected devices range in complexity, both from a security perspective and in terms of the sensitivity of the data they collect. A connected medical device designed to monitor and administer insulin has a very different risk profile compared with my Fitbit, for example, and a Fitbit has a different risk profile than a pair of connected running shoes. That’s why, as NIST explains, we might need different labels.

So what must a label contain? First, the device owner and device makers need a unique way of identifying each device; device owners also need ways to interact with and change permissions related to how the device connects. Either the owner of a device should be able to delete data stored on the device and all data moving between it and other devices, or the cloud should be secured. It’s notable that the document doesn’t describe a particular encryption scheme. This is because NIST is trying to work based not on specific standards, but on outcomes.

To earn a label, a consumer IoT device also has to shut down mechanisms by which users can make unintended changes to the device firmware or hardware. It must also ensure proper access control features, such as a password, are required for making changes. Developers should also make sure that, once connected, connected devices lock down any means of provisioning said device. Many of my current IoT devices are terrible at this, so it would be nice if developers locked provisioning down a bit, especially devices with Bluetooth radios.

The label also calls for devices to have over-the-air software updates, and requires a software bill of materials as well as accessible information about how the connected device is secured and that security is tested. Consumers need to be able to easily find that information. Additionally, because vulnerability information and security practices in general are always changing, NIST says companies should ensure that they regularly share information about new updates, vulnerabilities, breaches, and any other changes that matter. Companies also need to create an education campaign to help consumers understand cybersecurity basics, such as why always using the same password is bad or why you don’t want to share Wi-Fi credentials with just anyone.

The document also recommends any organization devising a label try to harmonize the requirements of the government cybersecurity label with existing security standards so a company seeking to make a UL-certified device won’t run afoul of getting this label as well. Of course, this won’t work with every device and every security standard, but NIST believes an effort should be made.

The document also includes a “greatest hits” of IoT cybersecurity fails, which are stripped of company names that anyone who follows the space would likely be able to identify and recall. So even if you don’t care about the label details, it’s a fun document to scan.