Appliances from refrigerators to thermostats are now available in models that interact with a wireless network, making them easier to control with a computer or smartphone.
But in the rush to develop these products, how much security was built in? Unfortunately, the answer in quite a few cases is not much.
Since these devices can put security at risk, the National Institute of Standards and Technology (NIST) released a guide to help adjust to a world where almost everything is connected — and potentially vulnerable.
The guide identifies a set of voluntary recommended cybersecurity features to include in network-capable devices, whether designed for the home, the hospital or the factory floor. Although the guide’s subtitle is A Starting Point for IoT Device Manufacturers, its principles can be useful to anyone who links a device to the internet.
“This ‘Core Baseline’ guide offers some recommendations for what an IoT device should do and what security features it should possess,” said Mike Fagan, a NIST computer scientist and one of the guide’s authors. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers.”
IoT consumer devices on the network
As with a number of other NIST cybersecurity publications, the Core Baseline, whose full title is Core Cybersecurity Feature Baseline for Securable IoT Devices (Draft NISTIR 8259), is not a set of rules for manufacturers to follow.
Rather, it is voluntary guidance intended to help promote the best available practices for mitigating risks to IoT security. It complements another publication, Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228), which addresses large organizations that have more resources to dedicate to IoT cybersecurity.
IoT devices can provide tremendous benefits as well as a host of conveniences, like checking our refrigerator’s contents from the grocery store. They also create a new type of cybersecurity risk. While a conventional computer might require a password entered from a keyboard, a network-capable coffee maker might have no keyboard at all — but would still appear on a home or office wireless network. This and countless other small electronic devices could be vulnerable to hacking if they do not possess security features that an owner understands and uses.
“Securing devices is a group effort,” Fagan said. “The manufacturer has to supply options and software updates, and the user has to apply them. Both sides have roles to play.”
The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices:
1. Device Identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
2. Device Configuration: An authorized user should be able to change the device’s software and firmware configuration. For example, many IoT devices have a way to change their functionality or manage security features.
3. Data Protection: It should be clear how the IoT device protects the data it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
4. Logical Access to Interfaces: The device should limit access to its local and network interfaces. For example, the IoT device and its supporting software should gather and authenticate the identity of users attempting to access the device, such as through a username and password.
5. Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
6. Cybersecurity Event Logging: IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer. These logs can help users and developers identify vulnerabilities in devices to secure or fix them.