For many years, cybersecurity professionals have lamented the rush to market of the multitude of Internet of Things (IoT) devices. From the early days, the idea of an internet-connected tea kettle, a home security camera, or even a refrigerator seemed very convenient to a lot of folks. So why were the InfoSec experts so concerned?
Lateral movement has become one of the most common techniques in network attacks, and most people who attach IoT devices to their home network are unfamiliar with network segmentation, or even with how to enable a guest network, which would isolate those devices from more valuable assets such as the home computer on which confidential information may be stored.
Beyond the home network, corporate networks are also at risk from IoT devices, as was demonstrated in the infamous casino aquarium attack. Fortunately, that well-documented attack seems to be more the outlier than the norm; however, the points are clear:
- Most IoT devices were not made with security in mind;
- Most people are unaware of the possible vulnerabilities in these products;
- Very few manufacturers have an update mechanism to patch these flaws.
Has the situation with IoT improved? Apparently, not enough to add comfort to the cybersecurity community, or even the public at large. Security is not the only concern; privacy is important too. According to a recent survey, 63% of respondents said that they “find connected devices ‘creepy’ in the way they collect data about people and their behaviors”. Is there a way to combat both the security and privacy concerns of these now omnipresent devices?
New Guidance from NIST
Fortunately, help may have arrived in the form of new guidance from the National Institute of Standards and Technology (NIST). In new Interagency Reports (IR), for example “Foundational Cybersecurity Activities for IoT Device Manufacturers” and “IoT Device Cybersecurity Capability Core Baseline”, as well as a new Special Publication in draft form, “IoT Device Cybersecurity Guidance for the Federal Government”, NIST offers direction that could improve trust in these devices. These new documents continue the work of strengthening the Cybersecurity Framework.
How could an IoT device ever enter a Federal Information System without being subjected to the rigorous standards applied to all other system components? As explained in the introduction to SP 800-213, IoT devices fall below the “information system” level and function instead at the “system element” level. The purpose of the Special Publication is to assist Federal Agencies in considering system security from that “device perspective”.
Some security professionals may wonder, given all the bad news about IoT security weaknesses, what purpose could any such device serve on a network. The NIST document takes a more practical view, showing that IoT devices actually support system security. This is not so far-fetched as it may seem. Many of the “traditional” tools that have been used in our networks, from temperature sensors, to backup battery voltage monitors, and even door alarms on data centers, fall into the category of a system element.
The NIST approach is a very practical viewpoint. It is easily arguable that, if applied correctly, securing an IoT device offers better security controls than the legacy systems, some of which were guarded by little more than dial-up modems, which were susceptible to something as simple as a war-dialing attack.
This in no way should be construed to indicate that NIST is dismissing the inherent risks of IoT devices. That is where the release of the Interagency Reports comes into play. NIST IR 8259A offers guidance on establishing baselines for IoT devices from the manufacturing, integration, and acquisition perspectives. NIST IR 8259, “Foundational Cybersecurity Activities for IoT Device Manufacturers”, addresses the security capabilities that IoT manufacturers can build into their devices before they are released to the market.
If these guidelines are honored, along with the IoT privacy direction presented in NIST IR 8228, titled “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks”, we may truly be entering a new age of IoT security that could ultimately benefit everyone. While all the advice is practical, it is best handled by a qualified cybersecurity professional with the right training to implement it.
No Rear-view Mirror
One brief area of note in NIST IR 8259 states that:
“This publication is intended to inform the manufacturing of new devices and not devices that are already in production, although some of the information in this publication might also be applicable to such devices.”
This means that a manufacturer is under no obligation to secure a previously manufactured device.
Overall, as made clear in all NIST documentation, these are guidelines and do not hold any regulatory force. However, any long-time enthusiast of NIST publications is keenly aware that these often precede the formulation of regulations.
A Healthy Dose of Humility
The authors of the NIST baselining documentation also clearly state that:
“This baseline is not the only set of capabilities that exist. This baseline represents a coordinated effort to produce a definition of common capabilities, not an exhaustive list. Therefore, an implementing organization may define capabilities that better suit their organization. Using these additional capabilities to support IoT device cybersecurity risk management is encouraged.”
As always, the authors humbly indicate that theirs is not the final word on this topic, and there is always room for more discovery and constant improvement. In any case, it is good to finally see some unified thought around IoT security.
How the CISSP Can Help You Succeed
If you are looking to better understand the reasoning and deliberate thought that goes into the creation of the NIST documentation, there is no better course of study than the CISSP Common Body of Knowledge (CBK). The CISSP domains present the student with a broad set of topics that must be considered when building or maintaining an effective security program for any organization.
Just as the NIST publications leave no gaps in the exploration of a topic, the rigorous examination of topics in the CISSP CBK is equal to that of a fully realized security plan.
Moreover, the CISSP also gives the student the understanding that security is an ongoing journey, and like any science, new discoveries will yield advances towards more secure information systems.
To discover more about CISSP, read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.