by Diana Proud-Madruga
This three-part series explores the challenges of securing the Internet of Things. Part 1 traces the history of governmental action, including standards development, reports, legislation and congressional hearings.
I love science fiction and all the futuristic devices it describes. Looking around my home, I realize that the future is now. Many of these devices already exist. I can make phone calls using my watch (à la Dick Tracy and Star Trek). I can “talk” to my house remotely to turn lights on/off, adjust temperature, lock doors and check security. I can ask my car to get information from my other devices, almost like KITT in “Knight Rider.”
As artificial intelligence becomes more prevalent, the chatter between devices will expand exponentially. As more devices find their way into the workplace, should we be asking meeting attendees to remove their watches as well as turn off their cell phones before starting? The bigger questions are: How do we know our devices are not talking to someone else’s? How do we ensure control over what information is shared? How can we enjoy the convenience of these devices without compromising our privacy?
As it turns out, governments and standards organizations are already working to address these concerns.
The Internet of Things (IoT) is experiencing an explosion of growth. Gartner predicts there will be 20.4 billion connected IoT devices by 2020 compared with 8.4 billion in 2017. Security concerns accompany this growth, as any malicious actor could launch a large-scale attack by commandeering unsecured IoT devices.
In response, the National Institute of Standards and Technology (NIST) and other federal government agencies are collaborating to address IoT cybersecurity uniformly.
Starting in 2016, NIST launched its Cybersecurity for IoT Program. This flagship program, which has spawned multiple IoT cybersecurity research and standards projects, is the primary interface for NIST and federal government collaboration.
And, this collaboration is yielding results. In February 2018, NIST released the draft NISTIR 8200, Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which defined the IoT landscape, analyzed the current state of IoT standards and identified gaps in standards. May 2018 saw the release of Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which seeks to enhance the nation’s cyber posture by modernizing and securing IT infrastructure. The Departments of Commerce and Homeland Security responded to the EO with their Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. This “Botnet Report” describes a multi-pronged approach for developing resilience against botnets. They also released the accompanying Botnet Road Map, which identifies tasks and timelines for achieving Botnet Report goals.
NIST initially responded to the EO with the draft NIST Interagency Report (NISTIR) 8228, Considerations for Managing IoT Cybersecurity and Privacy Risks, which identifies unique risks posed by IoT devices and ways to mitigate them. In February 2019, NIST continued this work with the Considerations for a Core IoT Cybersecurity Capabilities Baseline discussion paper. Using this work, NIST is coordinating efforts of industry leaders and government to identify core IoT cybersecurity capabilities that are vital for IoT devices to function securely.
Congress and NIST were busy in March through May 2019. Both the House (H.R. 1668) and Senate (S. 734) introduced the IoT Cybersecurity Improvement Act of 2019, which calls for new information security standards to manage cybersecurity risks of IoT devices. It would require NIST to develop IoT cybersecurity guidance within 180 days of enactment of the legislation. In addition, the Senate Committee on Commerce, Science, and Transportation Subcommittee on Security held hearings on strengthening IoT cybersecurity that included testimony from Dr. Charles Romine, Director of the NIST Information Technology Laboratory.
Meanwhile, NIST was publishing a preliminary draft standard, NIST Special Publication 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD). It leverages the architecture of Internet Engineering Task Force (IETF) RFC 8520, Manufacturer Usage Description Specification, in which the manufacturer publishes a MUD file describing the traffic its device needs, and the network automatically permits the connected IoT device to send and receive only that traffic. While today’s focus is on access control, future work will likely expand to other areas of cybersecurity.
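To make the MUD idea concrete, here is an added illustration that is not part of the original post, of RFC 8520, or of NIST SP 1800-15. It reads a constructed MUD file laid out in the JSON shape RFC 8520 defines (the ietf-mud and ietf-access-control-list YANG modules), checks it for dangling ACL references, and decides whether candidate flows to or from the device are permitted. The vendor hostnames, ACL and ACE names, and the helper names `load_mud`, `validate` and `evaluate` are all invented for this example; a real MUD manager would translate the same decisions into switch or router ACLs.

```python
"""Evaluate a constructed Manufacturer Usage Description (MUD) file against candidate flows."""
import json

# Constructed MUD file in the RFC 8520 JSON layout. Every hostname, name and port
# below is invented for this example; none comes from a real manufacturer.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example-vendor.invalid/mud/thermostat.json",
        "last-update": "2019-05-01T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example thermostat (constructed sample)",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-thermostat"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-thermostat"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-thermostat", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-https",
             "matches": {"ipv4": {"ietf-mud:dst-dnsname": "api.example-vendor.invalid", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
            {"name": "ntp",
             "matches": {"ipv4": {"ietf-mud:dst-dnsname": "time.example-vendor.invalid", "protocol": 17},
                         "udp": {"destination-port": {"operator": "eq", "port": 123}}},
             "actions": {"forwarding": "accept"}}]}},
        {"name": "to-thermostat", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-https-reply",
             "matches": {"ipv4": {"ietf-mud:src-dnsname": "api.example-vendor.invalid", "protocol": 6},
                         "tcp": {"ietf-mud:direction-initiated": "from-device",
                                 "source-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}}]}},
    ]},
})


def load_mud(text):
    """Parse the MUD file text into a dict (a real MUD manager fetches it from the mud-url)."""
    return json.loads(text)


def validate(doc):
    """Return a list of structural problems; an empty list means the file is usable."""
    problems = []
    mud = doc.get("ietf-mud:mud", {})
    if mud.get("mud-version") != 1:
        problems.append("unsupported mud-version")
    acls = {a["name"] for a in doc.get("ietf-access-control-list:acls", {}).get("acl", [])}
    for policy in ("from-device-policy", "to-device-policy"):
        for ref in mud.get(policy, {}).get("access-lists", {}).get("access-list", []):
            if ref["name"] not in acls:
                problems.append(f"{policy} references missing ACL {ref['name']!r}")
    for acl in doc.get("ietf-access-control-list:acls", {}).get("acl", []):
        for ace in acl["aces"]["ace"]:
            if "forwarding" not in ace.get("actions", {}):
                problems.append(f"ACE {acl['name']}/{ace['name']} has no forwarding action")
    return problems


def _port_matches(spec, port):
    """Apply the ietf-access-control-list port matcher (operator form or lower/upper range)."""
    if spec is None:
        return True                       # no port constraint in this ACE
    if "lower-port" in spec:
        return spec["lower-port"] <= port <= spec["upper-port"]
    op, value = spec.get("operator", "eq"), spec["port"]
    return {"eq": port == value, "neq": port != value,
            "lte": port <= value, "gte": port >= value}[op]


def _ace_matches(matches, direction, peer_dnsname, protocol, port):
    """True when one ACE's match block covers the flow. direction-initiated is informational here."""
    ip = matches.get("ipv4") or matches.get("ipv6") or {}
    if "protocol" in ip and ip["protocol"] != protocol:
        return False
    dns_key = "ietf-mud:dst-dnsname" if direction == "from-device" else "ietf-mud:src-dnsname"
    if dns_key in ip and ip[dns_key] != peer_dnsname:
        return False
    l4_key = {6: "tcp", 17: "udp"}.get(protocol)
    for key in ("tcp", "udp"):            # an ACE written for TCP never matches UDP, and vice versa
        if key in matches and key != l4_key:
            return False
    l4 = matches.get(l4_key, {}) if l4_key else {}
    port_key = "destination-port" if direction == "from-device" else "source-port"
    return _port_matches(l4.get(port_key), port)


def evaluate(doc, direction, peer_dnsname, protocol, port):
    """Decide one flow. direction is 'from-device' or 'to-device'; port is the device's peer
    port (destination port for from-device traffic, source port for to-device traffic).
    Returns (forwarding action, which rule decided). Anything no ACE accepts is dropped,
    because a MUD policy is an allow-list of the traffic the manufacturer declared."""
    mud = doc["ietf-mud:mud"]
    policy = "from-device-policy" if direction == "from-device" else "to-device-policy"
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    for ref in mud[policy]["access-lists"]["access-list"]:
        for ace in acls[ref["name"]]["aces"]["ace"]:
            if _ace_matches(ace["matches"], direction, peer_dnsname, protocol, port):
                return ace["actions"]["forwarding"], f"{ref['name']}/{ace['name']}"
    return "drop", "default-deny"


if __name__ == "__main__":
    mud = load_mud(MUD_FILE)
    print("problems:", validate(mud))
    print(evaluate(mud, "from-device", "api.example-vendor.invalid", 6, 443))
    print(evaluate(mud, "from-device", "api.example-vendor.invalid", 6, 23))
    print(evaluate(mud, "to-device", "laptop.lan", 6, 22))
```

The two flows the file never mentions, an outbound connection on port 23 and an inbound connection from a laptop on port 22, fall through to the default deny; that implicit deny is what makes MUD useful against the botnet scenario described above, because a compromised device is confined to the peers and ports its manufacturer declared rather than the whole Internet. Note that the example matches on DNS names as written in the file; a real deployment resolves them and keeps the resolved addresses current, which is one of the operational points NIST SP 1800-15 addresses.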
NIST also launched a new National Cybersecurity Center of Excellence (NCCoE) project, Securing the Industrial Internet of Things (IIoT): Scenario-Based Cybersecurity for the Energy Sector, which provides guidance on securing IIoT device use and communications.
Stay Tuned . . .
Every day brings new legislation or standards intended to secure the IoT. The next two parts of this series will focus on IETF’s MUD architecture and how NIST proposes we use it.
Diana Proud-Madruga, CISSP, is a Senior Security Analyst with Electrosoft.