On January 7, 2020, the National Institute of Standards and Technology (NIST) released a draft of revised cybersecurity recommendations for IoT devices at both the pre-market and post-market stages. NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, identifies six voluntary steps manufacturers should take to account for security throughout a connected device’s lifecycle. It builds on the agency’s initial IoT guidance released last June, NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Comments on the revised draft are due by February 7, 2020.
NIST explains that the IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world.
The draft recommends that manufacturers take four pre-market steps:
- Identify expected customers and define expected use cases;
- Research customer cybersecurity goals, including device identification, device configuration, data protection, logical access to interfaces, and software and firmware updating;
- Determine how to address customer goals; and
- Plan for adequate support of customer goals.
NIST advises two additional post-market steps:
- Define approaches for communicating to customers; and
- Decide what to communicate and how to do it.
NIST recommends that manufacturers consider: cybersecurity risk-related assumptions made during design and development; support and lifespan expectations; the cybersecurity capabilities that a device or manufacturer provides; device composition and capabilities, such as information about the device’s software, firmware, hardware, services, functions, and data types; software and firmware updates; and end-of-life or retirement options. Many of NIST’s recommendations may also help IoT device manufacturers assess security measures related to the safety of a connected consumer product and its operation.