NIST guidance aims to help providers secure IoT tools

A new National Institute of Standards and Technology guide identifies cybersecurity features that should be included in network-capable Internet of Things devices.

The principles included in the NIST guidance are appropriate to any type of device that is linked to the Internet.

“This core baseline guide offers some recommendations for what an IoT device should do and what security features it should possess,” says Mike Fagan, a NIST computer scientist and one of the authors of the guide. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers and other entities.”


The guidance is not a set of rules to follow but is intended to promote best practices for mitigating risks to IoT security. It complements other recent guidance from NIST, titled “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks,” which addresses large healthcare organizations and other industries that have more resources to dedicate to IoT cybersecurity.

IoT devices can create new types of cyber risk that are not readily apparent, Fagan warns. For example, while a computer may require a password entered from a keyboard, a network-capable device might have no keyboard, yet it would still appear on a home or office wireless network, making other networked devices vulnerable to hacking if it lacks proper security features. So even a network-connected coffee maker could be a conduit for a hacker to break into a network.


“Securing devices is a group effort,” Fagan advises. “The manufacturer has to supply options and software updates, and the user has to apply them. Both sides have roles to play.”

The guidance further describes six security features that health providers and other stakeholders can build into IoT devices.

  • Device identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
  • Device configuration: An authorized user should be able to change the device’s software and firmware configuration. Many IoT devices have a way to change their functionality or manage security features.
  • Data protection: It should be clear how the IoT device protects data it stores and sends over the network from unauthorized access and modification. Some devices use encryption to obscure the data held on the internal storage of the device.
  • Logical access to interfaces: The device should limit access to its local and network interfaces. The device and its supporting software should gather and authenticate the identity of users attempting to access the device, for example via a username and password.
  • Software and firmware updates: The software and firmware should be updatable using a secure and configurable mechanism. Some IoT devices receive automatic updates from the manufacturer, which requires little or no work for the provider.
  • Cybersecurity event logging: Devices should log cybersecurity events with the logs accessible to a healthcare provider or other entities. The logs help users and developers to identify device vulnerabilities and fix them.