More Security Advice for IoT Device Manufacturers
08.08.2019 Terry Gaul
With its many promises and great prospects, the Internet of Things (IoT) warrants much stronger protection then the closed systems of the past. IoT systems rely on public networks, which by definition, are unsafe environments. Hackers are always looking for backdoors and exploits while trying to tamper with data to cause untold damage.
The U.S. National Institute of Standards and Technology (NIST) recently released a draft of security recommendations for IoT devices. Titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers (NISTIR 8259), the draft defines a core baseline of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce.
The publication is intended to help IoT device manufacturers understand the many cybersecurity risks inherent in IoT devices and help them provide cybersecurity features that make them at least minimally securable by the individuals and organizations who acquire and use them. The publication also provides information on how manufacturers can identify features beyond the core baseline most appropriate for their customers and implement those features to further improve device security. NIST says this approach can help lessen the cybersecurity-related efforts needed by IoT device customers, which in turn should reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices.
The Core Baseline provides a list of six recommended security features that manufacturers can build into IoT devices:
- Device Identification: The IoT device should have a way to identify itself, such as a serial number and/or a unique address used when connecting to networks.
- Device Configuration: Similarly, an authorized user should be able to change the device’s software and firmware configuration. For example, many IoT devices have a way to change their functionality or manage security features.
- Data Protection: It should be clear how the IoT device protects the data that it stores and sends over the network from unauthorized access and modification. For example, some devices use encryption to obscure the data held on the internal storage of the device.
- Logical Access to Interfaces: The device should limit access to its local and network interfaces. For example, the IoT device and its supporting software should gather and authenticate the identity of users attempting to access the device, such as through a username and password.
- Software and Firmware Update: A device’s software and firmware should be updatable using a secure and configurable mechanism. For example, some IoT devices receive automatic updates from the manufacturer, requiring little to no work from the user.
- Cybersecurity Event Logging: IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer. These logs can help users and developers identify vulnerabilities in devices to secure or fix them.
For a more in-depth analysis of the nature of IoT security threats and the technical measures designed to protect these connected devices from malicious hackers, you can download our white paper, Licensing and Security for the Internet of Things.
This whitepaper explores the various trends emerging in the IoT and the key strategies for success, which depends not only on superior products, creative marketing, and aggressive sales activities, but security, integrity and reliable licensing as well.
It also outlines the standards that must be addressed and long-term considerations that will impact security, like integration in devices and software, upgrades and updates, secure boot, licensing models tailored to the IoT, license management, access rights and certificates, scalable safeguards and data integrity protection
Contributor
Terry Gaul
Vice President Sales USA
Terry Gaul is a sales and business development professional with extensive experience in the software and technology sectors. He has been involved with software protection and licensing technologies for more than 20 years and currently serves as Vice President of Sales at Wibu-Systems USA. When he is not helping customers with software licensing, Terry typically can be found coaching his daughters' soccer teams or camping with his family on the Maine coast.