National Institute of Standards and Technology releases report: Profile of the IoT Core Baseline for Consumer IoT Products
October 19, 2022
The Internet of Things is a key part of any cybersecurity and privacy program. The National Institute of Standards and Technology (“NIST”) has released a very important report on IoT baselines, titled Profile of the IoT Core Baseline for Consumer IoT Products.
The Abstract provides:
This publication documents the consumer profile of NIST’s IoT core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for small businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028 and was initially published in Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. This document also discusses the foundations to developing the recommended consumer profile and related considerations. NIST reviewed a landscape of relevant source documents to inform the consumer profile and engaged with stakeholders across a year-long effort to develop the recommendations.
At 30 pages it is a relatively brief NIST publication. That does not mean it is not technical and dense.
Some interesting points made:
The IoT product protects data stored across all IoT product components and transmitted both between IoT product components and outside the IoT product from unauthorized access, disclosure, and modification.
1. Each IoT product component protects data it stores via secure means.
2. The IoT product has the ability to delete or render inaccessible stored data that are either collected from or about the customer, home, family, etc.
3. When data are sent between IoT product components or outside the product, protections are used for the data transmission.
Cybersecurity utility: Maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data are protected and that protection of data helps to ensure safe and intended functionality of the IoT product.
Regarding interface access control:
1. Each IoT product component controls access to and from all interfaces (e.g., local interfaces, whether externally accessible or not, network interfaces, protocols, and services) in order to limit access to only authorized entities. At a minimum, the IoT product component shall:
a. Use and have access only to interfaces necessary for the IoT product’s operation. All other channels and access to channels are removed or secured.
b. For all interfaces necessary for the IoT product’s use, access control measures are in place (e.g., unique password-based multifactor authentication, physical interface ports inaccessible from the outside of a component).
c. For all interfaces, access and modification privileges are limited.
2. Some, but not necessarily all, IoT product components have the means to protect and maintain interface access control. At a minimum, the IoT product shall:
a. Validate that data shared among IoT product components match specified definitions of format and content.
b. Prevent unauthorized transmissions or access to other product components.
c. Maintain appropriate access control during initial connection (i.e., on-boarding) and when reestablishing connectivity after disconnection or outage.
Cybersecurity utility: Enumerating and controlling access to all internal and external interfaces to the IoT product will help preserve the confidentiality, integrity, and availability of the IoT product, its components, and data by helping prevent unauthorized access and modification.
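As an added illustration (not code from NIST or from the post), the following gateway check shows how two of the outcomes quoted above can be enforced for data exchanged between IoT product components: messages must match a specified definition of format and content (2a), and only authorized components may send a given message type to a given recipient (2b). The component names, message types, fields and limits are constructed for this example.

```python
"""Constructed inter-component message gateway for a hypothetical thermostat
product (thermostat device, mobile app, back-end). Not NIST's code."""
import json
import re
from dataclasses import dataclass


def device_id_ok(v):
    # Constructed format rule: short alphanumeric identifier with dashes.
    return isinstance(v, str) and re.fullmatch(r"[A-Za-z0-9-]{1,32}", v) is not None


# Specified definitions of format and content: each message type lists the
# exact fields it must carry and a content validator for each field.
MESSAGE_DEFINITIONS = {
    "telemetry": {
        "device_id": device_id_ok,
        "temp_c": lambda v: isinstance(v, (int, float)) and -40 <= v <= 125,
    },
    "set_mode": {
        "device_id": device_id_ok,
        "mode": lambda v: v in ("off", "heat", "cool"),
    },
}

# Access policy: (sender component, message type) -> allowed recipients.
# Any route not listed is an unauthorized transmission and is dropped.
ALLOWED_ROUTES = {
    ("thermostat", "telemetry"): {"backend"},
    ("mobile_app", "set_mode"): {"backend"},
    ("backend", "set_mode"): {"thermostat"},
}


@dataclass
class Decision:
    accepted: bool
    reason: str


def check_message(sender: str, recipient: str, raw: bytes) -> Decision:
    """Decide whether a raw message may pass from sender to recipient."""
    try:
        msg = json.loads(raw)
    except ValueError:
        return Decision(False, "malformed JSON")
    if not isinstance(msg, dict) or "type" not in msg:
        return Decision(False, "missing message type")
    mtype = msg["type"]
    definition = MESSAGE_DEFINITIONS.get(mtype)
    if definition is None:
        return Decision(False, f"unknown message type {mtype!r}")
    # Route check first, so unauthorized senders learn nothing about field rules.
    if recipient not in ALLOWED_ROUTES.get((sender, mtype), set()):
        return Decision(False, f"{sender} may not send {mtype} to {recipient}")
    body = {k: v for k, v in msg.items() if k != "type"}
    if set(body) != set(definition):  # no missing and no extra fields
        return Decision(False, "fields do not match definition")
    for field, valid in definition.items():
        if not valid(body[field]):
            return Decision(False, f"invalid content in {field}")
    return Decision(True, "ok")
```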
Regarding cybersecurity state awareness:
The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.
1. The IoT product securely captures and records information about the state of IoT components that can be used to detect cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.
Cybersecurity utility: Protection of data and ensuring proper functionality can be supported by the ability to alert the customer when the device starts operating in unexpected ways, which could mean that unauthorized access is being attempted, malware has been loaded, botnets have been created, device software errors have happened, or other types of actions have occurred that were not initiated by the IoT product user or intended by the developer.
The documentation regarding IoT non-technical supporting capabilities:
1. Throughout the development lifecycle, the IoT product developer creates or gathers and stores information relevant to the cybersecurity of the IoT product and its product components including:
a. Assumptions made during the development process and other expectations related to the IoT product
b. All IoT components, including but not limited to the IoT device, that are part of the IoT product.
c. How the baseline product criteria are met by the IoT product across its product components, including which baseline product criteria are not met by IoT product components and why (e.g., the capability is not needed based on risk assessment).
d. Product design and support considerations related to the IoT product
e. Maintenance requirements for the IoT product
f. The secure system lifecycle policies and processes associated with the IoT product
g. The vulnerability management policies and processes associated with the IoT product
Cybersecurity utility: Generating, capturing, and storing important information about the IoT product and its development (e.g., assessment of the IoT product and development practices used to create and maintain it) can help inform the IoT product developer about the product’s actual cybersecurity posture.
NIST set out the following considerations regarding a consumer IoT profile:
- many consumer IoT devices are supported by additional components, such as a back-end and/or mobile app, that are critical to using the IoT device to the point that the device cannot be meaningfully used without these components.
- home consumers often have little control over these additional components. The concept should expand beyond the device to include the full product. This scope may include additional components as part of an IoT product, including those that the consumer interacts with only indirectly.
- the consumer profile must be implemented in the context of key privacy and safety perceptions and considerations for the sector.
- safety and privacy considerations are dynamic for consumer IoT products, as use cases for IoT products may vary significantly.
- there may be clear safety implications to a product and its operation, but this is not always the case. The same goes for privacy.
- different use cases may share broad safety and/or privacy considerations, but the specifics on their impacts and/or mitigations can be very different.
- the consumer profile’s cybersecurity capabilities must broadly support a variety of use cases while taking care to not hinder these areas.
- cybersecurity practices of the customers that would be managing consumer IoT products will vary in definition and maturity.
- the unpredictable and ad hoc nature of customer risk mitigation for consumer IoT products highlights the need for broadly useful and generally recommended cybersecurity practices to be reflected in the profile.
- an important cybersecurity need for this sector is usable cybersecurity capabilities that are implemented to require minimal/efficient customer set-up and interaction for use.
- specific standards, solutions, implementations, or mitigations should be used as appropriate for an IoT product’s functionality and use case.
- no single set of specific requirements can be applicable to all consumer IoT products; therefore, the consumer profile describes IoT product-level cybersecurity guidelines in terms of outcomes to be achieved and supported by the product as a whole, but these may not apply to all IoT product components in the same way.