The National Institute of Standards and Technology (NIST) has drafted guidance through its Interagency International Cybersecurity Standardization Working Group (IICS WG) which focuses on Internet of Things (IoT) security. With more and more everyday products being built with internet connectivity capabilities, cybersecurity researchers and practitioners have become concerned about the security and privacy of those devices, as one insecure device in an office or home could lead to a massive breach.
Individuals and groups have been lobbying for improvements in manufacturing and supply chain oversight for the past several years, but to date no industry group or government has passed laws requiring developers and manufacturers to follow secure practices. For one thing, the types of IoT devices being developed are diverse, spanning myriad industries and user purposes. For another, the components that comprise IoT devices may be manufactured at multiple organizations in far-flung geographic regions that, themselves, hold varying viewpoints of information security and privacy.
In spite of these challenges, NIST has decided it’s high time to address this growing problem before IoT becomes the de facto norm (despite the prevalence of IoT, it’s still early days compared to what’s ahead). As such, NIST has drafted NISTIR 8200, a set of guidance for cybersecurity standards development for IoT. Still in its comment period (until April 18, 2018), the draft attempts to lay out best practices that will help manufacturers and developers consider the cybersecurity of the devices they’re bringing to market, in the hope that these companies will build security into the planning of networked devices.
As the NIST guidance takes shape, several lawmakers have drafted a bill that would create a certification program for companies that “meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.” While the so-called Cyber Shield doesn’t refer to the drafted NIST guidance specifically, it follows that certification would be based on NIST’s recommendations. How will this affect the industry? InfoSec Insider asked two experts to weigh in on current events and offer their perspective on what this means for security practitioners.
NIST proposed guidance, in summary
Most important, says Lisa Tuttle, CISO of SPX Corporation, is NIST’s attempt to define IoT. “Today there are no de facto standards,” she says, “and purpose-built devices are independently manufactured.” What this means for the industry is that any company with the inclination and a modicum of IT capability has been able to manufacture connected products, but without much thought to or expertise in how to secure those products. NIST’s guidance, says Tuttle, shifts focus “from diverse IoT devices to their more similar device capabilities,” the understanding of which can influence security and privacy considerations.
Doing so would certainly be a positive step, but Antonio A. Rucci, Director of Information Security and Threat Intelligence at Information International Associates, warns that guidance is just guidance—not a mandate. Nor have we seen in the security space that following guidance or earning a certificate is a clear path to breach avoidance; companies must go above and beyond standards to truly implement tools, techniques, and processes that affect cybersecurity outcomes.
Further, says Rucci, “It’s going to be extremely difficult for companies to wrap their arms around the significant change they will need to undertake to develop and manufacture legitimately secure devices.” Though it’s likely that many companies will eschew building security into their products in favor of speed and higher margins, Rucci says that once the guidance is finalized, government organizations “will make decisions on contract awards based on NIST guidance,” so anyone who wants to play in that space and/or tout a competitive advantage may be prone to adopt the new standards.
A global perspective
Cybersecurity and privacy regulations have become commonplace over the years as industry organizations and lawmakers attempt to tamp down on organizational negligence. NIST and the authors of Cyber Shield are therefore probably hoping that guidance about minimum viable security for IoT will help drive the industry towards more thoughtful development and manufacturing. However, many product components are developed outside U.S. borders, in countries where U.S. recommendations or laws are inapplicable, unheeded, or impossible to enforce. As such, it’s not likely either the NIST guidance or a certification program will affect overseas manufacturing, upon which U.S. entities are dependent.
It’s possible that companies which adopt a more rigorous IoT security stance could simply choose to work only with those suppliers that can provide attestation that their security practices are in accordance with the NIST and/or regulatory guidelines. However, as Rucci points out, “China owns much of the chip manufacturing space and will for the near future, at least. It’s difficult to simply cut them off and blacklist them as their products are in nearly every one of our commercial machines and a significant portion of U.S. government systems.”
Closer to home, Tuttle thinks that “manufacturers can leverage standards or certifications to promote a competitive advantage.” Especially as cybersecurity becomes more of a hot-button topic for boards of directors, companies building or selling IoT devices will want some level of assurance that their products are not the gateway to privacy and data disclosure, costing them millions of dollars or more, brand damage, and loss of productivity.
The reality is that more than 25,000 new U.S. regulations—and goodness knows how many ad hoc cybersecurity certificate programs—have been created in the last ten years. Despite these efforts by lawmakers and industry groups, cybersecurity breaches and incidents are not on the decline, which may lead some to think, “What’s the point, then?” The point is to establish a baseline, a you-can’t-go-lower-than-this delineation so that people and companies can’t simply do nothing. In the best-case scenario, companies recognize that scraping the bottom of the barrel isn’t good enough and build more rigorous security processes and policies above and beyond whatever is mandated or recommended.
What actually happens, however, is that organizations run into time and budget issues and default to “just enough to get through the next round of audits, just enough to make it through Q/A for release,” says Rucci. This mindset, he continues, is not likely to change because building security into the front end is more expensive and time-consuming than not adding it and hoping for the best.
Tuttle agrees and says that “Risk acceptance is part of every business decision. Cultural changes by manufacturers to adopt a culture of continuous compliance and maintain security- and privacy-by-design will boost their development IQ.” Relying on broadly-written standards that are meant to cover all companies in X industry or producing Y product, Tuttle says, will always leave too much room for interpretation, leading to uneven results.
Only when companies building IoT devices—all throughout the supply chain—commit to security-by-design practices will we see real change in the state of IoT security. Rucci believes that “manufacturers should be held to a rigid, enforceable standard, much like PCI,” so that consumers are better protected. Of course, he warns, even a hardened device can be improperly implemented and configured, leading to network vulnerabilities. Regardless of the widget that comes out of the box, system administrators must be held accountable for secure deployment.
In the meantime, while neither Tuttle nor Rucci believes the NIST standard or new regulations will drastically alter how manufacturers and developers approach IoT security, both feel that raising the bar to eliminate the most egregious disregard for the security of components that go into IoT devices is, at least, a small shuffle in the right direction.