Users can easily know if a product complies with the Restriction of Hazardous Substances Directive (RoHS) or Underwriters Laboratory (UL) certification because products are clearly labeled. There is little guidance, however, on adherence of effective cybersecurity requirements for Internet of Things (IoT) tools. Soon, IoT device and software companies will be able to provide clear information directly on their packaging that certifies their solutions’ cybersecurity status and safety.
On February 4, 2022, the National Institute of Standards and Technology (NIST) issued draft recommendations for IoT labeling criteria in response to President Biden’s Executive Order (EO) on “Improving the Nation’s Cybersecurity.” The NIST recommendations outline cybersecurity criteria for an IoT product labeling program that would include label criteria and design considerations for user education and conformity assessment.
The program would provide clear indication of whether or not an IoT product or software package has met a set of specified cybersecurity requirements. NIST also recommends a scannable, accessible URL or QR code for additional information about the cybersecurity status of an IoT product or software. This information could help users and the federal government make informed decisions about their vendors and devices.
While the NIST recommendations are general and contain few specific cybersecurity demands, they are broad and designed to be “outcome-based,” not burdensome. Recognizing that a “one size fits all” approach is not realistic, NIST established baseline criteria that includes:
- Uniquely identifiable products with asset identification
- Changeable product configuration
- Data protection
- Interface access control for restricted access
- Updatable software
- Cybersecurity state awareness to detect cybersecurity incidents
- Product information documentation
- Information and query reception
- Information dissemination
- Product education and awareness
The cybersecurity industry should brace for novelty
While NIST labeling recommendations do not guarantee cybersecurity, they certify that the process by which an IoT tool was built and developed considers security and follows industry-leading best practices.
Companies must understand that the list of affected products may be broad and unexpected. An insecure camera or television connected to a corporate network could provide an entry point for an attacker to infiltrate and obtain sensitive information. An IoT toothbrush that helps consumers improve brushing habits can pose a cybersecurity risk once connected to a local wireless network, where the toothbrush can become an entry or pivot point for attackers to breach a network.
The NIST-recommended labeling will bring some clarity to IoT cybersecurity — especially for non-technical users. Businesses will benefit from having clearer cybersecurity expectations about IoT tools before connecting devices to their networks.
Implement cybersecurity early and make necessary changes
While some manufacturers are not mindful of best practices that bolster IoT security, most manufacturers should take steps to prepare for NIST recommendations. Cybersecurity and the NIST recommendations are a continual effort. Some controls may require gradual implementation, and both manufacturers and enterprise security leaders will need to manage their cybersecurity transitions.
- The right resources can come in many forms — internal staff, external experts or knowledgeable security champions. Organizations must determine whether they have staff with necessary skills and qualifications. They should consider necessary resources for device security life cycle proficiency, need for external expertise, and availability of internal resources for programming and software development staff. Understanding use-case security implications and threat modeling are paramount.
- Manufacturers should consider the relative cybersecurity importance for each product or product family they produce and evaluate the potential for user concern about the product’s security.
- Manufacturers should embrace the NIST recommendations relevant to their connected tools. Unfortunately, security is not static. New system features will require implementation, and cyber practices will need to be built into a technology refresh.
- Use cases — beyond a product’s immediate function — are critical considerations for risk. Knowing the impact a device could have on the rest of a system in the ecosystem or environment where it exists offers the planning and assurance users seek.
- Having an audit team that knows how to audit NIST recommendation implementations is vital. The team should be aware of the organization’s processes and point to an audit trail that documents them.
The early bird gets the worm
For now, there is no oversight or certifying agency for the NIST recommendations. The labeling program requires a scheme owner to oversee it — a concept many view as an opportunity and potentially challenging. Recommendations are still evolving while NIST seeks public feedback. As of yet, there are no steadfast effective dates.
Security leaders who implement applicable NIST recommendations proactively over time can see lower implementation costs and a stronger competitive posture. Those who wait until the last minute and are forced to implement quickly will likely experience greater costs and business disruption. It is essential to consult with experts who assist businesses in understanding the requirements and their associated impact — whether from damaging impact to brand reputation when things go wrong or from rewards that come from proactive implementation.