Nist releases guidance on IoT cyber security

  • December 28, 2020
  • Steve Rogerson

The US National Institute of Standards & Technology (Nist) has released draft guidance on IoT device cyber security. The four documents should help align manufacturer and federal procurement of secure IoT devices.

As the IoT grows to connect a diversity of devices to electronic networks, the four publications from Nist offer recommendations to federal agencies and manufacturers concerning effective cyber security for these devices.

The four related publications should help address challenges raised in the recently signed IoT Cybersecurity Improvement Act of 2020 and begin to provide the guidance that law mandates. Together, the four documents – Nist Special Publication (SP) 800-213 and Nist Interagency Reports (Nist IRs) 8259B, 8259C and 8259D – form a unit intended to help ensure the government and IoT device designers are on the same page with regard to cyber security for IoT devices used by federal agencies.

“The three Nist IRs offer a suggested starting point for manufacturers who are building IoT devices for the federal government market, while the SP provides guidance to federal agencies on what they should ask for when they acquire these devices,” said Katerina Megas, manager of Nist’s cyber-security IoT programme. “We look forward to the community’s feedback on these drafts as we work to provide IoT cyber-security guidance that aids both vendors and customers.”

As is the case with all Nist publications, the guidance itself is not regulatory. However, Nist is responsible for developing information security standards and guidelines, including minimum requirements for federal systems. Because companies that do business with government agencies will need to interact with technology the government finds acceptable, the guidance is likely to have far-reaching influence.

SP 800-213 provides overall guidance for federal agencies, extending Nist’s risk-based cyber-security approach to include integration of IoT devices into federal information systems and infrastructure. The document provides background and recommendations to help agencies consider what security capabilities an IoT device needs to provide for the agency to integrate it into its federal information system.

The Nist IR 8259 series provides guidance that IoT device manufacturers can use to help organisations implement SP 800-213’s guidance. Two publications in this series, Nist IR 8259 and 8259A, were released previously, bringing the total in the series to five. Megas described these two earlier publications as a set of foundational activities to help manufacturers meet their customers’ cyber-security needs.

“These two previous publications outline a process and starting point for manufacturers to identify the capabilities a customer will expect,” she said. “If you buy a device, you would want to be sure you can see and identify the device on your network and change its password, for example. It articulates those kinds of features on a high level.”

The three new publications extend the landscape of the first two. IR 8259B complements 8259A with guidance on nontechnical processes manufacturers should implement that support cyber security, such as documenting updates and informing customers of how to implement them. IR 8259D begins to get more particular, helping manufacturers consider the needs of a specific market sector, in this case the US federal government.

IR 8259C describes the process Nist followed to develop 8259D, so that manufacturers in other markets – such as medical devices that would have to meet health information privacy requirements – can use that same process if they desire.

“We help a manufacturer start with a baseline set of capabilities and then tailor it to their market needs,” Megas said. “Whoever they are, we want to help them improve their security in a world where things are still developing.”

Nist is accepting comments from the public on the four draft documents until February 12, 2021.