NIST to revise IoT cyber-security framework
- November 25, 2024
- Steve Rogerson
At a workshop next week, the US National Institute of Standards & Technology (NIST) plans to start revisiting and revising foundational cyber-security activities for IoT device manufacturers.
In May 2020, NIST published Foundational Cybersecurity Activities for IoT Device Manufacturers (IR 8259, csrc.nist.gov/pubs/ir/8259/final), which describes recommended cyber-security activities that manufacturers should consider performing before their IoT devices are sold to customers.
These foundational cyber-security activities can help manufacturers lessen the cyber-security-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
In the nearly five years since this document was released, it has been published in three languages (English, Spanish and Portuguese), downloaded over 40,000 times, and was complimented by two additional entries in the series: IoT Device Cybersecurity Capability Core Baseline (csrc.nist.gov/pubs/ir/8259/a/final) and IoT Non-Technical Supporting Capability Core Baseline (csrc.nist.gov/pubs/ir/8259/b/final). These provide specific technical capabilities and non-technical supporting activities that manufacturers should consider in their product designs and support plans to help ensure they are addressing customers’ cyber-security needs and goals.
The IR 8259 series introduced concepts to help manufacturers and customers consider the cyber security of IoT devices intended to be connected to a network or system to function. However, additional IoT concepts have come to light through NIST’s efforts to build upon the foundations of the IR 8259 series that may be useful in adding to the framework. NIST is seeking discussions with and feedback from the community as it begins the effort of updating IR 8259 at its upcoming workshop on December 4th (www.nist.gov/news-events/events/2024/12/workshop-updating-manufacturer-guidance-securable-connected-product).
The NIST team has built upon the concepts introduced in IR 8259 in subsequent publications to elaborate on cyber security for several sectors and use cases. IR 8259 serves as a foundational document for all these publications, providing the conceptual and contextual basis for their guidance. But in their extension of the guidance, these subsequent publications also introduce new concepts.
NIST thus proposes revising IR 8259 to align with the concepts introduced in these publications. Additionally, some topics have consistently come up in discussions with the community that it considers potential areas to add to a revised IR 8259, including:
- Broaden the discussions from a focus on individual IoT devices to considerations of entire IoT products and connected products to reflect the wide variety of applications and use cases that exist.
- Develop the relationship between risk assessment and threat modelling activities.
- Address the different cyber-security considerations between IT, IoT, OT and IIoT.
- Identify insights, considerations, approaches and so on for IoT based on the NIST Privacy Framework, Cyber Physical Systems/IoT Framework, Cybersecurity Framework 2.0 and Secure Software Development Framework.
- Incorporate lessons learned and techniques developed in the execution of several IoT-related NCCoE projects.
- Address emerging connected product technologies more directly, such as immersive tech and artificial intelligence.
- Discuss any relationship that may exist between the repairability of connected products and cyber security.
- Provide guidance on balancing cyber security with device support considerations, especially when there is a significant mismatch between the expected end of support of the IT components and the end of life of the mechanical components of the connected products.
These topics are a few examples of considerations that IR 8259 could incorporate or expand on in a revision. NIST is in the early stages of this effort and look to the community for thoughts and feedback.