Executive Order 14028[i],
issued in May 2021, required NIST to develop a “cybersecurity labeling program”
for IoT devices. The program was never intended to be regulations, but rather a
certification issued by one or more private sector organizations, which would
be sponsored and encouraged by the federal government. While there has been a
lot of uncertainty about when the program will be announced and what it will
include, it seems that will soon go away.
In June, there will be a White House announcement about the
program. Here is some information I currently have on it:
1.
The basis for all certifications will be NIST.IR
8425, which is discussed in detail below.
2.
It appears that the program will be run by the Consumer Technology Association (which runs
the huge Consumer Electronics Show every year).
3.
Some organizations that currently offer cybersecurity
certifications for IoT devices will be empowered to issue their own labels, but
they will have to at least address the guidelines in NISTIR 8425. One of those
organizations is the IoXT Alliance.
One of my clients, Red Alert Labs in France, is one of the small number of
organizations that has been certified
as an assessor for IoXT.
Of course, I expect the announcement in June will provide a
lot more information on the program. In the meantime, both IoT device
manufacturers and IoT device users (which includes almost every business, and a
good percentage of the people, on the planet) should take a look at NIST.IR
8425, which I think is a very good document. I wrote a post
on it after it came out last fall, but below is a larger discussion of what’s
in the document.
NIST.IR 8425
was released in September 2022. It appears to be the last NIST document
regarding IoT device cybersecurity, at least in the near term. The NIST.IR 8259
series (including NIST.IR 8259 as well as 8259A through 8259D, all of which
were developed in 2020) provides a larger set of IoT guidelines than what is
included in this document. NIST.IR 8425 contains a subset of what’s in the 8259
series, which were selected with a lot of input from the software community in
2021.
NIST.IR 8425 is intended to be the set of guidelines for the
device labeling program, but this is clearly meant to be a baseline for all IoT.
It consists of selections from NIST.IR 8259A (“IoT Product Capabilities”, or
technical requirements) and NIST.IR 8259B (“Product Developer Activities”, or
manufacturer policies and processes). The specific selections from these two
documents are listed on page 11 of NIST.IR 8425.
There are many things to like about NIST.IR 8425. One is
that, unlike the earlier NIST documents on the “consumer” IoT device labeling
program, this document is clearly aimed at IoT products for businesses as well
as households. This is emphasized in the Abstract on page i. The first sentence
states that the publication “…identifies cybersecurity capabilities commonly
needed for the consumer IoT sector (i.e., IoT products for home or personal
use)”. However, the second sentence reads, “It can also be a starting point for
businesses to consider in the purchase of IoT products.”
NIST has recently stated that there will later be a set of
IoT guidelines that is aimed at “enterprise” devices – presumably devices that
are aimed at large businesses and government agencies. If so, those requirements
will likely be selected from NIST.IRs 8259A and 8259B. NIST.IR 8425 should be
seen as the initial step toward compliance with the “enterprise” guidelines,
when and if they appear in the future. In the meantime, 8425 provides a good
set of baseline requirements.
The remainder of this post provides comments on many of the
requirements and subrequirements in NIST.IR 8425. However, these are only a
minority subset of the total requirements. The reader is encouraged to read the
whole document.
IoT Product Capabilities
Asset Identification (page 5)
“The IoT product is uniquely identifiable and inventories
all of the IoT product’s components.
1. The IoT product can be uniquely identified by the
customer and other authorized entities (e.g., the IoT product developer).
2. The IoT product
uniquely identifies each IoT product component and maintains an up-to- date
inventory of connected product components.”
By “components”, NIST is referring to the four things that
are part of what they call an IoT “product”. They include:
1.
The device itself
2.
Any hardware that’s required to be used with the
device, like an intelligent hub
3.
Any software interface to the device, like on a
smartphone
4.
The cloud backend
This requirement states that a) the “product” needs to be
uniquely identifiable by users, although users are almost always just going to point
to the device itself, not the cloud backend or the smartphone app (even though
NIST considers these to be just as much part of the IoT product as the device
itself); and b) the “product” always maintains an inventory of its components,
although a footnote points out that the inventory can be installed on any of
the components – such as the cloud backend.
Product Configuration (page
6)
“The configuration of the IoT product is changeable, there
is the ability to restore a secure default setting, and any and all changes can
only be performed by authorized individuals, services, and other IoT product
components.
1. Authorized individuals (i.e., customer), services, and
other IoT product components can change the configuration settings of the IoT
product via one or more IoT product components.
2. Authorized individuals (i.e., customer), services, and
other IoT product components have the ability to restore the IoT product to a
secure default (i.e., uninitialized) configuration.
3. The IoT product applies configuration settings to
applicable IoT components.”
Perhaps the most important of these three items is number 2.
The product needs to be capable of being restored to its secure default
configuration, and both services and other components of the product need to be
able to do this. While this is essential for real “consumer” devices, business
users may not want this capability, since a rogue service might reset the
device when it’s performing an important function. Business users will probably
want to be able to turn this capability off, at least some of the time.
Data Protection (page 7)
“The IoT product protects data stored across all IoT
product components and transmitted both between IoT product components and
outside the IoT product from unauthorized access, disclosure, and modification.
1. Each IoT product component protects data it stores via
secure means.
2. The IoT product has the ability to delete or render
inaccessible stored data that are either collected from or about the customer,
home, family, etc.
3. When data are sent between IoT product components or
outside the product, protections are used for the data transmission.”
Many people, when they think of protecting data stored in an
IoT product, just think of protecting data stored in the device itself.
However, it’s equally important to protect data stored in the cloud backend,
the smartphone app, and any other components. It’s also important to protect
data as it’s transmitted between the components.
Interface Access Control (page 8)
“The IoT product restricts logical access to local and
network interfaces – and to protocols and services used by those interfaces –
to only authorized individuals, services, and IoT product components.
1. Each IoT product component controls access to and from
all interfaces (e.g., local interfaces, whether externally accessible or not,
network interfaces, protocols, and services) in order to limit access to only
authorized entities. At a minimum, the IoT product component shall:
a. Use and have access only to interfaces necessary for
the IoT product’s operation. All other channels and access to channels are
removed or secured.
b. For all interfaces necessary for the IoT product’s use,
access control measures are in place (e.g., unique password-based multifactor
authentication, physical interface ports inaccessible from the outside of a
component).
c. For all interfaces, access and modification privileges
are limited.
2. Some, but not necessarily all, IoT product components
have the means to protect and maintain interface access control. At a minimum,
the IoT product shall:
a. Validate that data shared among IoT product components
match specified definitions of format and content.
b. Prevent unauthorized transmissions or access to other
product components.
c. Maintain appropriate access control during initial
connection (i.e., onboarding) and when reestablishing connectivity after
disconnection or outage.”
Often, a device manufacturer will consider it enough
protection if they simply instruct users to disable any physical or logical
interfaces that they don’t need. But that doesn’t allow for the idea that users
of some devices may need to utilize certain interfaces at some times but not
others. Having that capability requires being able to control access by
interface.
The fact that this requirement is here shows that this
document isn’t just for pure “consumer” products. The owner of a baby monitor
shouldn’t need to be able to control access at the interface level. But a
business might very well need to do that.
Software Update
(page 9)
“The software of all IoT product components can be updated
by authorized individuals, services, and other IoT product components only by
using a secure and configurable mechanism, as appropriate for each IoT product
component.
1. Each IoT product component can receive, verify, and
apply verified software updates.
2. The IoT product implements measures to keep software on
IoT product components up to date (i.e., automatic application of updates or
consistent customer notification of available updates via the IoT product).”
Item 1 is important. It says that each component – the
device itself, the cloud backend, and the smartphone app – must be able to
verify and apply its own updates; no component should have to depend on another
component to update itself, since communication among the components can never
be taken for granted.
Cybersecurity State
Awareness (page 10)
“The IoT product supports detection of cybersecurity
incidents affecting or affected by IoT product components and the data they
store and transmit.
1. The IoT product securely captures and records
information about the state of IoT components that can be used to detect
cybersecurity incidents affecting or affected by IoT product components and the
data they store and transmit.”
This might seem like an odd requirement, since it says the
product needs to capture information about the state of IoT components, but it doesn’t
even attempt to say anything about what that information is. A footnote at
least gives some examples:
Information
about the state of IoT components that would be useful to detecting
cybersecurity incidents is highly contextual to the IoT product, its
components, and its operation. In most cases, temporal information such as
time-stamp or location data (digital or physical) should be captured. Software
and hardware version and operational state (e.g., known fault or exception
thrown) may help detect cybersecurity vulnerabilities (e.g., specific software
or hardware may have known vulnerabilities). Cybersecurity state information
may also contain records of commands and actions received by and executed by
the IoT product or other data that is meaningful to the IoT product and how it
works, and are therefore useful to detecting incidents.
Clearly, this is something that needs to be configurable by
the integrator of the device, although probably not by the end user.
IoT Product
Non-Technical Supporting Capabilities
Until this point, all of the items have been “IoT Product
Capabilities”. The remaining items are all classified as “IoT Product
Non-Technical Supporting Capabilities”. That is, these relate to the
capabilities of the manufacturer or integrator of the product, not to the
capabilities of the product itself.
Documentation (page 11)
This is a long section and lists over 30 individual topics
that need to be addressed in documentation by the manufacturer. Of course, if
any of these topics is not relevant to the type of device in question, the
manufacturer should indicate that the topic is not applicable. Below are topics
I consider particularly relevant:
Item 1.a.vi. (page 11): “(The documentation
must address) The IoT product developer’s assumed cybersecurity requirements
for the IoT product.”
The developer’s “assumed requirements” should include
everything in this document, but they could always include more. For example, NIST.IR
8425 includes a subset of the requirements in two larger documents: NIST.IR.8259A
and NIST.IR.8259B. A manufacturer that wants to go beyond what NIST.IR 8425
requires might decide to follow most or all of the 8259A and B requirements.
Item 1.d.iv. (page 12): “(The documentation
must address) Consideration for the known risks related to the IoT product
and known potential misuses.”
This is very important. It implicitly acknowledges that,
with IoT products being put to such diverse uses, there’s no way that a single
set of requirements can address all known risks to the product. On the
other hand, NIST wants manufacturers to acknowledge any product-specific risks
they know about, even if they’re not fully mitigated. By including this
requirement, NIST is requiring the manufacturer (or integrator) to point out product-specific
risks to users. (My opinion is that, if the manufacturer has already mitigated
a risk, they shouldn’t feel obligated to point it out, unless there remains
some residual risk that needs to be mitigated. And any serious risk shouldn’t
be pointed out in documentation, but perhaps in private verbal communication
with users. Of course, if there really is a serious risk in the product, for
which there is currently no mitigation available, why is the manufacturer
putting the product on the market at all, except because…no, that can’t be…they
prioritize making money over the security of their customers! What a ridiculous
idea…)
Item 1.d.v. (page 12): “(The
documentation must address) Secure software development…practices used.”
It would be wise for developers to say they’ve followed
NIST’s new Secure Software Development Framework (SSDF), although they will
need to be prepared to show how they’ve followed it. As with any NIST framework,
the manufacturer needs to perform a risk assessment, which determines which of the
items in the framework they will address and which they will not address. However,
the developer needs to be able to state that they have at least considered
every item in the framework, and provide a reason why they have not addressed
any particular item.
Item 1.d.v. (page 12): “(The documentation
must address)…supply chain practices used.”
This phrase refers to the practices the manufacturer follows
with respect to their own suppliers – i.e., the developers of the hardware and
software included in the device. It would be best if the manufacturer could
indicate they follow a particular framework of supply chain practices. NIST’s primary
supply chain security format is NIST SP800-161, which is far too detailed for
this application. However, the NIST Cyber Security Framework (see below) describes
a good set of supply chain security practices, which might be appropriate in
this context.
Item d.vi. (page 12): “(The documentation must
address) Accreditation, certification, and/or evaluation results for
cybersecurity-related practices.”
This item refers to general cybersecurity-related practices,
not specifically supply chain practices. The most widely used cybersecurity
framework in the US now is the NIST Cyber Security Framework (CSF). The CSF is
something like a security maturity model. It delineates three tiers of cyber
practice. The organization needs initially to determine into which tier it falls,
and then develop a plan to achieve the next tier. To establish conformance with
this requirement, the manufacturer could provide a copy of the initial
assessment and the tier to which they were assigned, as well as their
documented plans to move to the next tier.
Item 1.f.i. (page 12): “(The documentation
must address) Steps taken during development to ensure the IoT product and
its product components are free of any known, exploitable[ii]
vulnerabilities.”
This requirement seems to indicate that an IoT product (or
any standalone software product) can never be secure unless all “known,
exploitable” vulnerabilities have been patched. In fact, there is general agreement
in the software community that having some number of unpatched low-severity vulnerabilities
does not in itself pose much if any risk to software products or intelligent
devices. Therefore, requiring suppliers to patch every vulnerability of any severity
level is likely to lead to a mis-expenditure of resources, which will
ultimately result in higher prices to consumers.
A better way to word this requirement would have been, “Steps
taken during development to ensure the IoT product and its product components
are free of any serious, exploitable vulnerabilities.”
Item 1.f.ii (page 12): “(The
documentation must address) The process of working with component
suppliers and third-party vendors to ensure the security of the IoT product and
its product components is maintained for the duration of its supported
lifecycle.”
This requirement is much more understandable when it is
restated using the active, not passive, voice: “The device manufacturer needs
to implement and maintain a program to work with component suppliers and
third-party vendors to ensure the security of the IoT product and its product
components.”
New vulnerabilities are identified all the time by security
researchers and sometimes by hackers. Thus, no matter how rigorously the
supplier followed secure software development practices, new vulnerabilities
can be identified in any product at any time. The manufacturer needs to
acknowledge this fact by implementing and maintaining a vulnerability
management program, which includes identification of new vulnerabilities in
software or firmware installed in their product, and providing patches for any
of those vulnerabilities deemed to be serious.[iii]
Item 1.f.iii (page 12): “(The
documentation must address) Any post end-of-support considerations, such as
the discovery of a vulnerability that would significantly impact the security,
privacy, or safety of customers who continue to use the IoT product and its
product components.”
The previous requirement addresses the issue of
vulnerabilities that occur during the period that the IoT product is under support
by the manufacturer, meaning the manufacturer takes responsibility for patching
significant vulnerabilities. However, that responsibility ends when the product
is no longer under support. This is a normal practice in the software and intelligent
device worlds: The manufacturer makes it clear that, as of a certain date, they
will no longer provide updates or patches for a particular version of a
software product or device. After that date, customers who do not upgrade to a
supported version (or move to a competitor’s product), yet continue to use the
product, will run the risk that a serious new vulnerability will be discovered
in the product, for which the manufacturer will not provide a patch. As long as
the manufacturer provides sufficient advance notification[iv]
of the end of support, their customers cannot claim they are being treated
unfairly.
This requirement takes into consideration the fact that, no
matter how much advance notice a manufacturer provides, there will always be
some customers who will not upgrade. What will happen if a serious
vulnerability is discovered after the end of support? Often, even if one of the
“holdout” customers now wants to upgrade, they will run the risk of suffering a
serious breach before they can complete the upgrade. While the manufacturer is
free to adopt any policy they wish in this situation, they might decide to
develop a patch for the vulnerability and offer it to the holdout customers for
a fee. They also may offer a post-end-of-life support contract, which usually carries
a hefty fee.[v]
1.g.iv. (page 13): “(The
documentation must address) Policy for disclosing reported vulnerabilities.”
Disclosing reported vulnerabilities is always a difficult
question to discuss in a policy context. Of course, if the manufacturer has
developed a patch for the vulnerability, there is no question they should
disclose the presence of the vulnerability in their product, although this
should be done at the same time that they announce the availability of the
patch. By the same token, there is not much question that the manufacturer
should not disclose the presence of the vulnerability if they expect to
have the patch available in a short amount of time, perhaps one day.
However, the discussion becomes more difficult if the manufacturer
has not yet developed a patch for a serious vulnerability that they know is
present in their product. The policy will depend on the answers to several
questions:
1. Has
the vulnerability been publicly disclosed and is there general awareness of it
– at least in the hacker community?
2. Has
the vulnerability begun to be actively exploited in the general community?
3.
Has it been revealed that the vulnerability is
present in the product in question, or have active exploits of the
vulnerability in that product already begun?
If the answer to question 1 is No, it would not be a good
idea for the manufacturer to reveal that their product is vulnerable. If the
answer to question 1 is Yes but the answer to question 2 is No, it would also
probably not be a good idea for the manufacturer to reveal that their product
is vulnerable (of course, in both of these cases, the manufacturer should
expedite development of the patch as quickly as possible).
If the answers to questions 1 and 2 are Yes but the answer
to 3 is no, the answer to the question whether the supplier should announce the
vulnerability in their product is not clear-cut. The manufacturer needs to determine
a) how long it will take them to develop the patch, and b) how quickly exploits
of the vulnerability are spreading. The more imminent the availability of the
patch, the more the manufacturer should lean toward not revealing the
vulnerability.
However, if exploits are spreading very rapidly and it is
possible that one or more of the devices will be attacked before the patch is
available, the manufacturer should probably announce that the device is
vulnerable and recommend a mitigation, including perhaps removing the device
from customer networks pending the patch being available.
If the answers to all three
questions are Yes, there is not much question that the manufacturer should
announce that their device is vulnerable, and – unless there is an effective
alternative mitigation already available – suggest that customers remove the
device from their networks, pending availability of the patch.
Product education and awareness
(page 16)
This section addresses a deficiency in documentation for
many software products and IoT devices: The documentation describes the
cybersecurity capabilities of the device but says nothing about why those
capabilities should be used and how the customer might decide the proper policies
and settings.
The section makes clear that the IoT device manufacturer should
do more than just recite technical details about their product in their documentation,
especially when it comes to security capabilities. They need to discuss the
following:
1.
Why the customer might want to change the
default configuration settings.[vi]
2.
The different options for access control
(including password settings), and considerations for deciding appropriate
policies.
3.
Securely managing data on the device and its
components (especially the cloud component).
4.
Maintaining security of the device and its
components, including after support from the manufacturer has ended.
5.
Managing vulnerabilities in the device and its
components.
[i] Section
4, subsections (s) and (t)
[ii] The
word “exploitable” is important. As IoT device manufacturers start to issue software
bills of materials (SBOMs) to their customers regularly, the customers are
likely to be alarmed to discover many vulnerabilities, when they look up the components
(dependencies) listed in an SBOM in a vulnerability database. However, probably
over 95% of vulnerabilities in software components do not pose a risk to the
user of the device, because an attacker would never be able to “exploit” them
to penetrate the device; this is often because of how the component was incorporated
into the product by the developer. In the near future, it is hoped that a “VEX”
(Vulnerability Exploitability Exchange) API will be available to inform users
that particular vulnerabilities found in software components are not exploitable
in the product itself.
[iv] What
constitutes “sufficient notification” will vary by the type of product and
other circumstances. Generally, notification should be provided at least a year
in advance, and sometimes longer.
[v] Sometimes,
a manufacturer will consider a new vulnerability to be so serious, that they
will make an exception and “backport” a patch for the out-of-support versions
of their product. Of course, a customer should never count on their doing this.
[vi] Of
course, the manufacturer should never reveal the default settings themselves.