NIST official warns against device-only approach to secure IoT

As federal agencies near a congressional deadline to regulate purchases of devices capable of connecting to the Internet, a leading official at the National Institute of Standards and Technology highlighted the role of cloud services and other infrastructure providers— Beyond device makers – play in mitigating cyberattacks that want to take advantage of their connectivity.

“The product is often more than just what” [customers] “In a box they buy off the shelf,” said Katerina Megas, who manages NIST’s program on cybersecurity for the Internet of Things. “There is often a mobile app that controls access to the device. Is, [that] lets you gain access to data on the device; It can let you turn it on and off. Often, that device is connected to the cloud.”

Megas was speaking at an event organized by the American Enterprise Institute on Tuesday. He is a NIST’s a. has led the production of series of documents that together guidance agencies must follow under the IoT Cyber ​​Security Reform Act, a bipartisan bill that Congress approved in late 2020, along with High praise from cyber security executives,

is a list of documents equipment capacity Agencies can use that to inform their new procurement requirements, which Megas said must be activated in December under the law. Agencies may want to consider whether vendors allow them to change the passwords needed to access their devices, for example, according to Catalog.

In conjunction with the IoT Cyber ​​Security Reform Act, NIST also references a set of documents—the 8259 series—that emerged from an executive order during President Donald Trump’s administration. That May 2017 order was seen to build “resilience against botnets and other automated, distributed threats.” and as a result a roadmap It set out roles and responsibilities for not only the equipment manufacturer, but also the enterprise end users of the equipment and the Internet service providers who supply the infrastructure connecting them to each other.

“We have to make sure we don’t lose sight of the fact that everything is interconnected,” Megas said. “We’ve always warned, ‘Let’s not just say, you know, cyber security has a responsibility [only with] Manufacturers of equipment.’ It really is an ecosystem. You cannot expect the device to be secure, as it is very interconnected.”

The roadmap for 2018 was procured from key industry stakeholders, including the telecom industry, which Agreed On the importance of measures to secure Internet routing systems such as the Border Gateway Protocol to protect against botnet attacks, in which hackers can induce widespread denial of services on a network by remotely controlling hijacked IoT devices.

But as other federal agencies Call the Federal Communications Commission The industry is opposed to such regulation, with the industry considering moving beyond voluntary initiatives to address vulnerabilities in routing systems.

“Respect the Internet’s multi-stakeholder standards development process,” reads a November 2 report From the Broadband Internet Technology Advisory Group, a non-profit sponsored by Internet service providers such as Comcast and AT&T. “If regulation is considered, set targets rather than specify technologies.”

On stage with Megas during the AEI event, Brian Schreiber, vice president of security and privacy technologies for CableLabs—a trade association for the cable industry—also took issue with an aspect of NIST. Guidelines for IoT procurement of agencies.

The first device capability listed on NIST’s list of potential requirements is the device’s ability to identify itself. NIST saw the utility of device manufacturers called manufacturer’s use descriptions—or MUDs—files in their products in connection with an agency project called “Device Intent Signaling.”

“The device can send a message to the router and say, ‘I’m a light bulb… I shouldn’t be talking to the thermostat in my house.’ This light bulb shouldn’t be able to talk to other things,” said Megas, describing the project.

Referring to the responsibilities of enterprise clients such as agencies, Schreiber said, “[MUD] Downstream puts an awkward responsibility on someone else to solve the problem,” adding, “there’s no economic driver to go back and necessarily update that device.”

Megas defended the inclusion of MUD in NIST’s guidance, saying that a same document The agency has submitted in relation to President Joe Biden’s Executive Order on Cyber ​​Security describing customer IoT responsibilities. He stressed the need for stakeholders to adopt the concept of “protect in depth” to effectively improve the cyber security of the Internet of Things through a comprehensive approach.