
Review of the publication NIST SP 800-213 "IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements"

24.01.2022




Ruslan Rakhmetov, Security Vision


The extensive development of the microelectronics industry and data networks, as well as the development and implementation of new specialised and energy-efficient networking technologies and protocols such as 5G, Bluetooth Low Energy, LoRa, Zigbee and Z-Wave over the last 10 years have led to the formation of a whole class of low-cost and high-performance devices - so-called IoT (Internet of Things) devices.


The application of the IoT concept and the related technologies IIoT (Industrial Internet of Things) and IoE (Internet of Everything), including in industry, medicine, transport and the infrastructure of large companies from retail and logistics to sharing services and utilities, provides fantastic business opportunities and creates new challenges, including in the field of information security risks. These challenges are addressed by NIST SP 800-213 ‘IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements’ and NIST SP 800-213A ‘IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog’, which are analysed in this paper.


In summary, NIST SP 800-213 maintains a logical link to the NIST Risk Management Framework (RMF), most notably NIST SP 800-39, 800-37 and 800-30. At the same time, NIST SP 800-213A provides a catalogue of requirements for the information security capabilities of IoT devices and their manufacturers, logically linked to the provisions of NIST SP 800-53, which describes security and privacy controls. According to the RMF, IoT devices are elements of information systems that can be part of both IT and OT (Operational Technology) networks. OT networks use a variety of devices: sensors, transducers and actuators, which are connected to the IT infrastructure via IoT devices to process incoming information. An example of an IoT device is an LPWAN modem that transmits readings from a pressure sensor on a hard-to-reach section of a gas pipeline to a control centre, where this telemetry is used to analyse the efficiency of gas pumping and the fulfilment of contractual obligations.


One of the peculiarities of IoT devices is that they are introduced into an already functioning IT/OT infrastructure from which more telemetry of business value (analytics, forecasting, control) is required. To give a trivial example, a security manager decides to install ‘smart’ video surveillance cameras on the company's premises and connects them to the Internet for remote monitoring; after the purchase, however, it turns out that the devices have no functionality to restrict network connections or to protect against brute-force attacks, and the manufacturer provides neither instructions for configuring user access rights nor an updated version of the firmware. For such situations, NIST SP 800-213 proposes an approach that consists of establishing cybersecurity requirements for the functionality of IoT devices while also analysing the ability of the manufacturer/supplier to address organisational and technical IS issues, which in turn should help to keep cyber risks at a predetermined acceptable level after the IoT devices are deployed.


Identifying and establishing information security requirements for IoT devices in accordance with NIST SP 800-213 consists of three steps:


1. Identification of usage scenarios of IoT devices and characterisation of information security properties in them:


1.1 Use cases and business benefits of IoT devices, using cost-benefit analysis and considering that IoT devices can become a breach in a company's defences and serve as an entry point into the IT infrastructure for attackers.


1.2 The impact of IoT devices in collecting, storing, and transmitting protected information (e.g., personal data, trade secrets, data on the state of the critical information infrastructure object, proprietary information on the device's operating environment, etc.), taking into account the specifics of data processing: use of cloud infrastructures, vendor's or its contractors' networks, interaction with web applications, data transfer to other jurisdictions.


1.3 Interaction with other components of information systems in the company, taking into account the impact of IoT devices on the physical operating environment and on other IT/OT elements: for example, whether IoT devices can affect the privacy of employees' personal data when used in video surveillance systems, or the safety of the employees themselves in the case of smoke detectors or wearable electronics. In addition, one must consider the architectural features of IoT devices, such as prioritising operational reliability over cybersecurity, the inability to change properties fixed in the device firmware, and the use of proprietary protocols and data formats. Known vulnerabilities should also be considered: they must either be remediated (by changing settings or re-flashing the device) or mitigated with compensating measures.


1.4 IS assurance practices of IoT device vendors: does the vendor follow the SSDF (Secure Software Development Framework, NIST SP 800-218), does the vendor follow supply chain risk management guidelines (in accordance with NIST SP 800-161), how does the vendor remediate and disclose vulnerabilities, and how does the vendor deliver firmware updates that address vulnerabilities in its IoT devices.


2. Identifying the impact of IoT devices on the company's cyber risk level assessment:


2.1 The impact of IoT devices as sources of new cyber threats and causes of new IS incidents.


2.2 The impact of IoT device vulnerabilities on the security state of the company and its infrastructure (e.g., a default and unchangeable superuser password can become a point of entry for attackers into the company or, at a minimum, make the IoT device part of a botnet for DDoS attacks at the hacker's command).


2.3 The impact of IoT devices on the probability that IS threats are realised: for example, an IoT device with a permanent Internet connection over a cellular network has an increased probability of an attacker exploiting network vulnerabilities in the device. The specifics of IoT devices and their interaction with protected assets should be considered: for example, IoT devices (with the exception of edge computing devices) typically do not store business data, which reduces the need for ‘data at rest’ protection (although credentials, keys and configuration held on the device still need protecting), but ‘data in transit’ protection should be applied when they transmit information.


2.4 Assess the damage/impact when IS threats are realised by IoT devices: for example, the failure of a critical infrastructure IoT device or medical IoT device can significantly increase the potential damage to a company.


3. Identifying the IS characteristics required of IoT devices:


3.1 Select applicable IS requirements and information security properties of IoT devices to maintain an acceptable level of cyber risk.


3.2 Select applicable IS measures from authoritative sources (the catalogue of requirements in NIST SP 800-213A, IS controls from NIST SP 800-53, and the applicable NIST Cybersecurity Framework categories).


The document divides cybersecurity requirements for IoT devices into key requirements and other requirements. Key device cybersecurity requirements are the IS characteristics that an IoT device must have or that its manufacturer must provide; without them, the IoT device cannot be integrated into the company's information systems. Other requirements that a device does not meet can be covered by compensating measures and externally imposed information security measures. The paper also emphasises that information about the IS functions and characteristics of an IoT device should be obtained before it is purchased and put into operation, which in turn means that close interaction with the device manufacturer/supplier is necessary before a purchasing decision is made. It is further emphasised that IoT device manufacturers often neglect to implement information security features and vulnerability remediation in order to be cost-effective and remain price-competitive.


The following is a brief description of NIST SP 800-213A, ‘IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog’. This document contains a list of information security requirements that can be imposed on IoT devices both from a technical point of view (software and hardware functionality of the device) and from an organisational point of view (documentation, vendor's work with vulnerabilities, consumer training by representatives of the vendor or supplier).


Technical requirements are represented by the following groups:


1. Device identification: availability of unique device identifiers and the ability of the device to authenticate itself using them.


2. Device configuration: logical separation of access to device settings, configuration of interfaces and of the information displayed on the device screen.


3. Data protection: cryptographic methods for protecting processed information to ensure confidentiality and integrity, including performing cryptographic operations, managing encryption keys, encrypting data on the device, and providing an encrypted data channel.


4. Logical access to interfaces: support for authentication and authorisation mechanisms, support for a role-based access control model, management of user accounts on the device, secure connection to external services, and management of remote access to the device.


5. Software update: installation of updates only from trusted sources, the ability to roll back installed updates, and installation of updates from remote and local sources.


6. Providing information about the device's information security status: maintaining security logs with the required level of detail and retention period, timestamping events, device response to IS events, and protection of security logs.


7. Device security: protection of executable code, protection of interaction with other devices, secure use of system resources, ensuring the integrity of the device software and hardware, secure connection to networks, and physical protection of the device.
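The update requirements in group 5 and the software integrity requirement in group 7 are easier to assess in a procurement review when one has seen what a correct implementation looks like. The following is an added example written for this review, not code from NIST or from Security Vision: a device-side check that accepts a firmware image only when its manifest verifies against a trusted key, the image hash matches the manifest, and the version does not go backwards, except for an explicit, authorised rollback to the image the device itself previously installed and verified. Everything in it is constructed: the manifest layout, the sample images and the HMAC-SHA256 tag that stands in for the vendor's asymmetric signature (a real device must verify a public-key signature, because a symmetric key read out of one device would let an attacker sign updates for the whole fleet).

```python
"""Added example (not NIST's or Security Vision's code): device-side firmware
update acceptance implementing three catalogue items: updates only from a
trusted source, image integrity, and controlled rollback. All names, the
manifest layout and the sample images are constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed key. ASSUMPTION: HMAC-SHA256 stands in for the vendor's
# asymmetric signature so the example runs with the standard library only;
# a real device holds a vendor *public* key and verifies a signature.
VENDOR_KEY = b"example-vendor-key-do-not-use"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    """Serialise the manifest canonically and append an authentication tag."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


class UpdateRejected(Exception):
    """Raised when an update fails one of the acceptance checks."""


class Device:
    """Minimal model of a device's update slot and its anti-rollback state."""

    def __init__(self, version: int, image: bytes):
        self.version = version
        self.image = image
        self.previous = None  # (version, image) last installed and verified

    def apply_update(self, signed_manifest: bytes, image: bytes,
                     allow_rollback: bool = False) -> int:
        # 1. Trusted source: authenticate the manifest before reading any field.
        body, _, tag = signed_manifest.rpartition(b"\n")
        expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            raise UpdateRejected("manifest not signed by the trusted source")
        manifest = json.loads(body)

        # 2. Integrity: the delivered image must be the one the manifest names.
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            raise UpdateRejected("image hash does not match manifest")

        # 3. Anti-rollback: no downgrade unless an authorised rollback to the
        #    exact image this device previously installed and verified.
        new_version = int(manifest["version"])
        if new_version <= self.version:
            if not (allow_rollback and self.previous == (new_version, image)):
                raise UpdateRejected(
                    f"version {new_version} is not newer than running v{self.version}")

        self.previous = (self.version, self.image)
        self.version, self.image = new_version, image
        return self.version


def constructed_update(version: int, payload: bytes, key: bytes = VENDOR_KEY):
    """Build a constructed (image, signed manifest) pair for the example."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return payload, sign_manifest(manifest, key)


def run_scenarios() -> dict:
    """Drive the checks with constructed updates; returns label -> outcome."""
    dev = Device(version=3, image=b"fw-v3")
    img4, man4 = constructed_update(4, b"fw-v4")
    img2, man2 = constructed_update(2, b"fw-v2")
    img3, man3 = constructed_update(3, b"fw-v3")
    evil, forged = constructed_update(9, b"fw-evil", key=b"attacker-key")
    cases = [
        ("valid v4 update", man4, img4, False),
        ("manifest signed with wrong key", forged, evil, False),
        ("image tampered after signing", man4, b"fw-v4-tampered", False),
        ("downgrade to never-installed v2", man2, img2, True),
        ("downgrade to v3 without authorisation", man3, img3, False),
        ("authorised rollback to previous v3", man3, img3, True),
    ]
    outcomes = {}
    for label, manifest, image, rollback in cases:
        try:
            outcomes[label] = f"installed v{dev.apply_update(manifest, image, rollback)}"
        except UpdateRejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(f"{label:40} -> {outcome}")
```

The order of the checks matters: the manifest is authenticated before any of its fields are read, so a forged version number cannot influence the decision, and the image hash is compared before the version so a tampered image is never treated as the legitimate one. Rollback is limited to the previous verified image, because the catalogue's rollback capability is meant to recover from a bad update, not to reopen old vulnerabilities by installing arbitrary older firmware.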


Organisational (non-technical) requirements are represented by the following groups:


1. Documentation: description of the device operation in various scenarios and environments, compliance with legislative and other regulations, description of the device information security functions, description of the device technical support and maintenance process, description of the device authentication process by the buyer.


2. Receiving feedback and questions from customers: sharing information about the vulnerabilities found and how to fix them, answering customers' questions regarding the device IS functions.


3. Dissemination of information about IoT device cybersecurity by the manufacturer.


4. Educating customers on the cybersecurity of the IoT device.


Finally, Appendix B provides a table mapping the requirements of NIST SP 800-213A to the controls of NIST SP 800-53 Rev. 5, ‘Security and Privacy Controls for Information Systems and Organizations’.

