By Mark Walker, Director, Technology Policy at CableLabs
This past August, the Open Connectivity Foundation (OCF) published a blog post on the suggested core security capabilities for device manufacturers laid out by the National Institute of Standards and Technology (NIST), and on how the OCF Specification includes and will continue to build upon these capabilities. As these capabilities are included in the OCF Specification, each OCF-certified device has been developed and maintained with security in mind. This security-by-design approach to device development allows the Internet of Things (IoT) to continue to evolve and helps prevent future security and interoperability challenges.
Last month, the OCF submitted comments to NIST in response to draft NISTIR 8259 (“Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers”). These comments range from support for different features to suggestions on how to continue developing these and other capabilities. The OCF supports NIST’s work in IoT security and specifically its development of a core cybersecurity feature baseline for the IoT. More broadly, the OCF urges NIST to work with global governments to help ensure harmonization of IoT security policy to accelerate the promised benefits of the IoT. The OCF also made clear that it has already implemented nearly all of the identified features in its specification and in the associated open source implementation.
The OCF is currently working through how to implement “cybersecurity event logging” and believes the industry would benefit from further guidance from NIST in this area. More generally, the OCF expressed its support for NIST’s flexible approach to implementing the identified cybersecurity features, the recommendation that IoT manufacturers use established IoT platforms, and the need to clearly communicate cybersecurity information to customers. However, the OCF suggested that NIST separate the core baseline of cybersecurity features (Section 4) from the business practice guidance (Sections 3, 5, 6, and 7) and place this latter guidance in a separate, standalone document.
By providing these comments and suggestions, the OCF is actively accomplishing its mission to work with government and industry organizations in order to develop a more reliable, secure IoT for all verticals around the world. As we have said before, IoT security cannot be brought about by a single actor in the industry. Engaging with government organizations and contributing to industry-led security reports, such as the C2 Consensus, showcase the OCF’s leadership as well as its ability to help build a security framework that anyone can follow, no matter the size of the project. The OCF is here to enable every organization to make the IoT a reality.
OCF’s full comments can be found here.