This is the second part in a two-part series highlighting IoT security issues and how the OCF addresses them. This blog will cover the suggested security capabilities laid out by NIST that the OCF specification includes and will continue to build upon, ensuring a secure, interoperable IoT around the world.
During the Open Connectivity Foundation (OCF) face-to-face meeting this summer in New Orleans, Louisiana, Michael Fagan, a cybersecurity specialist from the National Institute of Standards and Technology (NIST), spoke to OCF members about NIST’s ongoing work to improve the security of the Internet of Things (IoT), including the development of a core set of security capabilities applicable to all IoT devices. NIST’s mission includes promoting U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
To help drive increased IoT security, NIST develops guidance for industry and the public sector in the form of reports and other publications and through its National Cybersecurity Center of Excellence (NCCoE), which leverages a collaborative model to develop practical solutions to pressing cybersecurity issues. In particular, NIST is currently developing a report (“Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers,” NISTIR 8259 (Draft)) that provides guidance to manufacturers on the core set of security capabilities that should be included in all devices. These capabilities range from logical and physical device identification to the ability for IoT devices’ software and firmware to be updated via a secure, controlled, and configurable mechanism.
So how is the OCF going to implement these capabilities? We already have. Of the six core IoT baseline capabilities identified in the draft NIST report, OCF currently supports five, with plans to cover the remaining one in the near future. These capabilities include:
- Device Identification: OCF supports strong identity through the incorporation of digital certificates in each endpoint, whether an IoT device, a gateway, or a cloud service. Each OCF endpoint can be verified and attested using asymmetric cryptography and an ecosystem PKI administered by OCF.
- Authorized Changes: OCF enables authorized users to securely change an IoT device’s configuration, including restoration to a secure “default.” Preventing unauthorized changes to the IoT device’s configuration helps minimize potential for compromising an IoT device.
- Data Protection: OCF has standardized, well-vetted cryptography that allows IoT devices to secure stored and transmitted data. Using asymmetric cryptography, each OCF endpoint can be verified and attested.
- Local and Remote Access: OCF supports both local and remote access and control of IoT devices and their interfaces, including the use of access control lists to manage authorizations.
- Secure Updates: OCF allows for evaluation of current software as well as triggering updates for IoT devices’ software and firmware using a secure, controlled, and configurable mechanism.
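As an added illustration of the access-control-list capability above (example code written for this post, not OCF project code), the following evaluates a request against ACL entries laid out in the style of OCF's `/oic/sec/acl2` resource: a subject (a device UUID or a connection type), a list of resource hrefs, and a CRUDN permission bitmask. The sample ACL, the UUIDs, and the simplified wildcard handling are constructed assumptions for the example.

```python
# Added example: default-deny evaluation of OCF-style access control entries (ACEs).
# Assumption: entry layout (subject / resources / permission bitmask) is modelled on
# OCF's /oic/sec/acl2; role-based subjects and the "+"/"-" wildcards are left out.

# CRUDN permission bits used in the "permission" field.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16

DEVICE_A = "11111111-2222-3333-4444-555555555555"  # constructed sample UUID

# Constructed sample ACL with one entry per subject kind.
SAMPLE_ACL = {
    "aclist2": [
        # A specific onboarded device may fully manage /light.
        {"aceid": 1, "subject": {"uuid": DEVICE_A},
         "resources": [{"href": "/light"}],
         "permission": CREATE | RETRIEVE | UPDATE | DELETE | NOTIFY},
        # Any authenticated peer on an encrypted session may read and observe /light.
        {"aceid": 2, "subject": {"conntype": "auth-crypt"},
         "resources": [{"href": "/light"}], "permission": RETRIEVE | NOTIFY},
        # Anonymous, unencrypted peers may only read the discovery resource.
        {"aceid": 3, "subject": {"conntype": "anon-clear"},
         "resources": [{"href": "/oic/res"}], "permission": RETRIEVE},
    ]
}

def ace_matches_subject(ace, peer_uuid, conntype):
    subj = ace["subject"]
    if "uuid" in subj:
        # A UUID is only meaningful once the peer has authenticated it over an
        # encrypted session; a UUID claimed on an anon-clear link is ignored.
        return conntype == "auth-crypt" and peer_uuid == subj["uuid"]
    if "conntype" in subj:
        return subj["conntype"] == conntype
    return False  # unsupported subject kind: never matches

def ace_matches_resource(ace, href):
    return any(r.get("wc") == "*" or r.get("href") == href for r in ace["resources"])

def is_authorized(acl, peer_uuid, conntype, href, op):
    """Grant only if some ACE matches the subject, the resource and the requested
    permission bit; anything not explicitly allowed is denied."""
    for ace in acl["aclist2"]:
        if (ace_matches_subject(ace, peer_uuid, conntype)
                and ace_matches_resource(ace, href)
                and ace["permission"] & op):
            return True
    return False
```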
Each of these capabilities is currently supported within the OCF Specification, allowing each device to be developed and maintained with security built in. This security-by-design approach will allow the IoT to continue to evolve while preventing cybersecurity issues that currently impact the industry. The OCF is continuously working to help manufacturers achieve these capabilities via open source reference implementations, developer workshops, interface specifications, and certification regimes. The OCF is committed to secure IoT interoperability today and into the future.