In the final release of the IoT Device Cybersecurity Capability Core Baseline, NIST has identified OCF as an example reference for each of the six core cybersecurity baseline capabilities. This is a reflection of OCF’s continued commitment to developing and driving secure interoperability for IoT devices through not only an open interface specification, but also with IoTivity, the open source implementation, and certification and developer programs. Critically, OCF has incorporated the needed and expected cybersecurity capabilities as articulated and recognized by government agencies into its specification and open source implementation. This is made evident in NIST’s inclusion of OCF as an example reference to help IoT manufacturers develop a deeper understanding of each of the following core capabilities:
- Device Identification: The IoT device can be uniquely identified logically and physically.
- Device Configuration: The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.
- Data Protection: The IoT device can protect the data it stores and transmits from unauthorized access and modification.
- Logical Access to Interfaces: The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.
- Software Update: The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism.
- Cybersecurity State Awareness: The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.
For each baseline capability, NIST includes the relevant section of the OCF specification that supports the capability, further substantiating OCF’s security approach. In addition to OCF, NIST includes reference examples from a number of other organizations. These other examples largely take the form of guidance or best practices, but unlike OCF, they do not provide an actual implementation of the baseline cybersecurity capabilities. Through its specification and open source implementation, OCF provides a ready-to-use, secure interoperability solution for IoT manufacturers.
With its Core Baseline, NIST also released a companion document – “Foundational Cybersecurity Activities for IoT Device Manufacturers” – in which NIST lays out a series of pre-market and post-market activities that an IoT manufacturer should undertake to improve the security of its IoT devices.
- Pre-Market
  - Activity 1: Identify Expected Customers and Define Expected Use Cases
  - Activity 2: Research Customer Cybersecurity Needs and Goals
  - Activity 3: Determine How to Address Customer Needs and Goals
  - Activity 4: Plan for Adequate Support of Customer Needs and Goals
- Post-Market
  - Activity 5: Define Approaches for Communicating to Customers
  - Activity 6: Decide What to Communicate to Customers and How to Communicate It
Beyond just supporting the necessary core cybersecurity capabilities, OCF also significantly streamlines an IoT manufacturer’s efforts in undertaking the recommended cybersecurity activities, in particular those for pre-market. In developing a secure interoperability solution, OCF had to undertake much of the work to define expected use cases, determine cybersecurity needs and goals, and address those needs and goals – at least with respect to smart home IoT applications. These activities were not undertaken in a vacuum, but rather through collaboration and debate across over 500 member organizations, each of which brings its unique perspective and experience to the table to ensure a robust approach to OCF security.
Beyond the NIST baseline, OCF security also stacks up well against a broad array of other IoT security baselines from across the globe, including the European Union Agency for Cybersecurity (ENISA) Baseline Security Recommendations for IoT, the United Kingdom’s Code of Practice for Consumer IoT Security, ETSI’s Cyber Security for Consumer Internet of Things: Baseline Requirements, and the Council to Secure the Digital Economy’s C2 Consensus on IoT Device Security Baseline Capabilities. OCF has mapped its specification to each of these security baselines and can readily support the relevant security requirements from each.
A full mapping of the OCF spec to the NIST baseline as well as these others can be found at https://openconnectivity.org/technology/ocf-security/.