IoT Cybersecurity Improvement Act: New Guidelines to Solve IoT Security Challenges
As the Internet of Things (IoT) continues to become more prevalent in our everyday lives, both at home and in the workplace, the security of connected devices remains an ongoing priority of the Open Connectivity Foundation (OCF) specifications. OCF technology is at the forefront of IoT security, and OCF members regularly monitor industry cybersecurity guidelines to stay abreast of new trends, guidelines and regulations. This is evident in OCF’s alignment with five key industry security baselines.
One such regulation OCF is closely following this year is the IoT Cybersecurity Improvement Act. Passed in late 2020 with bipartisan support, the law requires device manufacturers or OEMs selling to US government agencies to demonstrate compliance with cybersecurity guidelines. Although the act currently only applies to federal government agencies, the regulations are expected to trickle down to the private sector.
The Countdown Has Started on Secure IoT Compliance
By Kyle Haefner, Lead Security Architect, CableLabs
Bruno Johnson, CEO, Cascoda
Joe Lomako, Cybersecurity Lead, TÜV SÜD UK test lab
Internet of Things (IoT) security, like global warming, is one of the few things that can be said to have global awareness, global initiative, and a growing but disjointed global consensus. Governments of the world have recognized that IoT security is a priority problem. In response, they have developed security baseline guidance and drafted and passed legislation to increase IoT security. Manufacturers have realized that building security and privacy into devices adds real value to their brand. This is because consumers are increasingly aware of the importance of security and privacy in the devices they own and, as such, will make purchase decisions based on enhanced security and privacy features.
The challenges facing the industry now lie in navigating a patchwork of regulations that are currently vaguely defined with no clear guidance for certification of compliance. The countdown timer for compliance has already started.
Requirements and Provisions to Be Considered
Legislators in North America and Europe have been developing standards for IoT security. For example, the European Telecommunications Standards Institute (ETSI) has updated the Radio Equipment Directive (RED), which establishes a regulatory framework for placing radio equipment on the market. ETSI adopted a Delegated Act of the RED, activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy.
The update mandates cybersecurity, personal data and privacy protection for devices that can:
- 3d: communicate over the internet, either directly or via any other equipment;
- 3e: process personal data, traffic data or location data;
- 3f: enable users to transfer money, monetary value or virtual currency.
These provisions become mandatory on 1st August 2024, at which point manufacturers of radio connected devices must be compliant or face potential action.
In the U.S., the National Institute of Standards and Technology (NIST) has released a three-pronged approach split among manufacturers, federal agencies and consumers.
For manufacturers, NIST provides guidance in the form of the NISTIR 8259 series. NISTIR 8259A is the IoT device cybersecurity core baseline, which focuses on capabilities such as device identification, device configuration, data protection, logical access to interfaces, software update, and a catch-all for logging and cybersecurity state awareness. NISTIR 8259B covers non-technical requirements such as documentation, information queries from customers, information dissemination, and education and awareness.
For federal agencies, NIST provides guidance in SP 800-213A on the use and management of IoT devices. This publication provides detailed requirements in categories similar to those of NISTIR 8259A, but with more specific requirements under each device capability.
For consumers, NIST, in coordination with the Federal Trade Commission (FTC), has been assigned by President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity to provide criteria on consumer IoT device labeling. This aims to give manufacturers guidance and standards on how to label consumer devices in terms of their capabilities both physical and cyber.
Additionally, in June 2021 the U.S. Federal Communications Commission (FCC) released a notice of proposed rulemaking and notice of inquiry focused on improving the adoption of cybersecurity best practices in consumer electronics.
While there has not been an official call for a cybersecurity certification in the U.S. similar to the RED in Europe, judging by releases from NIST, FTC and the FCC, signs are beginning to point in that direction.
The primary requirement categories are shown in Figure 1 below.
Figure 1. IoT Security Landscape
This legislation creates challenges for manufacturers, operators, and installers of IoT devices.
The Secure Device Lifecycle
A secure device lifecycle is the foundation of all secure device ecosystems. Manufacturers, operators, and installers of IoT devices will need to build upon this foundation to comply with the guidelines and regulations listed above. Stakeholders should be incorporating the secure device lifecycle into their business plans and processes now.
A secure IoT device lifecycle involves hardware, software, and the ecosystem infrastructure required to support the device and its associated services. Secure device lifecycle management, shown in Figure 2 below, encompasses all of the processes from the manufacture of the device, where a cryptographic identity is fused at the factory①, to provisioning operational credentials onto the device②, configuration at the deployment site③, ongoing secure updates during normal operation④, and finally a secure data wipe⑤ at decommissioning⑥.
Figure 2. The OCF Secure Device Lifecycle
Challenges for Manufacturers
For manufacturers, the timeline for meeting the EU’s RED provisions is short, especially given that the average hardware time-to-market is one and a half to two years, even before ongoing supply chain issues are taken into account. Additionally, developing embedded devices with protections for keying material can take extra time, and some manufacturers will need to retool their production lines to accommodate the extra steps of burning key material into the chips.
Challenges for Operators
Consumers expect their smart devices to be manageable wherever, whenever and from any device. To meet this expectation, manufacturers should ensure that their ecosystem offering includes secure communication both proximally and to the cloud, across multiple IP segments. Operators should build out and refine security technologies such as Public Key Infrastructure (PKI) to authenticate, authorize and account for devices within their ecosystems, and do so in a way that creates simple and seamless user experiences.
Challenges for Installers
Depending on the use case, the installation process can include a mix of system integration, application engineering, and IT administration functions. As with manufacturers and operators, installers need to develop suitable technical training and management processes to allow for the appropriate provisioning of secure devices. The provisioning process assigns access rights and privileges to individual users so as to ensure a seamless user experience while maintaining security.
Answering the Call
For several years, manufacturers, vendors and internet operators have been working through various standards organizations to build secure IoT specifications that bring many of the best practices of running secure connected systems into the domain of secure connected and constrained systems.
There are now mature internationally recognized secure IoT communications standards that can help support the requirements set forth by the EU RED and the US NIST. By using such protocol standards, many of the challenges related to IoT security can be overcome.
However good the communications standard, organizations at every level of the IoT supply chain still need to implement appropriate management processes and ensure that their workforce has sufficient training to facilitate a seamless transition to a more secure world.
Governments are moving at an increasing pace to protect the security of networks from vulnerable and insecure devices, as can be seen in the directives and guidelines above coming from both the EU and the US. Specific requirements directly tied to legislation are at best poorly defined and vague, and yet specific deadlines for conformance have already been set. This puts manufacturers in a difficult position when determining the conformance of product lines whose lead times can stretch to multiple years.
The best option right now is to plan to build devices that can meet a majority of the requirements established in ETSI and NIST. It is impossible to foresee what legislation will require, but it is easy to guess that it will be based at least in part on currently established IoT security baselines. Manufacturers must not delay; the clock is ticking.
First published on Cyber Defense Magazine
References
“EN 303 645 – V2.1.0 – CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements.” 2020. ETSI. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf
“Executive Order on Improving the Nation’s Cybersecurity.” 2021. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
“Federal Communications Commission FCC 21-73 Before the Federal Communications Commission Washington, DC 20554 In the Matter of.” 2021. Federal Communications Commission. https://docs.fcc.gov/public/attachments/FCC-21-73A1.pdf
“NIST Internal or Interagency Report (NISTIR) 8259A, IoT Device Cybersecurity Capability Core Baseline.” 2020. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259a/final
“NIST Internal or Interagency Report (NISTIR) 8259B, IoT Non-Technical Supporting Capability Core Baseline.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259b/final
“NIST Special Publication (SP) 800-213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-213a/final
“OCF – Specifications.” n.d. OPEN CONNECTIVITY FOUNDATION (OCF). Accessed March 3, 2022. https://openconnectivity.org/developer/specifications/
About the Authors
Kyle Haefner, PhD is a Lead Security Architect at CableLabs. He also chairs the Core Security work group of the Open Connectivity Foundation (OCF).
Bruno Johnson is the CEO of Cascoda. He also chairs the Marketing and Communications work group of the Open Connectivity Foundation (OCF).
Joe Lomako heads the cybersecurity team in TÜV SÜD’s UK test lab. He has a 25-year background in IoT and wireless connectivity compliance and certification.
OCF: The Crucial First Step to Securing your IoT Product
As new IoT security reports reveal staggering data points, it is becoming essential that the IoT community bands together to improve upon the security of IoT devices. Palo Alto Networks’ global threat intelligence team, Unit 42, recently published its 2020 Unit 42 IoT Threat Report. This report analyzed 1.2 million IoT devices to evaluate the full scope of the current IoT threat landscape, discovering that 98 percent of all IoT device traffic is unencrypted and 57 percent of IoT devices are vulnerable to medium or high-severity attacks. While these numbers may seem unnerving, there remains potential for proper widespread IoT security strategy and implementation.
At first glance, IoT security may seem daunting; however, it is possible to properly secure devices with the right protocols and cybersecurity measures in place. Any IoT security solution must be holistic in its approach, and company IoT deployments must plan to implement security measures across multiple layers, including hardware, network and software security. Open Connectivity Foundation’s focus on the software application layer is a crucial first step in the IoT design process.