NIST - National Institute of Standards and Technology

11/21/2024 | News release | Distributed by Public on 11/21/2024 08:08

Kicking-Off with a December 4th Workshop, NIST is Revisiting and Revising Foundational Cybersecurity Activities for IoT Device Manufacturers, NIST IR 8259!

In May 2020, NIST published Foundational Cybersecurity Activities for IoT Device Manufacturers (NIST IR 8259), which describes recommended cybersecurity activities that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related effort needed from customers, which in turn can reduce the prevalence and severity of IoT device compromises and of the attacks performed using compromised devices. In the nearly 5 years since this document was released, it has been published in three languages (English, Spanish, and Portuguese), downloaded over 40,000 times, and complemented by two additional entries in the series: IoT Device Cybersecurity Capability Core Baseline (NIST IR 8259A) and IoT Non-Technical Supporting Capability Core Baseline (NIST IR 8259B). NIST IR 8259A and NIST IR 8259B complement the activities described in NIST IR 8259 with specific technical capabilities and non-technical supporting activities that manufacturers should consider in their product designs and support plans to help ensure they are addressing customers' cybersecurity needs and goals.

The NIST IR 8259 series introduced concepts to help manufacturers and customers consider the cybersecurity of IoT devices intended to be connected to a network or system to function. However, additional IoT concepts have come to our attention through NIST's efforts to build upon the foundations of the NIST IR 8259 series that may be useful in adding to NIST IR 8259. NIST seeks discussions with and feedback from the community as we begin the effort of updating NIST IR 8259 at our upcoming workshop on December 4th…and beyond!

Our team has built upon the concepts introduced in the NIST IR 8259 series in subsequent publications to elaborate on cybersecurity for several sectors and use cases (e.g., federal agency use cases and the U.S. Cyber Trust Mark). NIST IR 8259 serves as a foundational document for all of these publications, providing the conceptual and contextual basis for their guidance. But in extending that guidance, these subsequent publications also introduce new concepts. These publications include:

  • IoT Device Cybersecurity Guidance for the Federal Government (NIST SP 800-213) - An application of the NIST IR 8259 series to the Federal Government, incorporating product cybersecurity into NIST's various information system risk management guidance. This document discusses the relationship between product cybersecurity and risk assessment. Additionally, the companion IoT Device Cybersecurity Requirement Catalog (NIST SP 800-213A) provides the most detailed list of capabilities that could be needed from devices and their manufacturers to make those devices securable. This catalog provides many additional capabilities, going well beyond the baselines, including a new technical capability (i.e., device security).
  • Profile of the IoT Core Baseline for Consumer IoT Products (NIST IR 8425) - A profile of NIST IR 8259A and NIST IR 8259B for consumer IoT products. This consumer baseline document prompted the explicit expansion of concepts to directly consider a product and all its necessary components, such as a mobile app, gateway, or remote backend.
  • Recommended Cybersecurity Requirements for Consumer-Grade Router Products (NIST IR 8425A) - This report includes cybersecurity outcomes for consumer-grade router products and associated requirements drawn from router standards, demonstrating how standards and other guidance can provide the basis for requirements that demonstrate satisfaction of cybersecurity capability or outcome statements.
  • Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers (Draft CSWP 33) - A discussion of concepts important to developing and deploying secure IoT products for any sector or use case, including IoT product architecture, deployment, roles, and cybersecurity perspectives.

NIST proposes revising NIST IR 8259 to better align with the concepts introduced in these publications. Additionally, some topics have consistently come up in our discussions with the community that we consider potential areas to add to a revised NIST IR 8259, including:

  • Broaden the discussions from a focus on individual IoT devices to considerations of entire IoT products (and connected products) to better reflect the wide variety of applications and use cases that exist.
  • Develop the relationship between risk assessment and threat modeling activities.
  • Address the different cybersecurity considerations among IT, IoT, OT, and IIoT.
  • Identify insights, considerations, approaches, etc. for IoT based on the NIST Privacy Framework, NIST Cyber Physical Systems/IoT Framework, NIST Cybersecurity Framework 2.0, and the NIST Secure Software Development Framework.
  • Incorporate lessons learned and techniques developed in the execution of several IoT-related NCCoE projects.
  • Address emerging connected product technologies more directly (e.g., immersive technology, artificial intelligence).
  • Discuss any relationship that may exist between the repairability of connected products and cybersecurity.
  • Provide guidance on balancing cybersecurity with device support considerations, especially when there is a significant mismatch between the expected end of support of the IT components and the end of life of the mechanical components of the connected products.

These topics are just a few examples of considerations that NIST IR 8259 could incorporate or expand on in a revision. We are in the early stages of this effort and look to the community for thoughts and feedback. If you'd like to engage with the team or share your ideas, please email us at iotsecurity [at] nist [dot] gov.

Want to learn more?

Join us on December 4th, 2024 at the NIST National Cybersecurity Center of Excellence (NCCoE) to discuss these topics at an all-day event. The morning will consist of a colloquium of speakers from the public and private sectors, while the afternoon will consist of guided breakout sessions to facilitate interactive discussion among attendees.

Register HERE by Friday, November 22nd to attend in person.