IoT Device Cybersecurity Guidance for Manufacturers


The National Institute of Standards and Technology (NIST) has released baseline guidance for IoT device cybersecurity. Internet of Things (IoT) refers to computing devices that integrate physical and/or sensing capabilities and network interface capabilities. Providing security for these devices becomes more challenging as they become smaller, more prevalent, and more capable.

The Growth of IoT

IoT devices can be found in every sector of society. This is because IoT solutions are a cost-effective means of integrating connected devices. IoT devices include smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment. They can also be found in industrial controls technology, agriculture, military, and infrastructure applications.

IoT devices are functional, inexpensive, and easy to implement. As a result, there has been an amazing growth in this market. Presently the global market value is in the trillions of dollars. It is estimated that 31 billion IoT devices will be installed around the world by the end of 2020.

IoT Device Core Baseline Cybersecurity

The NIST publication gives manufacturers recommendations for improving the securability of the IoT devices they make. It provides six actionable items: four that should be conducted to assess pre-market impact, and two activities with primarily post-market impact. Because these activities affect the process by which design specifications should be created, the document is primarily intended for the development of new devices.

Pre-Market Activities for Baseline IoT Security

IoT product manufacturers should consider the security of a product throughout its life cycle. This includes an examination of how the product integrates into the customer's probable usage and overall system requirements. Because these factors will vary widely from product to product, the following steps should be conducted:

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals.
  4. Plan for adequate support of customer needs and goals.

IoT Considerations After Product Release

It is important to define methods for communicating cybersecurity risks and recommended protocols. These considerations should include a declaration of risk-related assumptions. It is important to remember that both the manufacturer and the consumer share a responsibility in implementing and maintaining security.

NIST has provided a list of six recommended security features that manufacturers should build into IoT devices.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: Internally stored data should be protected by a device.  This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

Additional Protective Steps

Because IoT devices often do not allow access to their built-in management tools, implementing IoT devices can provide access points into networks that contain sensitive data. Additionally, preventing unauthorized persons from accessing devices can be a challenge in large industrial settings. Therefore, segregation and isolation of these devices by using Virtual Local Area Networks (VLANs) should be considered when installing devices in a business setting.

Cybersecurity of Increasing Concern for Businesses

Because many incidents go unreported, real losses to U.S. manufacturing from cybercrime are difficult to assess. Even the most statistically reliable data is derived from a small survey of businesses conducted by the Bureau of Justice Statistics. According to a recent report from Douglas Thomas of NIST, estimated losses for all industries could be between 0.9% and 4.1% of total U.S. gross domestic product (GDP), or between $167.9 billion and $770.0 billion.

CVG Strategy Cybersecurity

As IoT devices continue to proliferate, they present challenges to even the smallest manufacturing concerns. Most manufacturers implement many such devices to control processes and gather critical data. Because of this, the risk they present should be taken into consideration by an effective Information Security Management System (ISMS). CVG Strategy can help your business implement ISO 27001 to exercise due diligence and compliance with contractual and regulatory data security. Contact us today to see how we can help.

Canada to Suspend Exports to Turkey


Foreign Affairs Minister Francois-Philippe Champagne has announced that Canada will suspend the export of arms to Turkey over concerns of human rights violations. Champagne stated on October 5, 2020 that “Canada continues to be concerned by the ongoing conflict in Nagorno-Karabakh resulting in shelling of communities and civilian casualties.” The suspension will allow Canada’s export regime to conduct an assessment of this situation.

Background on the Nagorno-Karabakh Conflict

The Nagorno-Karabakh region is composed primarily of ethnic Armenians, who have attempted to separate from Azerbaijan. This led to a war between Armenia and Azerbaijan from 1988 through 1994. Although a ceasefire has held between the two countries, no settlement has been reached over the Nagorno-Karabakh issue.

Officially, no nation currently recognizes Nagorno-Karabakh as an independent state. Recent resumptions of hostilities have raised concerns that a dramatic escalation of the conflict might ensue. During the latest Azerbaijani offensive more than 220 people have been killed.

Canadian Concerns of Turkish Involvement

Canada is concerned that Turkey may be involved in backing Azerbaijan by supplying technology in the conflict. Of special concern is the possible use of Canadian drone technology by Azerbaijani forces. Project Ploughshares, a Canadian peace institute, claims in a recent report that UAVs with Canadian-supplied WESCAM EO/IR sensors were used in recent airstrikes. Turkey may have also exported UAVs with these sensors to Libya.

Turkey has openly supported Azerbaijan in this conflict. It has, however, denied accusations of involvement in recent events. It has also claimed that Canada is employing double standards in its actions, citing Canada’s export of arms to countries with military involvement in Yemen.

Turkey has only recently imported Canadian military goods. In 2019 Turkey purchased over $150 million of defense goods, making it Canada’s third largest customer.

Canada’s Next Move

Following the announcement that Canada will suspend arms exports to Turkey, Prime Minister Justin Trudeau has requested Champagne to work with European allies on the escalation of military action in the area. It has called upon Armenia and Azerbaijan to negotiate through the Organization for Security and Co-operation in Europe.

The export of defense goods and technology is a complex issue given the number of international conflicts and potential conflicts. Canada has justifiable reasons for concern about its export policies regarding Turkey, though some might argue that this should have been conducted earlier.

Clearly Canada is not alone in its concern about the Nagorno-Karabakh conflict.  Russia, France, and the United States have called for cessation of hostilities in the region and have asked involved parties to resume negotiations.

CVG Strategy Export Compliance Consultants

Negotiating the export of goods requires constant diligence from businesses in both Canada and the United States. CVG Strategy has over a decade of experience helping organizations develop and maintain effective export compliance programs. Our experts can help you with both U.S. and Canadian export law.

We provide export control classification, program audits, and export compliance team training.  We also offer a wide variety of ITAR signs, badges and accessories to defense goods suppliers that help ensure facility security.