IoT Device Cybersecurity Guidance for Manufacturers

IoT Device Cybersecurity

The National Institute of Standards and Technology (NIST) has released baseline guidance for IoT device cybersecurity. Internet of Things (IoT) refers to computing devices that integrate physical and/or sensing capabilities and network interface capabilities. Providing security for these devices becomes more challenging as they become smaller, more prevalent, and more capable.

The Growth of IoT

IoT devices can be found in every sector of society. This is because IoT solutions are a cost-effective means of integrating connected devices. IoT devices include smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment. They can also be found in industrial controls technology, agriculture, military, and infrastructure applications.

IoT devices are functional, inexpensive, and easy to implement. As a result, there has been amazing growth in this market. Presently the global market value is in the trillions of dollars. It is estimated that 31 billion IoT devices will be installed around the world by the end of 2020.

IoT Device Core Baseline Cybersecurity

The NIST publication gives manufacturers recommendations for improving how securable the IoT devices they make are.   It provides six actionable items, four that should be conducted to assess pre-market impact, and two activities with primarily post-market impact.  Because these activities affect the process by which design specifications should be created, the document is primarily intended for the development of new devices.

Pre-Market Activities for Baseline IoT Security

IoT product manufacturers should consider the security of a product throughout its life cycle. This includes an examination of how the product integrates into the customer's probable usage and overall system requirements. Because these factors vary widely from product to product, the following steps should be conducted:

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals.
  4. Plan for adequate support of customer needs and goals.

IoT Considerations After Product Release

It is important to define methods for communicating cybersecurity risks and recommended protocols. These considerations should include a declaration of risk-related assumptions. It is important to remember that both the manufacturer and the consumer share a responsibility in implementing and maintaining security.

NIST has provided a list of six recommended security features that manufacturers should build into IoT devices.  These features should be considered when consumers are selecting a device.

  • Device Identification: The IoT device should have a unique identifier when connecting to networks. 
  • Device Configuration: An authorized user should be able to change the device’s configuration to manage security features.
  • Data Protection: The device should protect internally stored data. This can often be accomplished by using encryption.
  • Logical Access to Interfaces: The device should limit access to its local and network interfaces by using authentication of users attempting to access the device.
  • Software and Firmware Update: A device’s software and firmware should be updatable using secure protocols.
  • Cybersecurity Event Logging: IoT devices should log cybersecurity incidents and provide this information to the owner and manufacturer.

Additional Protective Steps

Because IoT devices often do not allow access to their built-in management tools, implementing IoT devices can provide access points into networks that contain sensitive data. Additionally, preventing unauthorized persons from accessing devices can be a challenge in large industrial settings. Therefore, segregation and isolation of these devices by using Virtual Local Area Networks (VLANs) should be considered when installing devices in a business setting.

Cybersecurity of Increasing Concern for Businesses

Because many incidents go unreported, real losses to U.S. manufacturing from cybercrime are difficult to assess. Even the most statistically reliable data is derived from a small survey of businesses conducted by the Bureau of Justice Statistics. According to a recent report from Douglas Thomas of NIST, estimated losses for all industries could be as high as 0.9% to 4.1% of total U.S. gross domestic product (GDP), or $167.9 billion to $770.0 billion.

CVG Strategy Cybersecurity

As IoT devices continue to proliferate, they present challenges to even the smallest manufacturing concerns. Most manufacturers implement many such devices to control processes and gather critical data. Because of this, the risk they present should be taken into consideration by an effective Information Security Management System (ISMS). CVG Strategy can help your business implement ISO 27001 to exercise due diligence and compliance with contractual and regulatory data security. Contact Us today to see how we can help.

Kevin Gholston
