NIST report states that IoT devices must be able to verify software, firmware, and information integrity in order to stay secure.
The world of Internet of Things (IoT) devices is vast and presents a wide range of security and privacy challenges for operators without a direct equivalent in the world of conventional IT, according to a US government report issued in late June.
The report, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” was prepared by the US Department of Commerce’s National Institute of Standards and Technology (NIST) to “help federal agencies and other organizations, better understand and manage the cybersecurity and privacy risks associated with their individual devices throughout the devices’ lifecycles.”
The sheer number and variety of IoT devices means that organizations may need to update their cybersecurity and privacy risk mitigation practices, according to the report. This is largely because IoT devices tend to be single purpose in nature, which may require organizations “to determine how to manage risk for hundreds or thousands of IoT device types.”
Cybersecurity measures “such as network-based intrusion prevention systems, antimalware servers, and firewalls, may not be as effective at protecting IoT devices as they are at protecting conventional IT,” the report states, adding that IoT devices also often use protocols that conventional IT cybersecurity and privacy controls can’t identify and can communicate directly with each other without using a monitored infrastructure network.
The report highlights some of the risks posed by these products, saying that “IoT devices with actuators have the ability to make changes to physical systems and thus affect the physical world. The potential impact of this needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. In a worst-case scenario, a compromise could allow an attacker to use an IoT device to endanger human safety, damage or destroy equipment and facilities, or cause major operational disruptions.”
According to NIST, IoT operators must understand how these devices work differently than traditional IT devices, how they handle data and privacy differently, and how cybersecurity controls placed on such devices can hinder their performance, including in ways that can affect the safety of systems operations.
The challenges are clear, so what does security for IoT devices entail? According to the report, safeguarding these devices requires protecting device security, data security, and individual privacy. These goals require preventing the device from being used as a gateway to attack the wider company network and stopping it from transmitting data and private user details.
When it comes to cybersecurity risks, the report states that operators must ensure “that the device can facilitate the detection of potential incidents by internal or external controls such as intrusion prevention systems, anti-malware utilities, and file integrity checking mechanisms.”
These mechanisms must be able to verify software, firmware, and information integrity, according to the report.
A major problem of IoT security is the fact that IoT products are closed systems. The buyer usually can’t add new cybersecurity programs to the device, and any and all cybersecurity software must be placed on the device by the vendor. What this means is that the end user (typically an IT security professional) must formulate a series of cybersecurity guidelines for their company’s devices and demand that these security measures be built into the product by the manufacturer.
Together, end users and vendors can create a system where more and more IoT devices hit the market with powerful cybersecurity protection such as control flow integrity and runtime integrity built into them. These measures can stop remote code execution attacks and must be coupled with sophisticating reporting mechanisms that can record attack attempts and extrapolate the data needed to improve security and stay a step ahead of hackers.
The mass adoption of IoT products is still in its early stages and it has the potential to change the very nature of industry and have a watershed effect on our daily lives. It is the responsibility of end users to adopt guidelines like those published last month by NIST, and to demand that vendors put IoT product cybersecurity front and center during the build process.
