New NIST recommendations offer voluntary activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers.
The National Institute of Standards and Technology (NIST) has published a second draft of its recommendations for Internet of Things (IoT) device manufacturers.
In it, the federal agency asks manufacturers to work through a series of questions and assessments before commercialization, aimed at “reducing the prevalence and severity of IoT device compromises”.
The main highlights include:
- Identify expected customers and define expected use cases for IoT devices: This is the first point made by NIST, and it’s very important. By figuring out what the device will be used for, where it will be used, and what it will be connected to, the manufacturer may be able to identify the weak spots and shore them up before sale.
- Research customer cybersecurity goals: This follows on from the first point, identifying weak spots before the device ships. NIST asks how the device will interact with the physical world, how it will be accessed, who will monitor it, what data it will hold, and what regulations it must follow. California recently enacted a state law for IoT security, and we can expect more states and countries to do the same this year.
- Determine how to address customer goals: Having identified the external threats, device manufacturers should look at strengthening on-board security, covering device identification, configuration, data protection, logical access restrictions, and software and firmware updates.
- Define approaches for communicating with customers: Once a product is on sale, manufacturers need to be able to communicate with customers about any issues. NIST recommends that manufacturers make the information as easy as possible to understand and access.
- Decide what to communicate to customers and how to communicate it: One of the biggest worries buyers have is that their device will lose all functionality once the manufacturer ends support. NIST recommends that the manufacturer be clear with customers about how long it intends to provide support and what functionality the device will retain after support ends.