NIST Cybersecurity For IoT - NIST Computer Security

Transcription

NIST Cybersecurity for IoT
Katerina Megas, Program Manager, NIST Cybersecurity for IoT Program
ISPAB, 04 March 2021

The IoT Cybersecurity Program coordinates across NIST on IoT security

NIST is a non-regulatory agency and the technical arm of the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. In accordance with the Federal Information Security Modernization Act (FISMA), NIST develops information security standards and guidelines for federal information systems.

IoT cybersecurity related initiatives across NIST span Special Publications, Applied Research/Reports, Standards and Guidelines, and Projects, including:
- Bluetooth (BLE)
- Galois IoT Authentication & PDS Pilot
- Mitigating IoT-Based DDoS/Botnet Report
- Cloud security
- GSMA Trusted Identities Pilot
- Cybersecurity for Cyber Physical Systems
- Digital Identity Guidelines
- National Vulnerability Database
- Cybersecurity Framework
- Guide to Industrial Control Systems (ICS) Security
- Securing the Industrial IoT (IIoT)
- Cybersecurity Framework Manufacturing Profile
- IIoT-Based Automated Distributed Threats
- RFID Security Guidelines
- Cybersecurity for Smart Grid Systems
- Software Assessment Management
- Capabilities Assessment for Securing Manufacturing Industrial Control Systems
- Cyber Threat Information Sharing
- Lightweight Encryption
- Supply Chain Risk Management
- Security Review of Consumer Home IoT Products
- Low Power Wide Area IoT
- Security Content Automation Protocol (SCAP)
- Network of Things
- Security for IoT Sensor Networks
- Report on State of International Cybersecurity Standards for IoT
- Security Systems Engineering
- Healthcare Sector Projects
- ABCs of Conformity Assessment
- Wireless Infusion Pumps
- Security and privacy concerns of intelligent virtual assistants
- Conformity Assessment Considerations for Federal Agencies
- Securing Telehealth Remote Patient Monitoring Ecosystem
- Security of Interactive and Automated Access Management Using Secure Shell (SSH)
- Privacy Engineering Program
- Zero Trust Architecture Project
- Considerations for Managing IoT Cybersecurity and Privacy Risks
- IoT Device Network-Layer Onboarding
- Taxonomy
- Core Cybersecurity Feature Baseline for Securable IoT Devices
- Trustworthy Network of Things

Program Principles Guiding Our Efforts

Cybersecurity for IoT Program Principles:
- Risk-Based Understanding: Focus on how IoT characteristics affect system and organizational cybersecurity risk.
- Ecosystem of Things: No device exists in a vacuum, so look at the entire ecosystem, not just IoT endpoints.
- No One-Size-Fits-All: Allow for diversity of approaches and solutions across industries, verticals, and use cases.
- Outcome-Based Approach: Specify desired outcomes, and allow providers and customers to choose the best solutions for their devices and environments.
- Stakeholder Engagement: Collaborate with diverse stakeholders regarding tools, guidance, standards, and resources.

Key Events In the IoT Cybersecurity Program

NISTIR 8201 / NIST IR 8200 (Dec 2017). Takeaways from the Oct 2017 Colloquium:
- IoT did introduce new risks and challenges
- No one size fits all
- Would require an ecosystem approach
- Risk based understanding
- Outcome based

Botnet Report (May 2018); Botnet Roadmap (Nov 2018)

NISTIR 8228 (June 2019):
- Focuses on what is different about managing risks associated with the use of IoT
- Frames IoT risks and challenges in the context of implementation of SP 800-53 controls and the Cybersecurity Framework
- Customers dependent on security capabilities of IoT devices

NISTIR 8259 / 8259A (May 2020):
- Three public workshops, two public comment periods and over 600 comments
- Cybersecurity recommendations for IoT device manufacturers
- Activities for manufacturers to incorporate into the product development lifecycle
- Six core cybersecurity capabilities for IoT devices
- Lots of existing guidance applicable; focus on the gaps; provide guidance to help tie together all the guidance

Federal Profile Workshop (Jul 2020):
- Published on GitHub an analysis of SP 800-53 controls' dependencies on IoT device capabilities. Suggested this be a 'catalogue' for agency use.
- Takeaways: confirmed the device-centric approach is useful; confirmed that non-technical dependencies need to be identified; confidence mechanisms are desired for the market, but more discussions are required

Botnet Report Update (July 2020)

4 Public Drafts (Dec 2020):
- Non-Technical Supporting Activities Baseline recommended for all IoT device manufacturers
- NIST published the process NIST followed to adapt the baseline to the Federal agency use case
- Starting point for agencies in a Federal profile identifying the key capabilities likely needed to support agency implementation of the Low baseline
- Guidance for Federal Agencies with considerations for IoT risk in agency RMF processes and how to develop requirements for IoT devices leveraging the catalogue and Federal profile

IoT Cybersecurity Improvement Act (Dec 2020)

Existing NIST cybersecurity-related guidance is technology neutral and applicable to IoT

The Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Public Law (PL) 116-207) directs NIST to publish "standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices".

- NIST has developed cybersecurity-related guidance that is device-neutral and highly applicable to all IoT devices.
- IoT device cybersecurity should be addressed within a risk management hierarchy from the enterprise level through organization, system, and finally component level, where IoT devices are understood as system components with a distinctive set of risks.

Applicable guidance:
- Cybersecurity Framework
- Integrating Cybersecurity and Enterprise Risk Management
- NIST Risk Management Framework
- Security and Privacy Controls for Information Systems and Organizations
- Supply Chain Risk Management Practices for Federal Information Systems

In June 2020 we published a working description of IoT to frame our publication

NISTIR 8259 described IoT devices as having:
- At least one transducer for interacting directly with the physical world (e.g., a sensor or actuator), and
- At least one network interface for interfacing with the digital world (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB])

This is the definition used in U.S. Public Law 116-207, IoT Cybersecurity Improvement Act of 2020.

NIST published recommendations which can be used across a wide range of IoT devices in NIST IR 8259A (May 2020)

Program Principles:
- Risk-Based Understanding: Our approach to managing risk is rooted in an understanding of how IoT can affect cybersecurity.
- Ecosystem of Things: Recognizing that no device exists in a vacuum, NIST takes an ecosystem approach to IoT cybersecurity.
- Outcome-Based Approach: Specify desired cybersecurity outcomes, allowing organizations to choose the best solution for each IoT device.
- No One Size Fits All: There is no one-size-fits-all approach to managing IoT cybersecurity risk.
- Stakeholder Engagement: NIST works with diverse stakeholders to advance IoT cybersecurity.

Profiles can be developed building on the core baseline to define market- or vertical-specific needs.

Four new publications create a framework for profiling requirements for devices (figure: Previously Published; New Public Drafts)

Identified non-technical capabilities that might be broadly applicable and could be considered 'core'

NISTIR 8259A (May 2020), Technical Baseline (the six core device cybersecurity capabilities):
- Device Identification
- Device Configuration
- Data Protection
- Logical Access to Interfaces
- Software Update
- Cybersecurity State Awareness

Draft NISTIR 8259B (Dec 2020), Non-Technical Baseline:
- Documentation
- Information & Query Reception
- Information Dissemination
- Education & Awareness

Cybersecurity controls consist of People, Processes, and Technology.

Some examples of non-technical capabilities that a manufacturer can consider during IoT product development

NIST IR 8259D profiles and adapts the Core Baseline in 8259B to Federal agency needs

NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. The Federal Profile provides a starting point for agencies to consider as they identify requirements for IoT devices.

Step 1. Primary Source Documents

Step 2. Assess How Documents Support Device Centricity
- Many documents are at the organization/system level
- Extract device-centric requirements implied by organization-level documents
- Most documents are device neutral
- Cybersecurity-focused documents selected
- Minimal Securability: focus on the Low impact baseline from NIST SP 800-53B, Control Baselines for Information Systems and Organizations

Step 3. Apply the Three Concepts to Source Documents

Device Centricity:
- Elaborated on the core baseline and non-technical baseline with a catalog of device-centric, cybersecurity-focused capabilities that would typically be needed by federal government organizations to implement 800-53 controls
- Identified a cluster of capabilities which did not fit within the core technical baseline
- Focus on device capabilities needed for cybersecurity

Minimal Securability:
- Using the controls from the low-impact RMF baseline from SP 800-53B as guidance, device cybersecurity capabilities and non-technical supporting capabilities were selected from the catalog for inclusion in the federal profile

We identified an additional technical capability for IoT devices

Device Securability: The IoT device can operate securely by protecting its hardware and software integrity and securely utilizing system resources, managing communications, and executing code.

Draft Special Publication 800-213 provides guidance for federal agencies to consider as they establish requirements

SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. When agencies determine that the risk or type of device requires additional controls beyond minimal securability, or modification, agencies should consult the IoT Device Security Capabilities Catalogue to select additional capabilities to require of the device.

Profiling: Process For Applying The Baselines

NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline

NIST rolled out the first OLIR mapping of NIST recommendations to a standard; more to come.

NIST is mapping NCCoE projects' implementation guidance to NIST recommendations for capabilities in IoT devices:
- Securing Telehealth Remote Patient Monitoring
- Consumer Home IoT Product Security
- Mitigating IoT-Based DDoS
- Protecting Information and System Integrity in Industrial Control Systems
- Securing Wireless Infusion Pumps
- Securing Picture Archiving and Communication System
- Securing Property Management Systems
- Security for 5G
- Securing the Industrial IoT: Distributed

NIST is expanding work on key areas

Consumer devices, applying the guidance in NIST IR 8259:
- Updates to NIST IR 8267, Security Survey of Consumer Home Internet of Things (IoT) Products
- Workshop on Cybersecurity Risks in Consumer Home IoT Products (October 2020)

Confidence mechanisms for the marketplace:
- A white paper: "We want to have confidence in the security of IoT Devices: How to get there?"
- (figure: Standards, CA Process, Conformance; "plug-n-play to the internet")

Next steps

Held a public webinar and a number of roundtable discussions with stakeholders before the close of the public comment period. Public comments closed: February 26, 2021.

Preliminary high-level themes in comments:
- What is the risk of adding an IoT device to a government network? Various views of how this risk should be characterized.
- Various views on the problem of fragmentation: market fragmentation; policy fragmentation; different agencies defining IoT cybersecurity requirements differently.
- Many IoT devices are too constrained to be able to support the requirements, precluding use of large numbers of IoT devices by government.
- Templates of requirements for different types of devices are needed; call to make distinctions among device "types".

Tentative public workshop: April 2021

Have a question or an idea? We want to hear from you!

We're always accepting thoughtful feedback at iotsecurity@nist.gov, @NISTcyber, #IoTSecurityNIST. We welcome your written feedback.
-iot-program


Federal Profile: A Worked Example

NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government

Guidance for Federal Agencies

SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements

Agenda
- Background on the NIST ITL & the Cybersecurity for IoT Program
- Review Program History
- Published Guidance
- Draft Guidance
- Next Steps


Core Principles Guide the Program Efforts

Cybersecurity for IoT Program Principles:
- Risk-Based Understanding: IoT capabilities, behaviors, deployment environments, and other characteristics can affect cybersecurity risk. Our approach to managing this risk is rooted in an understanding of how IoT can affect it.
- Ecosystem of Things: Recognizing that no device exists in a vacuum, NIST takes an ecosystem approach to IoT cybersecurity. For many devices, much of the functionality happens outside the device; not all the security is on the device itself. As such, we look at the entire ecosystem, not just endpoints.
- Outcome-Based Approach: Embrace the Cybersecurity Framework's outcome-based approach. Specify desired cybersecurity outcomes, not necessarily how to achieve those outcomes, which allows organizations to choose the best solution for each IoT device and/or their enterprise environment.
- No One Size Fits All: Each organization has its own risk tolerance and mission needs, and no one set of controls will address the wide range of cross-industry and cross-vertical needs and use cases. There is no one-size-fits-all approach to managing IoT cybersecurity risk.
- Stakeholder Engagement: NIST works with diverse stakeholders to advance IoT cybersecurity. This includes collaborating with stakeholders to provide the necessary tools, guidance, standards, and resources.

NISTIR 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks

Discusses how IoT may affect risk and where expectations of customers and challenges may exist when applying existing risk management frameworks.

Protect Device Security:
- Asset Management
- Vulnerability Management
- Access Management
- Device Security Incident Detection

Protect Data Security:
- Data Protection
- Data Security Incident Detection

Protect Individuals' Privacy:
- Information Flow Management
- PII Processing Permissions Management
- Informed Decision Making
- Disassociated Data Management
- Privacy Breach Protection

Appendix A identifies where capabilities on the device could address some of the challenges.

Risk management frameworks exist for the organization using IoT devices: what about the manufacturer?

(figure) Cybersecurity Framework and Risk Management Framework apply to Information and Operational Systems (where IoT Devices are integrated). Manufacturers/Producers supply Products: IoT Devices to Consumers (Individual or Enterprise).
