
Workshop on Core IoT Cybersecurity Baseline

August 13, 2019

Follow the conversation on Twitter!

@NISTcyber #IoTBaseline

Note to Webcast Participants

• We will be using Sli.do to help facilitate questions and answers from remote participants

• To access Sli.do, visit www.slido.com and enter event code #IOTBASELINE

Agenda

9:00 – 9:20 Welcome Remarks

9:20 – 9:50 Overview of NIST Information Technology Lab’s work in IoT cybersecurity

9:50 – 10:15 Overview of Cybersecurity for IoT Program and background on Draft NISTIR 8259

10:15 – 11:15 Next Steps on the Road

11:15 – 11:30 Instructions for Breakouts

11:30 – 12:30 Lunch

12:30 – 2:30 Core Baseline Feedback Breakout

2:30 – 2:45 Break

2:45 – 3:30 Feedback Summary Panel

3:30 – 4:00 Closing remarks

Welcome Remarks

• Katerina Megas, Program Manager, Cybersecurity for IoT Program, NIST

• Jim St. Pierre, Deputy Director, Information Technology Laboratory, NIST

Overview of ITL’s work in IoT cybersecurity

• Kevin Stine, Chief, Applied Cybersecurity Division, NIST

• Mary Theofanos, Computer Scientist, Material Measurement Laboratory, NIST

Overview of Cybersecurity for IoT Program and background on Draft NISTIR 8259

• Katerina Megas, Program Manager, Cybersecurity for IoT Program, NIST

• Michael Fagan, Computer Scientist, Cybersecurity for IoT Program, NIST

The NIST Cybersecurity for IoT Program coordinates across NIST on IoT cybersecurity.

Research/Reports

• Mitigating IoT-Based DDoS/Botnet Report
• Vehicle-to-vehicle transportation
• Cybersecurity for Cyber Physical Systems
• Cybersecurity Framework
• Cybersecurity Framework Manufacturing Profile
• Cybersecurity for Smart Grid Systems
• Cyber Threat Information Sharing
• Lightweight Encryption
• Low Power Wide Area IoT
• Network of Things
• Report on State of International Cybersecurity Standards for IoT
• Security and privacy concerns of intelligent virtual assistants
• Security of Interactive and Automated Access Management Using Secure Shell (SSH)

Special Publications

• BLE Bluetooth
• Cloud security
• Digital Identity Guidelines
• Guide to Industrial Control Systems (ICS) Security
• RFID Security Guidelines
• Software Assessment Management Standards and Guidelines
• Supply Chain Risk Management
• Security Content Automation Protocol (SCAP) Standards and Guidelines
• Security Systems Engineering
• Conformity Assessment Considerations for Federal Agencies

Applied

• Galois IoT Authentication & PDS Pilot
• GSMA Trusted Identities Pilot
• National Vulnerability Database
• Projects at National Cybersecurity Center of Excellence (NCCoE), some examples:
  • IoT-Based Automated Distributed Threats
  • Capabilities Assessment for Securing Manufacturing Industrial Control Systems
  • Healthcare Sector Projects (Wireless Infusion Pumps, etc.)
• Privacy Engineering Program

No One Size Fits All

Each organization has its own risk tolerance and mission needs, and no one set of controls will address the wide range of cross-industry and cross-vertical needs and use cases. There is no one-size-fits-all approach to managing IoT cybersecurity risk.

Cybersecurity for IoT Program Principles

Ecosystem of Things

Recognizing that no device exists in a vacuum, NIST takes an ecosystem approach to IoT cybersecurity. For many devices, much of the functionality happens outside the device—not all the security is on the device itself. As such, we look at the entire ecosystem, not just endpoints.

Risk-Based Understanding

IoT capabilities, behaviors, deployment environments, and other characteristics can affect cybersecurity risk. Our approach to managing this risk is rooted in an understanding of how IoT can affect it.

Outcome-Based Approach

Embrace an outcome-based approach. Specify desired cybersecurity outcomes, not necessarily how to achieve those outcomes, which allows organizations to choose the best solution for each IoT device and/or their enterprise environment.

Stakeholder Engagement

NIST works with diverse stakeholders to advance IoT cybersecurity. This includes collaborating with stakeholders to provide the necessary tools, guidance, standards, and resources.

NISTIR 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks

NISTIR 8228 - Final version was published on July 31, 2019

• NIST received more than 25 sets of comments on the previous draft release from organizations including Amazon, Boeing, Chamber of Commerce, CTA, CTIA, ITI, Microsoft, Raytheon, Symantec, and many more.

• Approaches risk management from the organizational use of IoT, but what about the manufacturers of devices?

• Multiple existing efforts, domestic and international, were analyzed, and 15 common features were identified and included in the draft Appendix.

• Key takeaway and follow-on: continued engagement to develop a stand-alone cybersecurity baseline for IoT devices.

• In response to Executive Order 13800, issued by the President on May 11, 2017, DoC and DHS delivered a report to the President in May 2018 on the Resilience of the Internet against Botnet and other threats

• IoT security identified as a key underpinning component

• The Roadmap charts a path forward and sets out a series of tasks and deadlines laid out in the Report to the President

• The roadmap is a plan for coordinating efforts among government, civil society, technologists, academics, and industry sectors to develop a comprehensive strategy for fighting these threats.

• The roadmap is a starting point, and will likely identify new tasks as the work evolves.

A Roadmap Toward IoT Security

The Roadmap’s IoT Line of Effort lays out an action plan to establish a robust market for trustworthy IoT devices

[Roadmap figure: IoT Line of Effort tasks]

• 1.1 Define a Core Security Capability Baseline
• 1.1 Develop a Consumer/Home IoT Baseline
• 5.1 Explore Labelling for Consumer/Home IoT
• 5.1 Support Assessment Programs for Consumer IoT Devices
• 5.1 Implement Awareness Strategies for Trustworthy Home IoT Devices
• 5.5 Federal Support for Home IoT Devices
• 2.3 Develop Federal Baseline
• 2.3 Define Federal IoT Security Requirements
• 2.3 Specify Federal IoT Security Baseline
• 2.3 Establish Federal IoT Procurement Regulations
• 5.2 Develop Industrial Baseline(s)
• 5.2 Establish Assessment Program for IIoT Devices
• 5.2 Promote Adoption of Assessment Scheme by Critical Infrastructure
• 5.2 Explore Labeling or other Transparency Scheme for IIoT Devices
• 5.2 Support Awareness for Customers of IIoT
• 1.5: Enable Risk Management Approach to IoT Security (NISTIR 8228)
• 1.5: Publish Best Practices for IoT Device Manufacturers
• 1.2: Establish Globally Relevant IoT Standards
• 2.3: Identify Incentives for IoT Adoption of Security Standards

Identifying a core baseline of security capabilities for devices

1. Elaboration of features and informative references to further inform the meaning of the features. In the essay, they were too high-level.

2. Optional features for consideration, although some technology may not be currently available – e.g., stakeholders noted standards expected in the near future.

3. Other considerations for manufacturers of devices beyond the baseline items. This includes but is not limited to: device development and other pre-market business practices/processes; post-market business practices/processes.

4. Considerations in the baseline for device constraints, where adaptation may be appropriate. Some features, even at the high level, are not appropriate for all cases; devices that will/must be managed are also different from “unmanaged” devices.

Criteria to Assess Core Baseline Candidates

• Utility: How critical is the feature towards improving security?

• Verifiability: Can the manufacturer easily verify implementation of the feature in an IoT device?

• Feasibility: Are there roadblocks to implementing the feature: cost, complexity, interoperability?

NIST published an essay inviting stakeholder feedback to inform development of the Core IoT Baseline

Process for manufacturers to develop securable IoT devices

[Process diagram: Cybersecurity Feature Identification → Cybersecurity Feature Implementation → Cybersecurity Communication, with the Core Baseline feeding Feature Identification and Secure Development Practices for IoT Devices spanning all steps]

Next Steps on the Road

Moderator

• Ari Schwartz, Managing Director of Cybersecurity Services, Venable LLP

Panelists

• Patricia Adair, Director, Risk Management Group, US Consumer Product Safety Commission
• William Barker, Cybersecurity Standards and Technology Advisor, NIST
• Michael Bergman, Vice President, Technology & Standards, Consumer Technology Association
• Robert Cantu, Director, Cybersecurity, CTIA
• Kevin Moriarty, Attorney, Division of Privacy and Identity Protection, Federal Trade Commission

NISTIR 8259 defines a process manufacturers can use to develop inherently more securable IoT devices


First, manufacturers should identify the cybersecurity features their customers may need


Cybersecurity Feature Identification

Determine expected customers and use cases

• Who will use the device?
• How and where will they use it?

Understand customers’ cybersecurity wants and needs

• Device management
• Configurability
• Network characteristics
• Nature of device data created, stored, and/or used
• Level of access to devices when deployed

Core baseline is a starting point for feature identification

The Core Cybersecurity Feature Baseline is the set of features needed by a generic customer:

• The IoT device can be uniquely identified logically and physically.

• The IoT device’s software and firmware configuration can be changed, and such changes can be performed by authorized entities only.

• The IoT device can protect the data it stores and transmits from unauthorized access and modification.

• The IoT device can limit logical access to its local and network interfaces to authorized entities only.

• The IoT device’s software and firmware can be updated by authorized entities only using a secure and configurable mechanism.

• The IoT device can log cybersecurity events and make the logs accessible to authorized entities only.

When features are identified, their implementations should be considered


Feature Implementation

Should consider the device and its technical specifications

• Select or build a device with sufficient hardware resources to support the desired features
• Be forward-looking and size hardware resources for potential future use
• Use hardware-based cybersecurity features
• Disable unneeded features provided by hardware, firmware, and/or the operating system
• Do not force the use of features that may negatively impact operations
• Consider using an established IoT platform instead of acquiring and integrating hardware, firmware and supporting software components

Feature Implementation

Should consider where key elements of cybersecurity features may be inherited from other devices or aspects of the use case

• An IoT device intended for use in an environment with physical security controls in place
• An IoT device that is dependent on an IoT gateway or hub for its communications
• An IoT device fully contained within another IoT device

Once features are more thoroughly defined, attention should still be given to communication with customers


Cybersecurity Communication: Device & Features

Device cybersecurity features

• Which cybersecurity features the device provides
• How these features may affect risk
• Features the customer may expect the device to provide that are not provided, and why they are not provided

Device transparency

• Usable information on cybersecurity-related aspects of the device
• An inventory of the IoT device’s current internal software and firmware
• A list of sources of all of the IoT device’s software, firmware, hardware, and services
• Sufficient information on the IoT device’s operational characteristics
• A list of the functions the IoT device performs

Cybersecurity Communication: Support & Lifespan

Software and firmware update transparency

• If and when updates will be made available
• Circumstances under which updates will be issued
• Who will be responsible for performing updates
• Notification if installing an update may alter existing configuration settings
• Update availability and contents

Support and lifespan expectations

• Timeframe for the end of product support
• The timeframe for product end-of-life
• What functionality, if any, the device will have after support ends and at end-of-life

Decommissioning

• Provide sufficient information on whether the device can be decommissioned and how to decommission it

Throughout the process, secure development practices can inform and facilitate each step


Highlighted Secure Development Practices for IoT

NIST whitepaper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), can help guide IoT device manufacturers

• Ensure workforce has necessary skills to securely develop IoT devices
• Take steps to protect code & give customers ability to verify software integrity
• Take steps to reduce vulnerabilities in IoT devices
• Accept and respond to vulnerability reports

Instructions for Breakouts

After lunch, we will gather in 4 separate rooms based on the number written on your badge, but all rooms will focus on the same key questions:

• Is the proposed process in Section 3 for manufacturers to determine the cybersecurity features their devices should have appropriate and reasonable?

• Are the presented Core Features the right Features for a generic starting point? More, fewer, different Features?

• Are the Key Elements the right set of Key Elements? More, fewer, different Key Elements?

• Is the table of the Core Baseline helpful (formatting and presentation)?

• Are the communication considerations helpful for consumers and manufacturers?

• What would you recommend as next steps for the IoT program?

Lunch

Breakout rooms:

1. West Square
2. Heritage
3. Portrait
4. Lecture Room A

Lunch is available in the NIST Cafeteria

Please report to your assigned breakout room by 12:30 pm

Breakouts will last 2 hours, followed by a coffee break

Feedback From Breakout Sessions

Moderator

• Adam Sedgewick, Senior Information Technology Policy Advisor, NIST

Panelists

• Christine Abruzzi
• Joseph Drissel
• Matthew Barrett
• Matthew Smith

Thank you for your participation!

[Timeline figure, by quarter from 2019 through Q1 2021, milestones in order:]

• Kick off stakeholder engagement – release essay on Core Baseline
• RSAC and other stakeholder events
• NIST IoT workshop
• Publish draft for public comment
• Close 45-day comment period – Core Baseline
• Publish Final Core Baseline Document
• Publish Federal Baseline Draft
• NIST Federal Baseline Workshop
• Release for public comment
• Release Federal Baseline

Thank you for your participation!

• Access Draft NISTIR 8259, Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers at https://csrc.nist.gov/publications/detail/nistir/8259/draft

• Comments Due: September 30, 2019

• Email Comments to: iotsecurity@nist.gov

• Follow the conversation on Twitter using #IoTBaseline