Key Takeaways

1. The NIST IoT program enhances IoT security in response to growing cybersecurity risks.

2. The core principles of the NIST IoT guidelines emphasize a risk-based understanding, an ecosystem approach, an outcome-based strategy, recognition of diversity in solutions, and stakeholder engagement.

3. IS Partners specializes in guiding companies through the implementation of IoT guidelines, ensuring compliance and robust cybersecurity measures.

What is NIST IoT?

NIST IoT guidance is cybersecurity guidance developed to manage the use of IoT devices in organizations, created in response to the IoT Cybersecurity Improvement Act of 2020.

To fulfill these directives, NIST sought public input through position papers, feedback on draft documents, virtual workshops, and consultations with other federal agencies. It also reviewed existing federal guidance before developing an IoT device cybersecurity guidance program.

What Are NIST IoT Guidelines?

The NIST IoT guidelines are standards established under NIST SP 800-213 to help organizations integrate IoT devices into their existing information systems. The publication covers IoT devices with at least one transducer (sensor or actuator) for physical interactions and at least one network interface for digital connectivity. 

These devices can operate independently but may rely on other tools or systems, such as IoT hubs or cloud services, for certain functions. The guidelines aim to ensure IoT devices’ secure and effective integration into broader IT environments.

The accompanying guidance, NISTIR 8259, “Foundational Cybersecurity Activities for IoT Device Manufacturers,” guides manufacturers in improving the cybersecurity of IoT devices and also describes the non-technical supporting capabilities an organization may need alongside the device.

The NIST guidance outlines six key technical activities and three supporting activities that should be considered throughout the device’s cybersecurity lifecycle.

The six technical activities are:

  1. Secure Software Development. NIST highlights the need for secure coding practices, vulnerability testing, and secure software updates for IoT products.
  2. Device Identification and Configuration. IoT devices must be uniquely identifiable and configurable, with secure communication protocols and update capabilities.
  3. Logical Access to Interfaces. Implement strong authentication and authorization mechanisms to prevent unauthorized access to device interfaces.
  4. Device Configuration and Management. Ensure secure default configurations and lifecycle management for IoT devices, including updates and patches.
  5. Secure Communication. Use encrypted protocols to secure data transmission between IoT devices and systems.
  6. Risk Management. Identify, manage, and monitor risks associated with IoT devices throughout their lifecycle.

The three supporting activities linked to these technical activities are:

  • Stakeholder Engagement. Collaborate with government, industry, and academic stakeholders to enhance IoT cybersecurity and ensure device trustworthiness.
  • Standards and Guidelines Development. NIST creates standards and guidelines for secure IoT development, including software and configuration practices.
  • Cybersecurity Awareness and Training. Promote understanding and best practices for IoT security through awareness programs and training.

Why Were NIST IoT Security Guidelines Launched?

NIST initiated its Cybersecurity for the IoT program to enhance the security of consumer IoT devices, products, and connected systems. The goal is to create and implement standards, guidelines, and tools that improve the security of IoT systems and their environments.

This was in response to the President’s Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” issued on May 12, 2021. It tasked various agencies, including NIST, with improving cybersecurity, particularly focusing on the security and integrity of the software supply chain. 

Since December 4, 2022, agencies have been prohibited from using or procuring IoT devices that do not comply with NIST standards.

On September 19, 2022, NIST published NIST IR 8425, which outlines the IoT Core Baseline for Consumer Products based on pilot feedback.

This served as the final version of NIST’s recommendations for cybersecurity in consumer IoT products. Following this, on July 18, 2023, the White House introduced the “U.S. Cyber Trust Mark” as part of the Cybersecurity Labeling Program for Smart Devices to safeguard American consumers.

These measures exist because IoT devices are vulnerable to cyberattacks: they transfer large amounts of valuable and private data over the Internet, often operate undetected by standard cybersecurity systems, and frequently transmit data unencrypted, which makes IoT security crucial to preventing data breaches.

The guidelines, including NIST SP 800-213 and NIST Interagency Reports (NISTIRs) 8259B, 8259C, and 8259D, address the challenges raised by the IoT Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Act.

Together, these documents guide the federal government and IoT device designers in aligning with NIST’s cybersecurity standards for federal agencies that use IoT devices.

Ready to implement NIST guidelines without sifting through all the documents and resources? Yes, it’s possible. At IS Partners, our auditing team is well-versed in NIST IoT guidelines and can help you implement them quickly.

Schedule a call with us to learn more.

Which Entities Do the NIST IoT Guidelines Apply To?

The NIST IoT security framework applies to federal organizations that own or manage IoT devices connected to a federal information system. This includes systems used or operated by executive agencies, contractors, third parties, or other organizations acting on behalf of an official government organization.

To give you a clear picture, examples of the kinds of IoT devices in scope include:

  • Smart Speaker
  • Smart TV
  • Smart Alarm
  • Smart WiFi System
  • Smart Medical Devices
  • Smart Security
  • Smart Lock
  • Smart Watches

In addition, any other organizations that want to secure their use of IoT devices can comply with NIST IoT guidelines. Similar to the application of the NIST CSF, this program has a wide range of applications. 

What Are the Three Main Programs of NIST IoT?

The NIST IoT standards include three key programs to strengthen the cybersecurity of interconnected devices. These programs provide detailed guidance to help your company manage the challenges of integrating and maintaining software security. 

The three main programs of NIST IoT are the following:

NISTIR 8259

NISTIR 8259, “Foundational Cybersecurity Activities for IoT Device Manufacturers,” provides guidance for manufacturers to enhance the cybersecurity of IoT devices. It details six essential technical activities and three supporting activities to be integrated throughout the device’s cybersecurity lifecycle. 

NISTIR 8259A and 8259B

NISTIR 8259A, “IoT Device Cybersecurity Capability Core Baseline,” outlines the cybersecurity capabilities that IoT devices should have to ensure their security. This baseline represents the minimum standard for maintaining the IoT system’s security. Its companion, NISTIR 8259B, “IoT Non-Technical Supporting Capability Core Baseline,” covers the non-technical supporting capabilities (such as documentation and information sharing) that manufacturers provide alongside the device.

NISTIR 8259C (Draft)

NISTIR 8259C helps tailor cybersecurity requirements for IoT systems by using baseline frameworks like NISTIRs 8259A and 8259B. It explains how these frameworks can be adjusted to fit specific customers, applications, or environments. This customization process involves adding, changing, or removing requirements as needed. 

In addition, NISTIR 8259D provides a practical example of how to apply the NISTIR 8259C process.

Note: NIST Special Publication 800-82, “Guide to Industrial Control Systems (ICS) Security,” offers guidance on securing Industrial Control Systems. Although not specifically focused on IoT, its principles and recommendations are highly relevant due to the networked nature of modern industrial environments.

Principles of Cybersecurity for IoT Program

The main principle of cybersecurity for IoT programs is that no one size fits all. Just as each IoT device serves a unique purpose within its ecosystem, securing these devices must also be tailored to their specific contexts and requirements.

With this foundational understanding in mind, we discuss the five essential principles that underpin IoT cybersecurity guidance programs below.

Risk-Based Understanding

Understanding risk in IoT involves considering how IoT features can impact cybersecurity risks for both systems and organizations. For instance, if a company uses IoT devices to collect sensitive data, the risk of a data breach increases. 

NISTIR 8228 guides companies in applying the Risk Management Framework to address these risks. SP 800-213 offers further guidance on managing IoT-related risks.

Ecosystem of Things

Each IoT device operates within a larger system, so it’s necessary to consider the entire ecosystem, not just individual endpoints. For example, if a smart thermostat connects to a home network, the entire network’s security could be compromised if the thermostat is vulnerable.

NIST guidelines recommend that devices used for remote monitoring be protected from cyber threats to safeguard data and privacy, and that measures be put in place to protect critical infrastructure from cyber attacks that could disrupt operations or compromise safety.

Outcome-Based Approach

Taking an outcome-based approach means recognizing that different industries, verticals, and use cases may require varied solutions. Instead of prescribing specific methods, focus on defining desired outcomes and empowering providers and customers to select the best solutions for their unique devices and environments.

For example, consider the outcome of ensuring secure data transmission for IoT devices. While one manufacturer may achieve this through end-to-end encryption, another may opt for secure protocols. Both approaches achieve the same outcome of protecting data but offer flexibility in implementation.

No One-Size-Fits-All

When it comes to IoT management, there’s no one-size-fits-all solution. Different industries, verticals, and use cases require diverse approaches and solutions. For example, the difference between securing a smart healthcare device that holds health information and securing a connected car is enormous.

The NISTIR 8259 series recognizes this diversity and recommends six key activities for manufacturers throughout the IoT product life cycle. These activities help ensure that IoT devices are built with security in mind from start to finish.

To further tailor these recommendations, profiles of baseline recommendations have been created for different industries, use cases, and types of devices. For example, the cybersecurity needs of a medical IoT device may differ significantly from those of a smart home appliance.

Stakeholder Feedback & Engagement

Engage stakeholders from various backgrounds to discuss tools, guidance, standards, and resources. Experts, policymakers, and industry representatives should be involved in discussions about any IoT cybersecurity profile.

Ready to comply with NIST IoT guidelines but need more time to go through all the principles mentioned in the above section? IS Partners can assist. Our auditing team is proficient in NIST IoT guidelines and can help you implement them in no time.

Mitigating Risks Through Proper Assessments and the NIST IoT Guidelines

Companies can effectively mitigate risks associated with IoT devices by conducting thorough risk assessments and aligning with the NIST IoT cybersecurity guidelines. The first step in mitigating IoT risks is to conduct a comprehensive risk assessment.

This step is multi-tiered and follows a structured approach:

  • Prepare for the assessment. Establish the context and scope, identify assumptions and constraints, and determine information sources.
  • Conduct the assessment. Identify threat sources and events, vulnerabilities, and potential impacts. Determine the likelihood and level of risk.
  • Communicate the results. Document and report the risk assessment findings to stakeholders and decision-makers.
  • Maintain the assessment. Monitor risk factors and update the assessment as needed based on changes.

After identifying risks through the assessment process, companies can mitigate them by implementing the NIST IoT cybersecurity guidelines. Based on the guidelines, organizations can address identified risks through the following steps:

  1. Asset identification. Maintain an up-to-date inventory of all IoT devices and their relevant characteristics.
  2. Access control. Implement strong authentication and authorization mechanisms to prevent unauthorized access.
  3. Data protection. Use encryption to protect data at rest and in transit and ensure secure storage and disposal.
  4. Incident detection. Monitor IoT devices and systems for anomalies and potential security incidents.
  5. Vulnerability management. Regularly scan for and patch known vulnerabilities in IoT devices and their software/firmware.
  6. Security updates. Ensure IoT devices can receive timely security updates throughout their lifecycle.
  7. Secure default configuration. Ship IoT devices with secure default settings and disable unnecessary features.
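As an added illustration (not code from IS Partners or NIST), the following Python helper ties the assessment steps above to the seven mitigation steps: it records each device in an inventory, flags which mitigations are missing, derives a qualitative likelihood from the number of gaps, and combines it with impact through a 3x3 matrix. The device attributes, the 90-day patch window, the likelihood rule, the matrix, and the sample devices are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")

@dataclass
class IoTDevice:
    name: str
    inventoried: bool            # step 1: listed in the asset inventory
    default_creds_changed: bool  # step 2: factory credentials replaced
    encrypts_in_transit: bool    # step 3: TLS or equivalent on the network interface
    monitored: bool              # step 4: logs reach a monitoring system
    last_patch_days: int         # step 5: days since the last firmware patch
    update_capable: bool         # step 6: can receive signed security updates
    unused_services: list = field(default_factory=list)  # step 7: exposed but unneeded

# Map each of the seven mitigation steps to a check on the device record.
# The 90-day patch window is an assumed policy value, not a NIST figure.
CHECKS = [
    ("asset identification", lambda d: d.inventoried),
    ("access control", lambda d: d.default_creds_changed),
    ("data protection", lambda d: d.encrypts_in_transit),
    ("incident detection", lambda d: d.monitored),
    ("vulnerability management", lambda d: d.last_patch_days <= 90),
    ("security updates", lambda d: d.update_capable),
    ("secure default configuration", lambda d: not d.unused_services),
]

def gaps(device):
    """Mitigation steps the device does not yet satisfy."""
    return [step for step, ok in CHECKS if not ok(device)]

def risk_level(likelihood, impact):
    """Qualitative risk from an assumed 3x3 likelihood x impact matrix."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "low" if score <= 1 else "moderate" if score == 2 else "high"

def assess(device, impact):
    """Likelihood grows with the number of missing mitigations (assumed rule)."""
    missing = gaps(device)
    likelihood = "low" if not missing else "moderate" if len(missing) <= 2 else "high"
    return {"device": device.name, "gaps": missing, "likelihood": likelihood,
            "impact": impact, "risk": risk_level(likelihood, impact)}

# Constructed sample inventory (not real devices), paired with assessed impact.
INVENTORY = [
    (IoTDevice("lobby-camera", True, False, False, False, 400, True, ["telnet"]), "high"),
    (IoTDevice("hvac-thermostat", True, True, True, True, 30, True, []), "low"),
]

if __name__ == "__main__":
    for device, impact in sorted(INVENTORY, key=lambda p: -len(gaps(p[0]))):
        print(assess(device, impact))  # highest-gap devices first, for reporting
```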

With the help of expert auditing firms, like IS Partners, organizations can effectively apply the NIST IoT guidelines based on identified risks. The process can be streamlined by employing our services as we provide concrete risk assessments that can be seamlessly integrated with the NIST IoT mitigation strategies. 

Implement NIST IoT Guidelines with IS Partners

As IoT devices become more common and integrate AI and machine learning, they bring both benefits and risks to various sectors.

To combat this, NIST has developed strong guidelines prohibiting United States government agencies or other businesses from using or procuring IoT devices that do not comply with NIST standards.

Understanding and adapting to these changes can be tricky, especially if you’re not in tech. That’s where the IS Partners’ auditing team comes in. We specialize in guiding companies like yours through the latest NIST-specific guidance, ensuring you understand what’s needed and how to implement it. 

From start to finish, we’re here to help you build strong security measures that fit your business. IS Partners highlights the NIST IoT guidelines and discusses how a company can mitigate its risk through a risk assessment aligned with the guidelines themselves.

Let’s work together to keep your operations safe and secure with the best NIST recommendations. Contact us today to find out how we can help.
