Workshop Shines Light on Role of Standards in Cybersecurity for IoT
What do Chief Product Security Officers (CPSOs) want to make their job easier? As it turns out, standards. This insight was one of many shared at a public virtual workshop NIST held June 22, 2022, to discuss the next steps for the Cybersecurity for the Internet of Things (IoT) program.
As we move forward in developing cybersecurity guidance for IoT products, NIST remains committed to an open and transparent process that builds on input from stakeholders, including industry and the broader public. Our June 22 workshop explored specific considerations around cybersecurity in IoT products, which have broad applicability across sectors, including consumer products. As Kevin Stine, Chief of the Applied Cybersecurity Division, pointed out, transparency and an open process lead to greater trust, and trust in IoT is essential to the technology’s ability to reach its full potential.
Katerina Megas, Program Manager for the Cybersecurity for IoT Program, kicked off the workshop, which featured keynote addresses from two industry representatives: David Barzilai, Vice President for Sales & Marketing and Co-Founder of Karamba Security, and Jasyn Voshell, Director of Product and Solutions Security at Zebra Technologies.
Karamba Security recently surveyed CPSOs and their equivalents to better understand their biggest challenges. They found that standards and regulations are very useful to CPSOs because it is so difficult for manufacturers to ensure that security practices are employed all along their lengthy supply chains. Barzilai explained how the auto industry is driving change in this area, creating a lifecycle framework with mandatory processes. Original equipment manufacturers (OEM) are ultimately responsible for the final products. OEMs must be able to show regulators that cybersecurity requirements have been met throughout the supply chain and must address critical issues prior to production.
Zebra Technologies provides an array of IoT and IT products, including mobile products, for a broad range of industries. As the company’s director of Product and Solutions Security, Voshell guides the efforts of development teams across multiple business units. His mantra, “Secure by Design, Secure in Use, and Secure Through Trust,” is supported by mechanisms that include maturity models and standards, such as the Software Assurance Maturity Model (SAMM). He pointed out that although the roles of the CPSO and CISO are related, the respective domains of product security and security of business operations are distinct.
In addition to the keynote addresses, the workshop featured three panel discussions led by NIST’s own Jeff Marron, Michael Fagan, and Kevin Brady. The following are some of the ideas shared during the discussions. This is by no means a comprehensive list – a recording of the workshop is available here.
Panel 1: What’s next for the consumer IoT baseline: Considerations we heard for the Consumer IoT Cybersecurity Criteria
- There is support for including the entire IoT product in the scope of the criteria and support for the outcome-oriented presentation.
- There is an understanding of the growing convergence of IoT cybersecurity standards internationally and of the need for worldwide cooperation and mutual recognition of conformance assessment.
- IoT product developers rely on global supply chains, against which it is difficult to enforce security requirements. Increasingly, organizations view the availability of software bills of materials (SBOMs) as a necessary component of cybersecurity risk management.
- We need security labels to incorporate a “live” aspect that can be kept up-to-date to reflect the current state of a product.
- It is important to tailor documentation to the needs of the intended audience.
Panel 2: Product cybersecurity strategy: How do cybersecurity requirements fit into IoT product development?
- IoT spans a broad and continually expanding variety of use cases, and nearly all are characterized by ever-increasing connectivity among IoT product components and growing customer expectations of greater responsiveness and security.
- Risk assessment is a challenge for manufacturers and customers. The challenge is increased by supply chain security concerns and the frequency of changes in the underlying implementation of hardware and software components and back-end services.
- The ability to assess risk is further challenged when IoT products are used or interconnected in unexpected ways and when manufacturers lack methods to notify customers when they are using IoT products in unsupported ways.
- Cybersecurity requirements are important to organizations using IoT products because they must be able to meet their legal requirements. Customer awareness of cybersecurity concerns is growing, but it is not a driver for IoT manufacturers.
- Long-term support and operation of IoT products is a significant concern.
Panel 3: The S in NIST: Using standards to support product cybersecurity outcomes
- The NIST IoT cybersecurity criteria provide a baseline, described by a panel member as an “anchor,” that other, more sector- or application-specific standards can point to. Those more specific standards, in turn, are useful for conformity assessment. Manufacturers would prefer fewer standards to simplify their conformance activities.
- Mapping among standards is valuable but challenging. Standards are written at different levels of specificity, and there is a lack of structured language used in the construction of different standards.
Send Us Your Feedback
We thank all of the workshop participants and attendees for a lively and interesting discussion. We will be publishing a workshop summary report soon. In the meantime, if you have feedback on the event, please send comments to iotsecurity [at] nist.gov. Comments on our recently released draft documents are due July 31, 2022.