NIST report presents overview of international cybersecurity standardisation for IoT
The National Institute of Standards and Technology in the US recently released an interagency report on cybersecurity for the Internet-of-Things (IoT).
The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in December 2015 by the National Security Council's Cyber Interagency Policy Committee. The purpose of the IICS WG is to coordinate on major issues in international cybersecurity standardisation and thereby enhance U.S. federal agency participation in international cybersecurity standardization.
The Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) examines the current state of international cybersecurity standards development by voluntary consensus standards bodies for IoT.
The Report is meant to inform and enable policymakers, managers, and standards participants as they seek timely development of and use of cybersecurity standards in IoT components, systems, and services.
The Report notes that trustworthiness of IoT systems will require active management of risks for privacy, safety, security, etc. Traditional IT security focuses on CIA (confidentiality, integrity, and availability). As many IoT components interact with the physical world through sensors and actuators, IoT security is also connected to physical security involving threats to people, their objects, and their environment.
IoT also connects traditional Internet and mobile capabilities and industrial control systems, leading to risks for critical information infrastructure.
Traditional information systems generally prioritise Confidentiality, then Integrity, and lastly Availability, while control systems and IoT systems usually prioritise Availability first, then Integrity and lastly Confidentiality.
Risks and threats
Connected Vehicle (CV) technology is expected to enable vehicles, roads, and other infrastructure to communicate and share vital transportation information. CVs would be subject to physical safety, as well as privacy concerns.
V2V (vehicle-to-vehicle), V2I (vehicle-to-infrastructure), and V2X (combination of V2V and V2I) communications lead to an increased attack surface for connected cars.
In addition, users may connect and have access to their vehicles through their smartphones, and personal information on these components needs to be protected from unauthorised access through the vehicle. Similarly, the vehicle must be protected from threats that may come through the mobile device.
Potential safety-critical risks include driver distractions (volume, wipers, etc.) and engine shutoff or degradation. Internet connectivity in infotainment consoles has introduced threats to passenger safety as a result of intercommunications between vehicle controls and entertainment. Spoofed, manipulated, damaged, and missing sensors and actuators could cause vehicles to behave unpredictably.
For consumer IoT, ensuring the confidentiality, integrity, and availability of consumer data and services is the primary challenge. Hackers compromise the data integrity and operation of other electronic components on the same network, using the Consumer IoT device as a conduit. As connected IoT technologies extend their reach to consumer components critical to basic home functions (e.g., thermostat), cyber criminals could target them in ransomware attacks or other traditional cyberattacks directed to collecting highly-sensitive personal information.
Moreover, the rising popularity of connected consumer components also makes them ripe targets for criminals who seek to execute coordinated, widespread cyberattacks causing systemic harm across the Internet. A prominent example is the disruption of Domain Name System (DNS) provider Dyn and associated Internet services in October 2016.
The Report recommends that consumer components should use strong and readily updatable firmware and robust authentication practices, such as strong password requirements. Using encryption or a virtual private network (VPN) connection to the local network may provide protection against unauthorised eavesdropping and protect the login credentials of the IoT consumer components.
In addition to data security and privacy impacts, attacks on medical devices and the IT networks they connect may physically affect patients, causing illness, injury, or even death. This harm may stem from the performance of the device itself, impeded hospital operations, or the inability to deliver care.
Major security objectives in this area include: Protect patient safety from network originated inauthentic commands to actuators; Protect patient sensor data from tampering to allow correct algorithmic response; Protect medical device processing capability; Protect patient data where the data forms part of a treatment and monitoring regime; Protect patient information from unauthorized disclosure or modification; Ensure patient information is available to authorized entities when it is needed; Ensure prompt and secure patch delivery to medical devices; Ensure continuous security risk management throughout the device lifecycle.
Smart buildings may contain several sets of IoT components that each have their own security objectives, risks, and threats. Here the primary objective is preventing unauthorised access to any building control system and preventing a domino effect caused by the compromise of one system leading to the compromise of another. Robust modelling and testing are required to handle foreseeable situations.
There are several challenges with securing smart buildings. Interoperability between systems and components from different vendors could introduce weaknesses for an attacker to exploit. Once one system becomes compromised, it may serve as an avenue for an attacker to traverse laterally into another. Moreover, employees and visitors moving inside and around the building while carrying components connected to various networks introduce further vulnerabilities.
Industry 4.0 comprises a system built on automation, cyber-physical systems, cloud computing, and the Industrial Internet of Things (IIoT).
Challenges in this area arise from fundamental differences between IT and OT (operational technology). Organisational structures separate engineering, management and decision-making processes for enterprise business operations and the production environment. In recent decades, advanced technologies involving computer-based systems have been progressively integrated into manufacturing
Successful malicious actors could extort ransom from a company to release the system from their control, copy sensitive proprietary information that can be sold to other companies or other governments, or install software that can affect a product’s performance.
There have been state-sponsored efforts to infiltrate and steal information from companies involved in defence manufacturing.
Attackers who successfully penetrate the security systems in processes used to produce arms and equipment for the military may have the capability to alter or halt production processes to affect these items’ reliability, safety, or security, putting the lives of service personnel at risk.
Current standards landscape
The Report identifies several challenges in the development of standards for IoT cybersecurity.
Some IoT systems have direct connections to owner networks, while others directly connect to non-owner networks and some have direct connections to both.
IoT systems could comprise highly distributed IoT components that have a variety of owners or may effectively have no defined owner. Some IoT systems are intended for use by or association with a particular person or group of people, while others are autonomous.
IoT components sometimes are largely static. Their software cannot be updated and configuration cannot be changed as needed.
Some IoT components process data locally, while others have their data processed remotely, and some do both.
IoT components are also highly heterogeneous in terms of operating systems, network interfaces/protocols, functions, etc. Many IoT systems rely on proprietary protocols for data communication.
IoT systems are often deployed as part of highly dynamic systems and system environments. Many IoT systems do not provide centralised management capabilities for the owner, while many others can be remotely controlled by first parties (e.g., manufacturers).
Some IoT components are deployed in physically unrestricted locations. This could imply inability to provide physical security.
Annex D of the Report (page 63) presents a listing of international cybersecurity standards that the IoT Task Group has identified to be IoT relevant. The authors caution that it is not a complete list and it is also a one-time, static listing.
The standards have been organised by the eleven core areas of cybersecurity described in the Report: Cryptographic Techniques, Cyber Incident Management, Hardware Assurance, Identity and Access Management, Information Security Management Systems, IT System Security Evaluation, Network Security, Security Automation and Continuous Monitoring, Software Assurance, Supply Chain Risk Management and System Security Engineering.
In some areas standards are available, while in others standards have not been developed yet. Further development is required in certain areas. For instance, there are many cryptographic standards being used to protect data in transit and at rest and to provide for strong authentication. Many of these standards can support IoT systems. There are also standards developed specifically to support IoT systems. However, cryptographic techniques will need adjustments and innovations to accommodate the IoT. Scalability, performance, memory- and power-limited devices, and constrained communication channels pose cryptographic challenges in the context of IoT.
The Report also identifies possible gaps in standards; for example, the application of blockchain in cryptographic techniques, the inability to use software patches to fix flaws in cyber incident management and the requirement of new standards to address IoT networks that have the potential for spontaneous connections in the realm of network security.
The uptake of standards, even when available, has been slow. The Report notes that in view of the continuing, rapid innovation of IT, the inventory of IoT relevant cybersecurity standards will remain dynamic.
The Report recommends that agencies should further review possible standards gaps and work with industry to initiate new standards projects in SDOs to close gaps. The Report also says that agencies should support the development of appropriate conformity assessment schemes to the requirements in such standards. The type, independence and technical rigor of conformity assessment should be risk-based, taking into consideration the cost to the public and private sectors, including their international operations and legal obligations.