
IoT Security Compliance and Enforcement

January 4, 2021

Introduction

Subsequent to our last blog post, the IoT Cybersecurity Improvement Act of 2020 was signed into law on December 4, 2020. The law requires the US National Institute of Standards and Technology (NIST) to publish IoT security standards and guidelines for IoT devices used within the US Federal Government.


Your Chance to Comment

NIST didn’t waste any time. On December 15th, they published draft guidelines which are open for public comment through February 12, 2021. The Press Release and Blog provide good background on NIST’s work in this area.

SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government, provides NIST’s view on IoT security, policy, and how to map it to existing risk management frameworks.

The NISTIR 8259D – Draft IoT Baseline for the Federal Government is the actual core baseline being proposed for agencies to evaluate when looking to place IoT devices on their networks.


Time for IoT Security to face the music

A full review of the proposed requirements of the 8259D Federal Profile would fill pages. So the tl;dr summary is that IoT devices will need to adopt the same basic security requirements and compliance practices that you see in traditional IT systems. For example:

  • Being able to uniquely identify a given device on the network, determine the version of firmware deployed, and securely update it
  • Modernizing and having fairly fine-grained control of the device’s security settings, user management, and authentication capabilities
  • Cybersecurity event identification, monitoring, notification (including audit logging)
  • ...and there are many non-technical requirements as well (think mandatory vulnerability disclosure program)

Judging by the devices we analyze today at ReFirm Labs, some of these security requirements will involve significant work by manufacturers. But these are basic things that have been required in IT systems for quite a while, so it shouldn’t be a high bar.


Forced Compliance

As we’ve said before, enforcing IoT security requirements and standards in the US Federal space will inevitably force adoption in other industries. In fact, NISTIR 8259C describes how NISTIR 8259D was developed, so the same process can be applied to Profiles in other industries.

IoT device manufacturers should track both technical & non-technical requirements to inform their product roadmaps. These requirements will increasingly become mandated across many industries and not just the US Federal Government.

IoT device operators should implement these standards sooner rather than later. Doing so demonstrates a commitment to implementing IoT standards and compliance best practices within their own organizations.


But These are Draft IoT Standards

Yes, they are drafts. Yes, it will take time for agencies to enforce them. And yes, those agencies will be able to implement compensating controls or justifications to work around IoT devices that don’t fully meet all these requirements. But agencies will need to report and justify why they put non-compliant, insecure IoT devices on their networks.

The writing is on the wall. The era of deploying poorly secured IoT devices with 10-year-old unpatched network services is coming to an end. The risks are too high.
