Illustration by Security Management

NIST Releases Draft Security Recommendations for IoT Devices

The National Institute of Standards and Technology (NIST) released draft security recommendations for Internet of Things (IoT) devices.

“This ‘Core Baseline’ guide offers some recommendations for what an IoT device should do and what security features it should possess,” said Mike Fagan, a NIST computer scientist and one of the guide’s authors, in a press release. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers.”

The guide complements NIST’s previous resource, Considerations for Managing Internet of Things Cybersecurity and Privacy Risks (NISTIR 8228), and provides best practices for mitigating risks to IoT security.

“IoT devices can provide tremendous benefits (e.g. smart medical devices), as well as a host of conveniences, like checking our refrigerator’s contents from the grocery store,” according to NIST. “They also create a new type of cybersecurity risk for a society that already suffers newsworthy hacks and data breaches on a regular basis. While a conventional computer might require a password entered from a keyboard, a network-capable coffee maker might have no keyboard at all—but would still appear on a home or office wireless network. This and countless other small electronic devices could be vulnerable to hacking if they do not possess security features that an owner understands and uses.”

Among the guide’s recommendations are requiring IoT devices to identify themselves when connected to networks; allowing authorized users to change devices’ software and firmware configurations; clarifying how the device protects the data it stores and transmits across the network; and requiring devices to log cybersecurity events.

“Securing devices is a group effort,” Fagan said. “The manufacturer has to supply options and software updates, and the user has to apply them. Both sides have roles to play.”

NIST is releasing the draft guide after years of critics raising concerns about the vulnerability of IoT devices and the impact they can have if compromised. For instance, thousands of IoT devices have been compromised in the past to conduct some of the largest DDoS attacks ever seen.

“There are more than 25 billion connected devices in use worldwide now, and the amount is expected to increase to 50 billion by 2020 as consumer goods companies, auto manufacturers, healthcare providers, and other businesses invest in IoT devices,” according to an analysis of Federal Trade Commission findings Security Management previously reported on. “But many of the devices already on the market are not designed with security in mind. Many do not allow consumers to change default passwords on the devices or patch them to prevent vulnerabilities.”

To improve the draft guide, NIST is hosting a workshop on 13 August 2019 on IoT security measures. Attendees must register by 6 August to reserve their spot. Comments received in this workshop will be used to shape the final guide after the public comment period ends on 30 September 2019.