WorkshoponCoreIoTCybersecurityBaseline

August13,2019

FollowtheconversationonTwitter!

@NISTcyber#IoTBaseline

NotetoWebcastParticipants

• WewillbeusingSli.do tohelpfacilitatequestionsandanswersfromremoteparticipants

• ToaccessSli.do,visitwww.slido.com andentereventcode#IOTBASELINE

Agenda9:00– 9:20WelcomeRemarks

9:20– 9:50OverviewofNISTInformationTechnologyLab’sworkinIoTcybersecurity

9:50– 10:15OverviewCybersecurityforIoTProgramandbackgroundonDraftNISTIR8259

10:15– 11:15NextStepsontheRoad

11:15– 11:30InstructionsforBreakouts

11:30– 12:30Lunch

12:30– 2:30 CoreBaselineFeedbackBreakout

2:30– 2:45Break

2:45– 3:30FeedbackSummaryPanel

3:30– 4:00Closingremarks

WelcomeRemarks

• KaterinaMegas,ProgramManager,CybersecurityforIoTProgram,NIST

• JimSt.Pierre,DeputyDirector,InformationTechnologyLaboratory,NIST

OverviewofITL’sworkinIoTcybersecurity

• KevinStine,Chief,AppliedCybersecurityDivision,NIST

• MaryTheofanos,ComputerScientist,MaterialMeasurementLaboratory,NIST

OverviewCybersecurityforIoTProgramandbackgroundonDraftNISTIR8259

• KaterinaMegas,ProgramManager,CybersecurityforIoTProgram,NIST

• MichaelFagan,ComputerScientist,CybersecurityforIoTProgram,NIST

Research/Reports• MitigatingIoT-BasedDDoS/BotnetReport• Vehicle-to-vehicletransportation• CybersecurityforCyberPhysicalSystems• CybersecurityFramework• CybersecurityFrameworkManufacturingProfile

• CybersecurityforSmartGridSystems• CyberThreatInformationSharing• LightweightEncryption• LowPowerWideAreaIoT• NetworkofThings• ReportonStateofInternationalCybersecurityStandardsforIoT

• Securityandprivacyconcernsofintelligentvirtualassistances

• SecurityofInteractiveandAutomatedAccessManagementUsingSecureShell(SSH)

SpecialPublications• BLEBluetooth• Cloudsecurity• DigitalIdentityGuidelines• GuidetoIndustrialControlSystems(ICS)Security

• RFIDSecurityGuidelines• SoftwareAssessmentManagementStandardsandGuidelines

• SupplyChainRiskManagement• SecurityContentAutomationProtocol(SCAP)StandardsandGuidelines

• SecuritySystemsEngineering• ConformityAssessmentConsiderationsforFederalAgencies

TheNISTCybersecurityforIoTProgramcoordinatesacrossNISTonIoTcybersecurity.

Applied• GaloisIoTAuthentication&PDSPilot• GSMATrustedIdentitiesPilot• NationalVulnerabilityDatabase• ProjectsatNationalCybersecurityCenterofExcellence(NCCoE),someexamples:

• IoT-BasedAutomatedDistributedThreats• CapabilitiesAssessmentforSecuringManufacturingIndustrialControlSystems

• HealthcareSectorProjects• WirelessInfusionPumps,etc.• PrivacyEngineeringProgram

NoOneSizeFitsAllEachorganizationhasitsownrisktoleranceandmissionneeds,andnoonesetofcontrolswilladdressthewiderangeofcross-industryandcross-verticalneedsandusecases.Thereisnoone-size-fits-allapproachtomanagingIoTcybersecurityrisk.

CybersecurityforIoTProgramPrinciples

EcosystemofThingsRecognizingthatnodeviceexistsinavacuum,NISTtakesanecosystemapproachtoIoTcybersecurity.Formanydevices,muchofthefunctionalityhappensoutsidethedevice—notallthesecurityisonthedeviceitself.Assuch,welookattheentireecosystem,notjustendpoints.

Risk-BasedUnderstandingIoTcapabilities,behaviors,deploymentenvironments,andothercharacteristicscanaffectcybersecurityrisk.OurapproachtomanagingthisriskisrootedinanunderstandingofhowIoTcanaffectit.

Outcome-BasedApproach

Embraceanoutcome-basedapproach.Specifydesiredcybersecurityoutcomes,notnecessarilyhowtoachievethoseoutcomes,whichallowsorganizationstochoosethebestsolutionforeachIoTdeviceand/ortheirenterpriseenvironment.

StakeholderEngagementNISTworkswithdiversestakeholderstoadvanceIoTcybersecurity.Thisincludescollaboratingwithstakeholderstoprovidethenecessarytools,guidance,standards,andresources.

NISTIR8228:ConsiderationsforManagingIoTCybersecurityandPrivacyRisksNISTIR8228- FinalversionwaspublishedonJuly31,2019• NISTreceivedmorethan25setsofcommentsfromorgsincluding

Amazon,Boeing,ChamberofCommerce,CTA,CTIA,ITI,Microsoft,Raytheon,Symantec,andmanymoreonpreviousdraftrelease.

ApproachesriskmanagementfromtheorganizationaluseofIoT,butwhataboutthemanufacturersofdevices?• Multipleexistingefforts,domesticandinternationalwereanalyzed,and

15commonfeaturesidentifiedincludedindraftAppendix.• Keytakeawayandfollow-on:continuedengagementtodevelopstand-

alonecybersecuritybaselineforIoTdevices.

• InresponsetoExecutiveOrder13800issuedbythePresidentonMay11,2017,DoCandDHSdeliveredareporttothePresidentinMay,2018ontheResilienceoftheInternetagainstBotnetandotherthreats

• IoTsecurityidentifiedasakeyunpinningcomponent• TheRoadmapchartsapathforwardandsetsoutaseriesoftasksanddeadlineslaidoutintheReporttothePresident

• Theroadmapisaplanforcoordinatingeffortsamonggovernment,civilsociety,technologists,academics,andindustry sectorstodevelopacomprehensivestrategyforfightingthesethreats.

• Theroadmapisastartingpoint,andwilllikelyidentifynewtasksastheworkevolves.

ARoadmapTowardIoTSecurity

TheRoadmap’sIoTLineofEffortlaysoutanactionplantoestablisharobustmarketfortrustworthyIoTdevices

1.1DefineaCoreSecurityCapability

Baseline

1.1DevelopaConsumer/HomeIoT

Baseline

5.1ExploreLabellingforConsumer/HomeIoT

5.1SupportAssessmentProgramsforConsumerIoTDevices

5.1ImplementAwarenessStrategiesforTrustworthyHomeIoTDevices

5.5FederalSupportforHomeIoTDevices

2.3DevelopFederalBaseline 2.3DefineFederalIoTSecurityRequirements

2.3SpecifyFederalIoTSecurityBaseline

2.3EstablishFederalIoTProcurementRegulations5.2DevelopIndustrialBaseline(s)

5.2EstablishAssessmentProgramforIIoTDevices

5.2PromoteAdoptionof

AssessmentSchemebyCritical

Infrastructure5.2ExploreLabelingorotherTransparencySchemeforIIoTDevices

5.2SupportAwarenessforCustomersofIIoT1.5:EnableRiskManagementApproachtoIoTSecurity(NISTIR

8228)1.5:PublishBestPracticesforIoTDevice

Manufacturers

1.2:EstablishGloballyRelevantIoTStandards

2.3:IdentifyIncentivesforIoTAdoptionofSecurityStandards

Identifyingacorebaselineofsecuritycapabilitiesfordevices

1. Elaborationoffeaturesandinformativereferencestofurtherinformthemeaningofthefeatures.Intheessay,theyweretoohigh-level.

2. Optional featuresforconsideration:althoughsometechnologymaynotbecurrentlyavailable– e.g.,stakeholdersnotedstandardsexpectedinnearfuture.

3. Otherconsiderationsformanufacturersofdevicesbeyondthebaselineitems:.Thisincludesbutisnotlimitedto:devicedevelopmentandotherpre-marketbusinesspractices/processes;post-marketbusinesspractices/processes.

4. Considerationsinthebaselinefordeviceconstraintswhenadaptionmaybeappropriate.Somefeatures,evenatthehigh-level,arenotappropriateforallcases;devicesthatwill/mustbemanagedarealsodifferentthan“unmanaged”devices.

CriteriatoAssessCoreBaselineCandidates

• Utility:Howcriticalisthefeaturetowardsimprovingsecurity?

• Verifiability:CanthemanufacturereasilyverifyimplementationoffeatureinanIoTdevice?

• Feasibility:Arethereroadblockstoimplementingthefeature:cost,complexity,interoperability?

NISTpublishedanessayinvitingstakeholderfeedbacktoinformdevelopmentoftheCoreIoTBaseline

ProcessformanufacturerstodevelopsecurableIoTdevices

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

NextStepsontheRoadModerator• AriSchwartz,ManagingDirectorofCybersecurityServices,VenableLLP

Panelists• PatriciaAdair,Director,RiskManagementGroup,USConsumerProduct

SafetyCommission• WilliamBarker,CybersecurityStandardsandTechnologyAdvisor,NIST• MichaelBergman,VicePresident,Technology&Standards,Consumer

TechnologyAssociation• RobertCantu,Director,Cybersecurity,CTIA• KevinMoriarty, Attorney,DivisionofPrivacyandIdentityProtection,

FederalTradeCommission

NISTIR8259definesaprocessmanufacturerscanusetodevelopinherentlymoresecurable IoTdevices

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

First,manufacturersshouldidentify thecybersecurityfeaturestheircustomersmayneed

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

Cybersecurity FeatureIdentification

Determineexpectedcustomersandusecases• Whowillusethedevice?• Howandwherewilltheyuseit?

Understandcustomers’cybersecuritywantsandneeds• Devicemanagement• Configurability• Networkcharacteristics• Natureofdevicedatacreated,stored,and/orused• Levelofaccesstodeviceswhendeployed

Corebaselineisastartingpointforfeatureidentification

TheIoTdevicecanbeuniquelyidentifiedlogicallyandphysically.

TheIoTdevice’ssoftwareandfirmwareconfigurationcanbechanged,andsuchchangescanbeperformedbyauthorizedentitiesonly.

TheIoTdevicecanprotectthedataitstoresandtransmitsfromunauthorizedaccessandmodification.

TheCoreCybersecurityFeatureBaselineisthesetoffeaturesneededbyageneric customer:

TheIoTdevicecanlimitlogicalaccesstoitslocalandnetworkinterfacestoauthorizedentitiesonly.

TheIoTdevice’ssoftwareandfirmwarecanbeupdatedbyauthorizedentitiesonlyusingasecureandconfigurablemechanism.

TheIoTdevicecanlogcybersecurityeventsandmakethelogsaccessibletoauthorizedentitiesonly.

TheCoreCybersecurityFeatureBaselineisthesetoffeaturesneededbyageneric customer:

Whenfeaturesareidentified,theirimplementationsshouldbeconsidered

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

FeatureImplementation

Shouldconsiderthedeviceanditstechnicalspecifications• Selectorbuildadevicewithsufficienthardwareresourcestosupportthe

desiredfeatures• Beforward-lookingandsizehardwareresourcesforpotentialfutureuse

• Usehardware-basedcybersecurityfeatures• Disableunneededfeaturesprovidedbyhardware,firmware,and/orthe

operatingsystem• Donotforcetheuseoffeaturesthatmaynegativelyimpactoperations• ConsiderusingestablishedIoTplatforminsteadofacquiringand

integratinghardware,firmwareandsupportingsoftwarecomponents

FeatureImplementation

Shouldconsiderwherekeyelementsofcybersecurityfeaturesmaybeinheritedfromotherdevicesoraspectsoftheusecase• AnIoTdeviceintendedforuseinanenvironmentwithphysicalsecurity

controlsinplace• AnIoTdevicethatisdependentonanIoTgatewayorhubforits

communications• AnIoTdevicefullycontainedwithinanotherIoTdevice

Oncefeaturesaremorethoroughlydefined,attentionshouldstillbegiventocommunicationwithcustomers

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

CybersecurityCommunication:Device&Features

Devicecybersecurityfeatures• Whichcybersecurityfeaturesthedeviceprovides• Howthesefeaturesmayaffectrisk• Featurescustomermayexpectthedevicetoprovidethatarenotprovided&

whynotprovidedDevicetransparency• Usableinformationoncybersecurity-relatedaspectsofthedevice• AninventoryoftheIoTdevice’scurrentinternalsoftwareandfirmware• AlistofsourcesofalloftheIoTdevice’ssoftware,firmware,hardware,and

services• SufficientinformationontheIoTdevice’soperationalcharacteristics• AlistofthefunctionstheIoTdeviceperforms

CybersecurityCommunication:Support&LifespanSoftwareandfirmwareupdatetransparency

• Ifandwhenupdateswillbemadeavailable• Circumstancesunderwhichupdateswillbeissued• Whowillberesponsibleforperformingupdates• Notificationifinstallinganupdatemayalterexistingconfigurationsettings• Updateavailabilityandcontents

Supportandlifespanexpectations• Timeframefortheendofproductsupport• Thetimeframeforproductend-of-life• Whatfunctionality,ifany,thedevicewillhaveaftersupportendsandatend-of-life

Decommissioning• Providesufficientinformationonwhetherthedevicecanbedecommissioned&

howtodecommissionit

Throughouttheprocess,securedevelopmentpracticescaninformandfacilitateeachstep

CybersecurityFeature

Identification

CybersecurityFeature

ImplementationCybersecurityCommunication

SecureDevelopmentPracticesforIoTDevices

CoreBaseline

HighlightedSecureDevelopmentPracticesforIoT

NISTwhitepaper,MitigatingtheRiskofSoftwareVulnerabilitiesbyAdoptingaSecureSoftwareDevelopmentFramework(SSDF),canhelpguideIoTdevicemanufacturers

• EnsureworkforcehasnecessaryskillstosecurelydevelopIoTdevices• Takestepstoprotectcode&givecustomersabilitytoverifysoftwareintegrity• TakestepstoreducevulnerabilitiesinIoTdevices• Acceptandrespondtovulnerabilityreports

InstructionsforBreakoutsAfterlunch,wewillgatherin4separateroomsbasedonthenumberwrittenonyourbadge,butallroomswillfocusonthesamekeyquestions:

• IstheproposedprocessinSection3formanufacturerstodeterminethecybersecurityfeaturestheirdevicesshouldhaveappropriateandreasonable?

• ArethepresentedCoreFeaturestherightFeaturesforagenericstartingpoint?• More,fewer,differentFeatures?

• AretheKeyElementstherightsetofKeyElements?• More,fewer,differentKeyElements?

• IsthetableoftheCoreBaselinehelpful(formattingandpresentation)?• Arethecommunicationconsiderationshelpfulforconsumersandmanufacturers?• WhatwouldyourecommendasnextstepsfortheIoTprogram?

LunchBreakoutrooms:

1. WestSquare2. Heritage3. Portrait4. LectureRoomA

LunchisavailableintheNISTCafeteria

Pleasereporttoyourassignedbreakoutroomby12:30pm

Breakoutswilllast2hoursandthenacoffeebreak

FeedbackFromBreakoutSessionsModerator• AdamSedgewick,SeniorInformationTechnologyPolicyAdvisor,NIST

Panelists• ChristineAbruzzi• JosephDrissel• MatthewBarrett• MatthewSmith

Thankyouforyourparticipation!

2019 2021Q4Q12019 Q2 Q3 Q4 Q1

2020 Q2 Q3

KickOffStakeholderEngagement– Releaseessayon

CoreBaselineRSACandotherstakeholder

events

NIST IoTworkshop

Publishdraftforpubliccomment

Close45daycommentperiod–CoreBaseline

PublishFinalCoreBaselineDocument

PublishFederalBaselineDraft

NISTFederalBaselineWorkshop

Releaseforpubliccomment

Release Federal Baseline

Thankyouforyourparticipation!• AccessDraftNISTIR8259,CoreCybersecurityFeatureBaselineforSecurableIoTDevices:AStartingPointforIoTDeviceManufacturersathttps://csrc.nist.gov/publications/detail/nistir/8259/draft

• CommentsDue:September30,2019

• EmailCommentsto:iotsecurity@nist.gov

• FollowtheconversationonTwitter using#IoTBaseline