Although regulators seem to think all too often that cybersecurity is an after-thought for internet-connected device manufacturers, the National Institute of Standards and Technology (NIST) recognizes that as the Internet of Things (IoT) grows, so do cybersecurity risks. In March 2021, NIST published several key takeaways from a recent workshop that provide helpful guidance for IoT manufacturers so that they can be more pro-active in securing IoT devices.

NIST’s IoT cybersecurity considerations

NIST’s guidance includes:

  1. There is a need for secure IoT ecosystems: an ecosystem is only as strong as its weakest part. For example, if one unsecured IoT device allows unauthorized access to a WiFi network, all devices connected to that WiFi network are more vulnerable to security breaches. Therefore, manufacturers should strive to ensure a baseline security standard for all IoT devices.
  2. Consumer devices traditionally focus on design and usability at the expense of security. The assumption has been that consumers will not pay for security. However, NIST notes, many consumers have experienced the consequences of weak cybersecurity measures in connected devices (e.g., security breaches resulting in the compromise of sensitive information like baby or security camera video feeds) and are now selecting secure devices over less-secure ones.
  3. NIST identifies that there is a need for manufacturers to maintain IoT devices through their life cycle. The Federal Trade Commission (FTC) has regularly stated that manufacturers should have a business model that incorporates support for security patches for as long as the reasonably expected lifespan of the device. The FTC’s position is that manufacturers should continue to ensure security by monitoring threats to their devices and issuing patches and updates. One option is a subscription model that ensures ongoing support and infrastructure for IoT devices. Companies have begun to sell product maintenance services to IoT device manufacturers so that manufacturers can develop patches and the third-party services can distribute them and assist customers with applying them.
  4. Manufacturers, rather than consumers, should be tasked with ensuring adequate cybersecurity measures are in place. Consumers expect that IoT devices will meet minimum security standards by default, and asking consumers to take additional steps to ensure a device meets minimum security levels may create another vulnerability. Consumers may not have the technical expertise to understand and properly mitigate cybersecurity risks.
  5. Similarly, because patches are essential to ensuring ongoing security, consumers should not be required to manually implement them. Instead, the NIST guidance suggests that manufacturers should develop a common, simplified method to ensure continuing security by patching vulnerabilities automatically and by default.
  6. There is a need for ongoing consumer education about IoT cybersecurity. As these devices become more ubiquitous, especially in consumers’ homes, educating consumers about cybersecurity will be crucial to actual security.

Implications

The considerations that NIST identifies are not new. More troubling to regulators is that these same issues still remain years after they were first identified, even after efforts by the FTC and others to push IoT manufacturers to incorporate improved cybersecurity into their products and support processes. NIST may soon publish additional IoT cybersecurity standards based on this guidance, which will likely be used by regulators as a standard for reasonable security practices for IoT manufacturers. Therefore, IoT manufacturers should consider NIST’s guidance now, so that they are not playing catch-up by trying to bolt on security measures later.