NIST Official Warns Against Device-only Approach to Securing IoT

As federal agencies near a Congressional deadline to control their procurement of devices capable of connecting to the internet, a key official from the National Institute of Standards and Technology highlighted the role cloud services and other infrastructure providers—beyond the device manufacturers—play in mitigating cyberattacks that seek to exploit their connectivity. 

“The product is often more than just what [customers] have installed,” from a box they buy off the shelf, said Katerina Megas, who manages NIST’s program on cybersecurity for the internet of things. “Often there's a mobile app that controls access to the device, [that] lets you get access to the data on the device; it might let you turn it on and off. Often, that device is connected to the cloud.” 

Megas was speaking Tuesday at an event hosted by the American Enterprise Institute. She has led NIST’s production of a series of documents that together form guidance agencies must follow under the IoT Cybersecurity Improvement Act, a bipartisan bill that cleared Congress toward the end of 2020, accompanied by high praise from cybersecurity officials. 

Among the documents is a catalog of device capabilities agencies can use to inform their new procurement requirements, which Megas noted must be activated in December under the law. Agencies might want to consider requiring that vendors allow them to change the passwords necessary to access their devices, for example, according to the catalog.

In conjunction with the IoT Cybersecurity Improvement Act, NIST also references a set of documents—the 8259 series—which emerged from an executive order during the administration of President Donald Trump. That May 2017 order looked to create “resilience against botnets and other automated, distributed threats.” And it resulted in a roadmap that laid out roles and responsibilities for not just the device manufacturer, but also the enterprise end-users of the devices and the internet service providers, which supply the infrastructure that connects them to each other. 

“We have to make sure we don't lose sight of the fact how everything is interconnected,” Megas said. “We’ve always cautioned, ‘let's not just say that, you know, responsibility for cybersecurity is [only with] the manufacturers of the devices.’ It really is an ecosystem. You can't just expect the device to be secure, because it's so interconnected.”

The 2018 roadmap had buy-in from major industry stakeholders, including the telecommunications industry, which agreed on the importance of measures to secure internet routing systems, like the Border Gateway Protocol, in protecting against botnet attacks, wherein hackers can prompt the broad denial of services across a network by remotely controlling hijacked IoT devices.

But as other federal agencies call on the Federal Communications Commission to consider moving beyond voluntary initiatives for industry to address vulnerabilities in the routing system, the industry is opposing such regulation.

“Respect the Internet’s multistakeholder standards development process,” reads a Nov. 2 report from the Broadband Internet Technical Advisory Group, a nonprofit sponsored by internet service providers like Comcast and AT&T. “If regulation is considered, set goals rather than specifying technologies.” 

On stage with Megas during the AEI event, Brian Scriber, vice president of security and privacy technologies for CableLabs—a trade association for the cable industry—which provides devices like cable boxes, modems and routers, also took issue with an aspect of the NIST guidelines for agencies’ IoT procurement. 

The very first device capability listed in NIST’s catalog of potential requirements, is the ability for a device to identify itself. NIST saw the utility of device makers including something called a manufacturer’s usage description—or MUD—file in their products, in relation to an agency project called “device intent signaling.” 

“The device can send out a message to routers and say, ‘I am a light bulb … I shouldn't be talking to the thermostat in my house.’ This light bulb shouldn't be able to talk to other things,” Megas said, describing the project. 

Referencing the responsibilities of enterprise customers such as agencies, Scriber said, “[MUD] puts a weird onus on somebody else to solve a problem downstream,” adding, “there's not an economic driver to go back and necessarily update that device.” 

Megas defended MUD’s inclusion in NIST’s guidance, citing a similar document the agency has produced describing customer IoT responsibilities in connection with President Joe Biden’s executive order on cybersecurity. She stressed a need for stakeholders to embrace the concept of “defense in depth,” for effectively improving the cybersecurity of the internet of things through a comprehensive approach.