If you’re looking to buy IoT devices, start looking for compliance with the NIST guidance…:
[…] NISTIR 8259 “Foundational Cybersecurity Activities for IoT Device Manufacturers” provides six activities that IoT manufacturers can use to inform primarily the manufacturing of new devices:
- Identify expected customers and users, and define expected use cases.
- Research customer cybersecurity needs and goals.
- Determine how to address customer needs and goals.
- Plan for adequate support of customer needs and goals.
- Define approaches for communicating to customers.
- Decide what to communicate to customers and how to communicate it.
Across these suggested activities, there is a definite emphasis on understanding the customer, including how the customer will interact with the device, how the customer can be informed of security features, and device security lifecycle considerations. Beyond technical measures, such as software, the customer is an integral piece of the proposed security solution – without customer understanding, advanced features and technical countermeasures may not be of much use.
NISTIR 8259A “IoT Device Cybersecurity Capability Core Baseline” provides six baseline device cybersecurity capabilities. These baseline elements are meant to be extensible and somewhat solution-agnostic in order to provide implementation flexibility. Device manufacturers would do well to review the provided rationales in light of the described cybersecurity capabilities to inform ultimate implementation decisions. The six provided device cybersecurity capabilities are:
- Device Identification
- Device Configuration
- Device Protection
- Logical Access to Interfaces
- Software Update
- Cybersecurity State Awareness