
The National Institute of Standards and Technology (NIST) has published its initial draft of updated cybersecurity guidelines for Internet of Things (IoT) manufacturers which includes a wider scope of products and more post-market considerations.
NIST’s draft update includes seven recommendations of foundational cybersecurity practices that the agency said manufacturers should take to secure their IoT products. Four of the practices focus on the pre-market stage of product development and three focus on post-market launch.
“This revision marks a pivotal change to addressing the full IoT product scope as well as broadening consideration of maintenance, support and end of life considerations for IoT products,” reads NIST’s draft update.
In its additional material on post-market cybersecurity, NIST noted the obligation of manufacturers to support product cybersecurity through end-of-life, define and plan approaches to communicate with customers, and decide what and how to communicate with customers.
“Manufacturers of IoT products will at some point market and sell their product, which will put it in the hands of customers and initiate the manufacturing post-market phase,” wrote NIST. “Even in this phase, manufacturers continue to have a role in supporting IoT products and the customers’ cybersecurity needs and goals … These foundational cybersecurity activities may benefit customers and their ability to secure products throughout their life.”
Some post-market actions that manufacturers should take, according to the draft, include: vulnerability remediation via software updates; prioritizing action on vulnerability and bug reports from the public; having integrators maintain awareness of known issues with IoT products; and making information available to customers of IoT products.
NIST added that end-of-life planning is necessary for when IoT products are no longer useful and explained that when “customers will seek to remove replace these products,” they may “have cybersecurity implications.”
The draft update also provides insight into better communication with customers, saying that “an often overlooked aspect of both marketing and the post-market phase is communication related to cybersecurity,” and that customers “will benefit from manufacturers clearly communicating about the cybersecurity of their products.”
NIST noted that while post-market practices “intended to help the securability of IoT products after or as they are sold” are important, they “should be planned for during the pre-market phase.”
The draft update also addresses the wide range of IoT products and their interoperability, defining IoT products as those that are “comprised of a single IoT device and nothing else,” or “comprised of the IoT device and additional IoT product components.”