The National Institute for Standards and Technology (NIST) released a draft interagency report to establish a core baseline guide for cybersecurity that manufacturers may adopt for Internet of Things (IoT) devices they produce.
The baseline guide will provide manufacturers with information on how to identify and implement features most appropriate for their customers. NIST states that although the baseline guide is aimed at manufacturers, it can be used by anyone who might link IoT devices to the internet.
“This ‘Core Baseline’ guide offers some recommendations for what an IoT device should do and what security features it should possess. It is aimed at a technical audience, but we hope to help consumers as well as manufacturers,” said NIST computer scientist Mike Fagan, who helped author the guide.
The core baseline guide is not a set of rules and standards for the manufacturing industry, but rather a voluntary guidance to help mitigate cybersecurity risks. “Securing devices is a group effort,” Fagan said. “The manufacturer has to supply options and software updates, and the user has to apply them. Both sides have roles to play,” he added.
The core baseline guide makes six recommendations in securing IoT devices:
- IoT devices should be able to identify themselves;
- Users should be able to change IoT devices’ software and firmware configuration;
- Software and firmware should also be able to update using a secure and configurable mechanism;
- It should be clear how IoT devices protect data;
- IoT devices should limit their local and network interfaces; and
- Devices should be able to log cybersecurity events and make the logs accessible.
NIST is holding a workshop on Aug. 13 to gather feedback on the guide draft, with registration open until Aug. 6. Public comments on the draft will be accepted until Sept. 6, 2019.