Late last year, the National Institute of Standards and Technology (“NIST”) released Special Publication 800-160 (the “Guidance”) on implementing security in Internet-of-Things (“IoT”) devices. The Guidance was released following several highly-publicized distributed denial-of-service (“DDoS”) attacks in 2016 and is intended to provide a framework for software engineers to better address security issues and to develop more defensible and survivable systems in a sustainable manner throughout the life cycle of these devices.
The NIST IoT Security Guidance
IoT devices have become increasingly prevalent, both in the U.S. and worldwide, with one information technology research and advisory company forecasting that the count of IoT devices in use will reach 20.8 billion by 2020. Another company projects that in 2018, IoT devices will surpass mobile phones as the largest category of connected devices, with a growth projection of 23 percent annually between 2015 and 2021. However with this increased adoption comes a greater potential for misuse, as evidenced by their use in a number of recent DDoS attacks. The attackers have been able to exploit the relative security weaknesses in IoT devices, like internet-connected cameras and DVRs, using malware to create networks of these computers, known as botnets, that report to a central control server that can be used as a staging ground for launching powerful DDoS attacks. This malware is able to gain control over numerous IoT devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
The Guidance is designed to help prevent the vulnerabilities that lead to their exploitation and to facilitate “a disciplined, structured, and standards-based set of systems security engineering activities.” To accomplish this, the Guidance focuses on assessing the trustworthiness of various internet-connected devices and their impacts through a series of processes governed by the life cycle of each device. The Guidance breaks those processes into four categories:
- Agreement processes
- Organization-project enabling processes
- Technical management processes
- Technical processes
In each of those categories, Special Publication 800-160 uses international system engineering standards and maps out the purpose, outcomes, and various activities and tasks associated with each life cycle process. The Guidance addresses the activities and tasks, the concepts and principles, and most importantly, what needs to be considered from a security perspective when executing within the context of Systems Engineering.
As with other NIST special publications addressing security, the Guidance emphasizes the need to proactively consider and develop security as a part of the product design process and to consider it throughout both the design process and the product’s life cycle. The Guidance recognizes that accomplishing the security goals set forth represents “a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks—and a fundamental cultural change to the current ‘business as usual’ approach.” This Guidance is intended to represent “an important starting point” to initiate needed change.
We have previously provided recommendations about how organizations can help prepare themselves in advance of an attack, as well as how they can respond during and after an attack. NIST’s guidance is aimed at helping to prevent the vulnerabilities that allow these devices to be commandeered by attackers and used to launch various attacks—which is clearly a welcome step in combatting these attacks. Unfortunately, the implementation of these recommendations is not likely to occur quickly and may be ignored completely by low-cost manufacturers of internet-connected devices. Because pricing considerations often weigh heavily on customers buying these devices, consumer education about the security risks is likely to play a large role in the industry adoption of security measures like those discussed in the Guidance. Unfortunately, enhanced security often increases product prices and decreases convenience and ease-of-use for many end-users. Unless and until consumers show that they truly value security improvements through their behavior, companies, particularly those outside of the U.S. where many IoT devices are made, may be slow to adopt the recommendations found in the Guidance.
From a legal perspective, the Guidance can be seen as a double-edged sword for organizations that manufacture or use IoT devices. On the one hand, the guidance provides a framework for better securing these devices, the implementation of which could limit potential liability if implemented. On the other hand, the mere existence of the Guidance may be interpreted by regulators and potential litigants as creating a minimum threshold for negligence if the recommendations in the guidance are not followed.