By Kyle Haefner, Lead Security Architect, CableLabs, Bruno Johnson, CEO, Cascoda, Joe Lomako, Cybersecurity Lead, TÜV SÜD UK test lab
Internet of Things (IoT) security, like global warming, is one of the few things that can be said to have global awareness, global initiative, and a growing but disjointed global consensus. Governments of the world have recognized that IoT security is a priority problem. In response, they’ve developed security baseline guidance and drafted and passed legislation to increase IoT security. Manufacturers have realized that building security and privacy into devices adds real value to their brand. This is because consumers are increasingly aware of the importance of security and privacy in the devices they own and, as such, will make purchase decisions based on enhanced security and privacy features.
The challenges facing the industry now lie in navigating a patchwork of regulations that are currently vaguely defined with no clear guidance for certification of compliance. The countdown timer for compliance has already started.
Requirements and Provisions to Be Considered
Legislators in North America and Europe have been developing standards for IoT security. For example, the European Telecommunications Standards Institute (ETSI) has updated the Radio Equipment Directive (RED), which establishes a regulatory framework for placing radio equipment on the market. ETSI adopted a Delegated Act of the RED, activating Articles 3(3)(d), (e) and (f) for certain categories of radio equipment to increase the level of cybersecurity, personal data protection and privacy.
The update mandates cybersecurity, personal data and privacy protection for devices that can:
- 3d: communicate over the internet, either directly or via any other equipment;
- 3e: process personal data, traffic data or location data;
- 3f: enable users to transfer money, monetary value or virtual currency.
These provisions become mandatory on 1st August 2024, at which point manufacturers of radio-connected devices must be compliant or face potential action.
In the U.S., the National Institute for Standards and Technology (NIST) has released a three-pronged approach split between manufacturers, federal agencies and consumers.
For manufacturers, NIST provides guidance in the form of the NISTIR 8259 series. NISTIR 8259A is the IoT device cybersecurity core baseline that focuses on capabilities such as device identification, device configuration, data protection, logical access to interfaces, software update and a catch-all for logging and cybersecurity state awareness. NISTIR 8259B covers non-technical requirements such as documentation, information queries from customers, information dissemination, and education and awareness.
For federal agencies, NIST provides guidance in SP 800-213A on the use and management of IoT devices. This publication provides detailed requirements similar to the categories in NISTIR 8259A, but with more specific requirements under each device capability.
For consumers, NIST, in coordination with the Federal Trade Commission (FTC), has been assigned by President Biden’s Executive Order 14028 on Improving the Nation’s Cybersecurity to provide criteria on consumer IoT device labeling. This aims to give manufacturers guidance and standards on how to label consumer devices in terms of their capabilities both physical and cyber.
Additionally, the U.S. Federal Communications Commission (FCC) in June of 2021, released a notice of proposed rulemaking and notice of inquiry with the focus of improving the adoption of cybersecurity best practices in consumer electronics.
While there has not been an official call for a cybersecurity certification in the U.S. similar to the RED in Europe, judging by releases from NIST, FTC and the FCC, signs are beginning to point in that direction.
The primary requirement categories are shown in Figure 1 below.
Figure 1. IoT Security Landscape
This legislation creates challenges for manufacturers, operators, and installers of IoT devices.
The Secure Device Lifecycle
A secure device lifecycle is the foundation of all secure device ecosystems. Manufacturers, operators, and installers of IoT devices will need to build upon this foundation to comply with the guidelines and regulations listed above. Stakeholders should be incorporating the secure device lifecycle into their business plans and processes now.
A secure IoT device lifecycle involves hardware, software, and the ecosystem infrastructure required to support the device and associated services. Secure device lifecycle management, shown in Figure 2 below, encompasses all of the processes from the manufacture of the device, where a cryptographic identity is fused at the factory①, to provisioning operational credentials onto the device②, configuration at the deployment site③, ongoing secure updates during normal operation④, and finally secure data wipe⑤ at decommissioning⑥.
Figure 2. The OCF Secure Device Lifecycle
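To make the lifecycle concrete, here is an added Python model (example code, not OCF's or the authors' own) of the six stages as a state machine: steps are refused out of order, updates are accepted only in service and only with a valid tag under the update key installed at provisioning, and the wipe at decommissioning erases everything except the factory-fused identity. The stage names, the `update_key` credential and the use of an HMAC in place of a real update signature are this example's assumptions.

```python
import hashlib
import hmac
from enum import Enum, auto

class Stage(Enum):
    MANUFACTURED = auto()    # 1: cryptographic identity fused at the factory
    PROVISIONED = auto()     # 2: operational credentials installed
    CONFIGURED = auto()      # 3: configured at the deployment site
    OPERATING = auto()       # 4: in service, accepting signed updates
    WIPED = auto()           # 5: operational data securely erased
    DECOMMISSIONED = auto()  # 6: retired

def sign_update(key: bytes, version: int, image: bytes) -> bytes:
    # Manufacturer-side tag over version and image (an HMAC stands in for a real signature here).
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()

class Device:
    def __init__(self, factory_identity: bytes):
        self.factory_identity = bytes(factory_identity)  # fused once; never rewritten or wiped
        self.stage = Stage.MANUFACTURED
        self.operational = {}  # everything installed after manufacture; erased at wipe

    def _advance(self, required: Stage):
        # Stages are entered strictly in order; any out-of-order step is refused.
        if self.stage is not required:
            raise RuntimeError(f"step requires {required.name}, device is {self.stage.name}")
        self.stage = Stage(self.stage.value + 1)

    def provision(self, credentials: dict):
        self._advance(Stage.MANUFACTURED)
        self.operational.update(credentials, firmware_version=0)

    def configure(self, config: dict):
        self._advance(Stage.PROVISIONED)
        self.operational["config"] = dict(config)

    def enter_service(self):
        self._advance(Stage.CONFIGURED)

    def apply_update(self, version: int, image: bytes, tag: bytes) -> bool:
        # Only while in service, never a downgrade or replay, and only with a valid tag.
        ok = (self.stage is Stage.OPERATING and version > self.operational["firmware_version"]
              and hmac.compare_digest(sign_update(self.operational["update_key"], version, image), tag))
        if ok:
            self.operational["firmware_version"] = version
        return ok

    def decommission(self):
        self._advance(Stage.OPERATING)  # -> WIPED: secure wipe of all post-manufacture data
        self.operational = {}           # the factory identity deliberately survives
        self._advance(Stage.WIPED)      # -> DECOMMISSIONED
```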
Challenges for Manufacturers
For manufacturers, the timeline for meeting the EU’s RED provisions is short, especially given that the average hardware time-to-market is one and a half to two years – and this is without ongoing supply chain issues. Additionally, developing embedded devices with protections for keying material can take extra time and some manufacturers will need to retool their production lines to accommodate the extra steps of burning key material to the chips.
Challenges for Operators
Consumers expect that their smart devices are manageable wherever, whenever and on any device. To meet this expectation, manufacturers should ensure that their ecosystem offering includes secure communication not only proximally but also to the cloud and across multiple IP segments. Operators should build out and refine security technologies such as Public Key Infrastructure (PKI) to authenticate, authorize and account for devices within their ecosystems – and do so in a way that creates simple and seamless user experiences.
Challenges for Installers
Depending on the use case, the installation process can include a mix of system integration, application engineering, and IT administration functions. As with manufacturers and operators, installers need to develop suitable technical training and management processes to allow for the appropriate provisioning of secure devices. The provisioning process establishes access rights and privileges for individual users so as to ensure a seamless user experience while maintaining security.
Answering the Call
For several years, manufacturers, vendors and internet operators have been working through various standards organizations to build secure IoT specifications that bring many of the best practices of running secure connected systems into the domain of secure connected and constrained systems.
There are now mature internationally recognized secure IoT communications standards that can help support the requirements set forth by the EU RED and the US NIST. By using such protocol standards, many of the challenges related to IoT security can be overcome.
However good the communications standard, organizations at every level of the IoT supply chain still need to implement appropriate management processes and ensure that their workforce has sufficient training to facilitate a seamless transition to a more secure world.
Governments are moving at an increasing pace to protect the security of networks from vulnerable and insecure devices – as can be seen with the above directives and guidelines coming from both the EU and US. Specific requirements directly tied to legislation are at best poorly defined and vague, and yet at the same time specific deadlines for conformance have already been set. This puts manufacturers in a difficult position in determining conformance of product lines with lead times that can stretch into multiple years.
The best option right now is to plan to build devices that can meet a majority of the requirements established in ETSI and NIST. It is impossible to foresee what legislation will require, but it is easy to guess that it will be based at least in part on currently established IoT security baselines. Manufacturers must not delay; the clock is ticking.
“EN 303 645 – V2.1.0 – CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements.” 2020. ETSI. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf
“Executive Order on Improving the Nation’s Cybersecurity.” 2021. The White House. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
“Federal Communications Commission FCC 21-73 Before the Federal Communications Commission Washington, DC 20554 In the Matter of.” 2021. Federal Communications Commission. https://docs.fcc.gov/public/attachments/FCC-21-73A1.pdf
“NIST Internal or Interagency Report (NISTIR) 8259A, IoT Device Cybersecurity Capability Core Baseline.” 2020. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259a/final
“NIST Internal or Interagency Report (NISTIR) 8259B, IoT Non-Technical Supporting Capability Core Baseline.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/nistir/8259b/final
“NIST Special Publication (SP) 800-213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog.” 2021. NIST Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-213a/final
“OCF – Specifications.” n.d. OPEN CONNECTIVITY FOUNDATION (OCF). Accessed March 3, 2022. https://openconnectivity.org/developer/specifications/
About the Authors
Kyle Haefner, PhD is a Lead Security Architect at CableLabs. He also chairs the Core Security work group of the Open Connectivity Foundation (OCF).
Bruno Johnson is the CEO of Cascoda. He also chairs the Marketing and Communications work group of the Open Connectivity Foundation (OCF).
Joe Lomako heads the cybersecurity team in TÜV SÜD’s UK test lab. He has a 25-year background in IoT and wireless connectivity compliance and certification.