NIST publishes IoT guide for manufacturers.
The US National Institute of Standards and Technology (NIST) published a draft guide titled NISTIR 8259 – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. The guide aims to help Internet of Things (IoT) device manufacturers understand the cybersecurity risks of their devices. The publication defines six cybersecurity features that manufacturers can voluntarily build into their IoT devices and that consumers can look for when purchasing them:

(a) Device identification: The IoT device should have a way to identify itself, via a serial number and/or unique address, when connecting to networks.
(b) Device configuration: Users should be able to change the device software and firmware configuration.
(c) Data protection: It should be clear how the IoT device protects the data it stores and warns about any unauthorised access and modification.
(d) Logical access to interfaces: The device should limit access to authorised local and network interfaces.
(e) Software and firmware update: The device's software and firmware should be updatable, using a secure and configurable mechanism.
(f) Cybersecurity event logging: IoT devices should log cybersecurity events and make the logs accessible to the owner or manufacturer.

The deadline for public comments on the report is 30 September 2019. The guide complements NIST's recent publication that dealt with the IoT cybersecurity challenges of large organisations (e.g. federal agencies).