
2 December 2016

NIST and DHS weigh in on IoT security, still lack legal recourse

The USA’s National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) have each published a set of IoT security guidelines, at a particularly fragile moment for the industry following recent spates of devastating DDoS attacks by Mirai botnets, which exploited preventable vulnerabilities in a myriad of connected devices.

The two documents hope to breathe a little optimism into a market down on confidence, with differing takes on how the battle against cyber attacks should be approached. NIST has opted for a crackdown on hardware flaws at the source, while the DHS has outlined basic security principles that are neither new nor revolutionary.

You’d think that the DHS would have the authority to impose strict punishments on IoT companies who ignored security guidelines. However, it seems that it’s going to take a rather nasty episode (potentially a nationally damaging one) to prompt the various global lawmakers into action. Mirai is just the beginning.

Guidelines are all well and good, but if they are not implemented by device manufacturers, agencies or service providers, then this brings us back to square one. Implementation can seemingly only be assured by the threat of punishment, which means cementing these guidelines into law, yet the two agencies appear to have forgotten to discuss how their respective security recommendations can be enforced.

Dubiety aside, the DHS has provided a framework of IoT security recommendations that is realistically achievable, if less holistic than NIST’s research, which is part and parcel of being a government body. The DHS hopes to guide developers, manufacturers, service providers and consumers alike to focus on security at a more basic level, providing tools to close security holes during the development and use stages of devices, before vulnerabilities emerge post-deployment.

The advice given by the DHS can be something as simple as changing default passwords, a pivotal weakness exploited by the Mirai botnet. However, experts have criticised the DHS for failing to provide proper implementation guidelines for developers, surely a critical aspect of any technical framework. That line of thinking quickly descends into a discussion of standards as solutions to the problem, and is admittedly not a straightforward debate.
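The default-password weakness named above is the one concrete control the article points at, so here is an added example (not code from the article, the DHS or NIST) of how a device could enforce it at first boot: the management service stays disabled until the factory credential has been replaced with one that is neither a known shipped default nor trivially short. The `FACTORY_DEFAULTS` list, the 12-character minimum and the `DeviceState` class are all assumptions constructed for illustration.

```python
"""
First-boot credential gate for an IoT device (added illustration).

The device refuses to expose its remote management service until the
factory-default credential has been rotated. Rotation is rejected if the
new pair is itself a shipped default or the password is too short.
"""
import hmac
import secrets
from typing import Tuple

# Constructed sample of credentials a product line might ship with.
# Not taken from any real device or botnet wordlist.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("root", "password"),
    ("user", "1234"),
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value


def is_factory_default(username: str, password: str) -> bool:
    """True if the pair matches a shipped default.

    The password comparison is constant-time so the check itself does not
    leak how many leading characters matched.
    """
    return any(
        u == username and hmac.compare_digest(p.encode(), password.encode())
        for u, p in FACTORY_DEFAULTS
    )


def generate_unique_default() -> str:
    """Per-device random initial secret, printed on the label instead of
    a fleet-wide shared default."""
    return secrets.token_urlsafe(12)


class DeviceState:
    """Minimal model of the device's credential and service state."""

    def __init__(self) -> None:
        self.username = "admin"
        self.password = generate_unique_default()
        self.credential_rotated = False
        self.service_enabled = False

    def set_credential(self, username: str, new_password: str) -> Tuple[bool, str]:
        """Apply a new credential; returns (accepted, reason)."""
        if is_factory_default(username, new_password):
            return False, "matches a factory default"
        if len(new_password) < MIN_PASSWORD_LENGTH:
            return False, "shorter than %d characters" % MIN_PASSWORD_LENGTH
        self.username, self.password = username, new_password
        self.credential_rotated = True
        return True, "ok"

    def start_network_service(self) -> bool:
        """Only expose the remote service once the default has been replaced."""
        if not self.credential_rotated:
            return False
        self.service_enabled = True
        return True


if __name__ == "__main__":
    device = DeviceState()
    print("service before rotation:", device.start_network_service())
    print(device.set_credential("admin", "admin"))
    print(device.set_credential("ops", "correct-horse-battery"))
    print("service after rotation:", device.start_network_service())
```

The gate is deliberately placed on service start rather than on login: a device that is never reconfigured should simply not answer on the network, which is the failure Mirai-style scanning depends on.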

NIST, on the other hand, has delved deeper into the intricacies of IoT security at the hardware level, advising device manufacturers to simplify their design processes. In addition, NIST recommends building in encryption, firewalls and ways to monitor internal systems from the outset, rather than bolting them on after manufacture, where such add-ons tend to be layered onto already compromised systems and simply increase the potential attack surface.

The issue with purely bulking up on firewalls is that it can aid in the evolution of more advanced and sophisticated (or sometimes simpler) botnets. Relying on one gatekeeper device to keep the kingdom safe is setting yourself up for a dramatic fall.

NIST has mostly hit the nail on the head here, which, if combined with an industry-wide effort to shift towards an open-source software architecture, could prove crucial to curbing the prevalence of attacks, although open source is a topic that inspires rather heated debates after a few beers, and definitely isn’t the answer to all of life’s problems.

NIST’s Special Publication 800-160, the product of four years’ research, states: “engineering-based solutions are essential to managing the growing complexity, dynamicity and interconnectedness of today’s systems. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical and human components that compose the systems and the capabilities and services delivered by those systems.”

For companies that are serious about tackling IoT security challenges, the NIST guidelines are a respectable place to start. The combined efforts of the DHS and NIST will certainly have some influence on IoT players big and small, but, as previously touched on, the elephant in the room is how these guidelines can be enforced, if at all. We wish they were more than simply guidelines, but their purpose lies in providing stepping stones to more concrete security practices in the future.