Cybersecurity Recommendations and Regulatory Requirements for IoT and Edge
Motte and Bailey Castle Norman fortification: Cheap and easy to build, and a decisive factor in their campaign. From a school project I helped with :D

Last week I came across a very useful Intel® whitepaper (“How Intel is Addressing IoT Cybersecurity Regulatory Requirements”) which examines the evolution of cybersecurity recommendations to protect IoT and Edge Workloads and how to address these using available technologies. See here.

Let’s understand why this whitepaper is so relevant to what is happening now, and what we can learn from it.


This infographic from The Economist (“Why companies still want in-house data centres”, Oct 5th, 2023) shows that the data produced by broadcast media and mobile/internet will be overtaken by Internet of Things and analytics data.

The Economist (“Why companies still want in-house data centres”, Oct 5th, 2023)

Enterprises are looking at on-prem infrastructure to process data where latency, availability or intellectual property protections are big concerns. This is especially relevant for analytics data as enterprises invest in building AI capabilities, from inferencing and digital twins to running business-segment-specific Generative AI. The Economist article above cites what might come as a revelation to those who are not dealing with these problems, viz. how inconsistency of data transfer (called jitter), data loss and service outages are surprisingly common. Add to that IP protection concerns and it is not difficult to see why enterprises are split in their choice of investing in their on-prem infrastructure rather than moving all their compute needs to cloud. In fact, my own conversations from trade shows, conferences and talks from industry leaders corroborate this rising interest in workload repatriation.

This also creates a weakening or flatlining of the momentum for digital transformation. Cloud is a rich development environment, with integrated tools for faster time to market. Distributed on-prem Edge Cloud, on the other hand, implies more devices and more software (often from open source or third-party providers), and thus a larger attack surface. The good news is that enterprise CIOs and technologists are not the only ones worried about it. Governments and regulatory standardization bodies such as NIST and ETSI are stepping in and providing recommendations.


The Intel® whitepaper above goes into a chronology of how IoT cybersecurity laws started getting framed and where they are headed. In this post I’d like to take one such set of recommendations, viz. NIST IR 8259A and then NIST SP 800-213, because of its wider applicability and because it is a good starting point. They provide recommendations for IoT device cybersecurity capabilities and requirements. The whitepaper also gives a curated list of relevant references and technologies to build such a security framework.

Standards driving Security Capability at the Edge

The key problem statement in the context of this post is to protect your edge infrastructure servicing IoT and analytics needs. Billions of devices must connect to the internet to benefit from new technologies such as analytics and Generative AI, and to create significant additional value justifying continued investment in digitalization. On the other hand, transnational criminal organizations and sometimes rogue nation states with advanced Information Technology skills are looking for ways to control and manipulate these infrastructures without the consent of their owners, and invariably beyond the law of the land. Such a data breach will increasingly attract significant penalties from state agencies. The trend is that the onus is on the enterprises running the business or providing the services to prove the infrastructure is secure and compliant with data protection laws, rather than being responsible only for fixing the problem once it has arisen.


We can address this challenge at two levels.

1) The first one is based on networking concepts, viz. control plane and user plane separation, and uses the concept of Zero Trust Access, viz. the principle of least privilege: each request for access to data and resources is authenticated, authorized, and monitored, and all authorizations are periodically revalidated. This is an interesting topic requiring a comprehensive treatment, and I see this as largely an industry response rather than a regulatory pull, so I’ll save it for a later post.

2) The second approach is what NIST SP 800-213 adds for US Federal information and systems. It is about device security: it covers trust and security of the execution environment, and securing the communications and the operations. In an ecosystem-driven business, trust is a major gap; the device security introduced by NIST SP 800-213 creates a great way of establishing that trust.

The two are connected, with overlapping audiences; however, in the remaining part of this post I will focus on the second approach around device security, as this is an area of interest among different players in the ecosystem. There are Telecom and Managed Service Providers on one hand, who are the gateways to the on-prem edge datacentres, and then there are Hyperscalers or cloud service providers with the most advanced tools, whose monetization model is linked to how much data they can process. A third critical player is the Hardware Equipment Manufacturer, whose products are used by the enterprises investing in their own on-prem edge infrastructure. Other important players are the technology vendors and services companies who bring all the computational, security, and system integration capabilities but need the cooperation of the rest to meet their Return on Investment goals.

NIST SP 800-213A gives a Federal Profile as shown in the Intel® whitepaper and works as a good reference for infrastructure capabilities to build.

Edge Security Capability Recommendations

There are some further references in the Intel® whitepaper on building the above capabilities using specific hardware and software technologies, which I’ll pass over here to keep this post generic and platform agnostic.

References:

1) Intel® whitepaper: “How Intel is Addressing IoT Cybersecurity Regulatory Requirements”, accessed on Oct-23 from this link, https://www.intel.com/content/www/us/en/content-details/790351/how-intel-is-addressing-iot-cybersecurity-regulatory-requirements.html

2) The Economist article: “Why companies still want in-house data centres”, Oct 5th 2023, https://www.economist.com/business/2023/10/05/why-companies-still-want-in-house-data-centres

3) NIST Foundational Cybersecurity Activities for IoT Device Manufacturers, https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf

4) NIST Cybersecurity for IoT Program, NISTIR 8259 Series https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program/nistir-8259-series

5) NIST IR 8259A IoT Device Cybersecurity Capability Core Baseline https://csrc.nist.gov/publications/detail/nistir/8259a/final

6) NIST Special Publication 800-213, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-213.pdf

7) NIST IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog, https://csrc.nist.gov/publications/detail/sp/800-213a/final


Disclaimers: The opinions expressed are my own. #Edge #IamIntel #AI

Absolutely agree with your point of view. Great write-up.
