From the comfort of smart homes and the convenience of wearable devices to the intelligent operations of manufacturing systems and the functionality of smart cities, the Internet of Things (IoT) serves as the connective tissue of a digitally unified world. While a hallmark of modern innovation, this proliferation of interconnectivity also introduces a multifaceted set of cybersecurity challenges that necessitate vigilant attention and robust countermeasures.?
Leading the charge to secure this interconnected world, the National Institute of Standards and Technology (NIST), a global frontrunner in defining standards, has crafted extensive guidelines to mitigate cybersecurity risks. This article will illuminate the pervasive influence of IoT across industrial and manufacturing contexts, focusing on Industrial IoT (or IIoT). Further, it will dissect these crucial NIST documents, translating their intricate technical specifics into understandable insights.
What Is the Industrial Internet of Things?
The Industrial Internet of Things refers to IoT technologies in industrial settings, such as manufacturing, logistics, or energy/utilities. The adoption of these technologies has become so widespread that it is often considered part of a wider economic evolution called the Fourth Industrial Revolution (or Industry 4.0).?
The IIoT involves the interconnection of devices, sensors, and machines used in industrial operations, allowing them to communicate and share data and with human operators. The data collected from these devices can be analyzed to improve efficiency, enhance productivity, and reduce operational costs.
Key elements and technologies of IIoT include:
- Smart Sensors and Devices: Such devices collect and and all information from the performance and output of a machine, device, or process. Most importantly, this is done at the point of collection–that is, the sensor is often directly connected to, or part of, the item from which it collects data.?
- Network Connectivity: Powerful RF, Wi-Fi, and Bluetooth connectivity enables these sensors to readily communicate with each other and with different cloud servers, often in real-time.?
- Industrial Control Systems (ICS): These include distributed control systems (DCS), programmable logic controllers (PLCs), and supervisory control and data acquisition (SCADA) systems.
- Data Analytics and Machine Learning: Layers of edge and cloud computing systems take data from sensors and run deep analytics to feed intelligence and machine learning algorithms.
- Cloud Computing and Edge Computing: IIoT often uses cloud computing for data storage and processing. However, edge computing (processing data near its source) is becoming increasingly crucial for real-time applications.
- Cybersecurity: Given the critical nature of many industrial systems, cybersecurity is a significant concern in the IIoT.
How Does NIST Govern Security for IoT Systems?
NIST provides extensive guidance on the issue of cybersecurity in the Internet of Things. They have published several documents that provide recommendations and best practices for securing IoT devices and systems.
Note that aside from these documents, most IIoT requirements will also refer back to NIST Special Publication 800-53.
NISTIR 8259, "Foundational Cybersecurity Activities for IoT Device Manufacturers"
NISTIR 8259, "Foundational Cybersecurity Activities for IoT Device Manufacturers," is a document that guides manufacturers in improving the cybersecurity of IoT devices. The document outlines six high-level technical activities and three supporting activities that manufacturers should consider in the device cybersecurity lifecycle.?
Pre-Market Activities
- Identify Customers and Use Cases: This step involves understanding the context in which the device will be used, which can guide decisions about cybersecurity requirements.
- Research Customer Goals: This activity involves identifying the cybersecurity goals relevant to the customer use cases identified in Activity 1.
- Plan How to Address Customer Goals: This step involves making strategic decisions about achieving the cybersecurity goals identified in activity 2. This includes determining what device capabilities are needed to support these goals.
- Support Customer Goals: This step involves creating a plan for providing the necessary device capabilities throughout the device's cybersecurity lifecycle.
Post-Market Activities
- Define Customer Communication: This activity involves determining how to communicate effectively with customers about device cybersecurity. This could include providing customers with information about the device's security features, how to use them, and any actions customers need to take to keep the device secure.
- Plan Customer Communication: This step involves deciding exactly what information will be transmitted to customers and when that communication should occur.
Supporting Activities
- Ensure Expertise: In order to carry out the other activities effectively, manufacturers need to have sufficient cybersecurity knowledge and skills.
- Identify Relevant Practices: Manufacturers should use relevant standards and best practices to help guide their cybersecurity efforts.
- Roles and Responsibilities: Clearly defining who is responsible for various cybersecurity tasks can help ensure that those tasks are effectively carried out.
By following these activities, IoT device manufacturers can make their devices more secure, helping protect their customers and the broader internet from potential threats. This is especially critical in the current digital age, where cybersecurity risks constantly evolve.
NISTIR 8259A, "IoT Device Cybersecurity Capability Core Baseline"
"NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline" is a document that identifies a core baseline of cybersecurity capabilities that IoT devices should ideally have to be securable. This baseline is essentially the floor of what IoT systems should be to remain securable.
- Device Identification: The IoT device should be logically and physically identifiable. This is essential for tracking devices across their lifecycle, managing devices effectively, and tracing the source of events for incident response.
- Device Configuration: It is essential for an IoT device to support secure configuration by an authorized entity. Users should be able to change default settings to harden security, like changing default passwords. Devices should also support resetting to a particular state.
- Data Protection: Devices should provide capabilities to protect data, both at rest and in transit, to maintain confidentiality, integrity, and availability. This includes encryption and other protective measures.
- Logical Access to Interfaces: IoT devices often have various interfaces, like command line interfaces, web-based interfaces, or application programming interfaces. The device should support restricting logical access to these interfaces to authorized entities only.
- Software and Firmware Updates: The IoT device should support secure, authenticated, and timely software and firmware updates. Given the ever-evolving nature of cybersecurity threats, the ability to update devices is critical.
- Cybersecurity State Awareness: The device should be able to report on its cybersecurity state, like whether it is currently configured securely or has experienced cybersecurity events or anomalies. This information can be used for monitoring and incident response.
The document also recommends that manufacturers identify additional device capabilities beyond the core baseline that may be needed to support specific customers, applications, or environments.
This document can be used by manufacturers, policymakers, and procurement officers to evaluate and improve the cybersecurity features of IoT devices. The identified baseline capabilities can guide design, development, and acquisition decisions.
NIST SP 800-82, "Guide to Industrial Control Systems (ICS) Security"
NIST Special Publication 800-82, "Guide to Industrial Control Systems (ICS) Security" is a publication by NIST that provides guidance on how to secure Industrial Control Systems. While not specifically tailored to IoT, the principles and recommendations within are highly relevant given the increasingly networked nature of modern industrial environments.
- Device Identification: The IoT device should be logically and physically identifiable. This is essential for tracking devices across their lifecycle, managing devices effectively, and tracing the source of events for incident response.
- Device Configuration: It is important for an IoT device to support secure configuration by an authorized entity. Users should be able to change default settings to harden security, like changing default passwords. Devices should also support resetting to a certain state.
- Data Protection: Devices should provide capabilities to protect data, both at rest and in transit, to maintain confidentiality, integrity, and availability. This includes encryption and other protective measures.
- Logical Access to Interfaces: IoT devices often have various interfaces, like command line interfaces, web-based interfaces, or application programming interfaces. The device should support restricting logical access to these interfaces to authorized entities only.
- Software and Firmware Updates: The IoT device should support secure, authenticated, and timely software and firmware updates. Given the ever-evolving nature of cybersecurity threats, the ability to update devices is critical.
- Cybersecurity State Awareness: The device should be able to report on its cybersecurity state, like whether it is currently configured securely or has experienced cybersecurity events or anomalies. This information can be used for monitoring and incident response.
The document also recommends that manufacturers identify additional device capabilities beyond the core baseline that may be needed to support specific customers, applications, or environments.
This document can be used by manufacturers, policymakers, and procurement officers to evaluate and improve the cybersecurity features of IoT devices. The identified baseline capabilities can guide design, development, and acquisition decisions.
NIST Cybersecurity for IoT Program
While not a document, this program demonstrates NIST's focus on IoT security. It aims to develop standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed:
- Device Identification: The IoT device should be logically and physically identifiable. This is essential for tracking devices across their lifecycle, managing devices effectively, and tracing the source of events for incident response.
- Device Configuration: It is essential for an IoT device to support secure configuration by an authorized entity. Users should be able to change default settings to harden security, like changing default passwords. Devices should also support resetting to a secure state.
- Data Protection: Devices should provide capabilities to protect data, both at rest and in transit, to maintain confidentiality, integrity, and availability. This includes encryption and other protective measures.
- Logical Access to Interfaces: IoT devices often have various interfaces, like command line interfaces, web-based interfaces, or application programming interfaces. The device should support restricting logical access to these interfaces to authorized entities only.
- Software and Firmware Updates: The IoT device should support secure, authenticated, and timely software and firmware updates. Given the ever-evolving nature of cybersecurity threats, the ability to update devices is critical.
- Cybersecurity State Awareness: The device should be able to report on its cybersecurity state, like whether it is currently configured securely or has experienced cybersecurity events or anomalies. This information can be used for monitoring and incident response.
The document also recommends that manufacturers identify additional device capabilities beyond the core baseline that may be needed to support specific customers, applications, or environments.
Manage IIoT Security and NIST Compliance with Continuum GRC
Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- FedRAMP
- StateRAMP
- GDPR
- NIST 800-53
- FARS NIST 800-171
- CMMC
- SOC 1, SOC 2
- HIPAA
- PCI DSS 4.0
- IRS 1075
- COSO SOX
- ISO 27000 Series
- ISO 9000 Series
And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.
Continuum GRC is a proactive cyber security? and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization's cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.