NIST IoT機器製造者向けセキュリティの実践資料 NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers, NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
こんにちは、丸山満彦です。
NISTがIoTに関する白書を2つ(NISTIR 8259 Foundational Cybersecurity Activities for IoT Device ManufacturersとNISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
)公開していますね。。。
● NIST - ITL
・2020.05.29 (PUBLICATIONS) NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers
・[PDF] NISTIR 8259 (DOI)
Supplemental Material:
・[Web] Blog post
・[Web] Video overview of NIST recommendations
Related NIST Publications:
・2019.06.25 (PUBLICATIONS) NISTIR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
・[PDF] NISTIR 8228
Abstract
Internet of Things (IoT) devices often lack device cybersecurity capabilities their customers—organizations and individuals—can use to help mitigate their cybersecurity risks. Manufacturers can help their customers by improving how securable the IoT devices they make are by providing necessary cybersecurity functionality and by providing customers with the cybersecurity-related information they need. This publication describes recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These foundational cybersecurity activities can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices.
・2020.05.29 (PUBLICATIONS) NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
・[PDF] NISTIR 8259A
Supplemental Material:
・[web] Federal Profile of NISTIR 8259A
・[web] NIST Cybersecurity for IoT Program
・[web] Blog post
・[web] Video overview of NIST recommendations
Abstract
Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.
■ 参考
● まるちゃんの情報セキュリティ気まぐれ日記
・2020.02.06 NISTがIoT機器製造者向けセキュリティの実践資料のドラフト(Ver.2)を公開していますね。。。
● NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers
Executive Summary
Manufacturers are creating an incredible variety and volume of internet-ready devices broadly known as the Internet of Things (IoT). Many of these IoT devices do not fit the standard definitions of information technology (IT) devices that have been used as the basis for defining device cybersecurity capabilities (e.g., smartphones, servers, laptops). The IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, LongTerm Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world.
The IoT devices in scope for this publication can function on their own, although they may be dependent on specific other devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality.
Many IoT devices have computing functionality, data storage, and network connectivity along with functionality associated with equipment that previously lacked these computing functions (e.g., smart appliances). In turn, these functions enable new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also enable the collection and analysis of data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events [1].
IoT devices are acquired and used by many customers: individuals, companies, government agencies, educational institutions, and other organizations. Unfortunately, IoT devices often lack device capabilities that customers can use to help mitigate their cybersecurity risks, such as the functionality customers routinely expect their desktop and laptop computers, smartphones, tablets, and other IT devices to have. Consequently, IoT device customers may have to select, implement, and manage additional or new cybersecurity controls or alter the controls they already have. Compounding this task, customers may not know they need to alter their existing processes to accommodate the unique characteristics of IoT. The result is many IoT devices are not secured in the face of evolving threats; therefore, attackers can more easily compromise IoT devices and use them to harm device customers and conduct additional nefarious acts (e.g., distributed denial of service [DDoS] attacks) against other organizations.1.
The purpose of this publication is to give manufacturers recommendations for improving how securable the IoT devices they make are. This means the IoT devices offer device cybersecurity capabilities—cybersecurity features or functions the devices provide through their own technical means (i.e., device hardware and software)—that customers, both organizations and individuals, need to secure the devices when used within their systems and environments. IoT device manufacturers will also often need to perform actions or provide services that their customers expect and/or need to plan for and maintain the cybersecurity of the device within their systems and environments. From this publication, IoT device manufacturers will learn how they can help This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8259 IoT device customers by carefully considering which device cybersecurity capabilities to design into their devices for customers to use in managing their cybersecurity risks.
This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Four of the six activities primarily impact decisions and actions performed by the manufacturer before a device is sent out for sale (pre-market), and the remaining two activities primarily impact decisions and actions performed by the manufacturer after device sale (postmarket). Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.
Note that this publication is intended to inform the manufacturing of new devices and not devices that are already produced or in production, although some of the information in this publication might also be applicable to such devices.
Activities with Primarily Pre-Market Impact
- Activity 1: Identify expected customers and users, and define expected use cases. Identifying the expected customers and users, as well as the end users’ expected use cases for an IoT device early in its design is vital for determining which device cybersecurity capabilities the device should implement and how it should implement them.
- Activity 2: Research customer cybersecurity needs and goals. Customers’ risks drive their cybersecurity needs and goals. Manufacturers cannot completely understand or anticipate all of their customers’ risks. However, manufacturers can make their devices at least minimally securable by those they expect to be customers of their product and who use them consistent with the expected use cases.
- Activity 3: Determine how to address customer needs and goals. Manufacturers can determine how to address those needs and goals by having their IoT devices provide particular device cybersecurity capabilities in order to help customers mitigate their cybersecurity risks. To provide a starting point to use in identifying the necessary device cybersecurity capabilities, a companion publication is provided, NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [4], which is a set of device cybersecurity capabilities that customers are likely to need to achieve their goals and fulfill their needs.
- Activity 4: Plan for adequate support of customer needs and goals. Manufacturers can help make their IoT devices more securable by appropriately provisioning device hardware and software resources to support the desired device cybersecurity capabilities. They should also consider business resources necessary to support development and continued support of the IoT device in ways that support customer needs and goals (e.g., secure coding practices, vulnerability response and flaw remediation).
Activities with Primarily Post-Market Impact
- Activity 5: Define approaches for communicating to customers. Many customers will benefit from manufacturers communicating to them more clearly about cybersecurity risks involving the IoT devices the manufacturers are currently selling or have already sold. This communication could be targeted at the customer directly or others acting on the customers’ behalf, such as an internet service provider or a managed security services provider, depending on context and roles.
- Activity 6: Decide what to communicate to customers and how to communicate it. There are many potential considerations for what information a manufacturer communicates to customers for a particular IoT product and how that information will be communicated. Examples of topics are:
- Cybersecurity risk-related assumptions that the manufacturer made when designing and developing the device
- Support and lifespan expectations, such as expected term of support, what process will guide end-of-life, will any functions of the device remain after its end-of-life, how customers can communicate with the manufacturer about suspected vulnerabilities during and even after the end of device support, and how customers may be able to maintain securability after support ends and at end-of-life
- Device composition and capabilities, such as information about the device’s software, hardware, services, functions, and data types
- Software updates, such as if updates will be available, when, how and by whom they will be distributed, and how customers can verify source and content of a software update
- Device retirement options, such as if and how a customer can securely transfer ownership of the device, and whether the customer can render the device inoperable for disposal
- Device cybersecurity capabilities that the device provides, as well as cybersecurity functions that can be provided by a related device or a manufacturer service or system
1 In 2017, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure [2], was issued to improve the Nation’s cyber posture and capabilities in the face of intensifying threats. The Executive Order tasked the Department of Commerce and Department of Homeland Security with creating the Enhancing Resilience Against Botnets Report [3] to determine how to stop attacker use of botnets to perform DDoS attacks. This report contained many action items, and this publication fulfills two of them: to create a baseline of cybersecurity capabilities for IoT devices, and to publish cybersecurity practices for IoT device manufacturers.
Table of Contents
Executive Summary
1 Introduction
1.1 Purpose and Scope
1.2 Publication Structure
2 Background
3 Manufacturer Activities Impacting the IoT Device Pre-Market Phase
3.1 Activity 1: Identify Expected Customers and Define Expected Use Cases
3.2 Activity 2: Research Customer Cybersecurity Needs and Goals
3.3 Activity 3: Determine How to Address Customer Needs and Goals
3.4 Activity 4: Plan for Adequate Support of Customer Needs and Goals
4 Manufacturer Activities Impacting the IoT Device Post-Market Phase
4.1 Activity 5: Define Approaches for Communicating to Customers
4.2 Activity 6: Decide What to Communicate to Customers and How to Communicate It
4.2.1 Cybersecurity Risk-Related Assumptions
4.2.2 Support and Lifespan Expectations
4.2.3 Device Composition and Capabilities
4.2.4 Software Updates
4.2.5 Device Retirement Options
4.2.6 Technical and Non-Technical Means
5 Conclusion
References
List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary
● NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
Device Identification: | The IoT device can be uniquely identified logically and physically. | デバイスの識別: | IoT デバイスは、論理的にも物理的にも一意に識別することができる。 |
Device Configuration: | The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only. | デバイスの設定: | IoTデバイスのソフトウェアの構成を変更することができ、そのような変更は許可されたエンティティのみが行うことができる。 |
Data Protection: | The IoT device can protect the data it stores and transmits from unauthorized access and modification. | データ保護: | IoTデバイスは、不正なアクセスや変更から保存・送信されたデータを保護することができる。 |
Logical Access to Interfaces: | The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only. | インターフェイスへの論理アクセス: | IoTデバイスは、そのローカル、ネットワークインターフェース、及びそれらのインターフェースで使用されるプロトコルとサービスへの論理的アクセスを、許可されたエンティティのみに制限することができる。 |
Software Update: | The IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism. | ソフトウェアアップデート: | IoTデバイスのソフトウェアは、安全で構成可能なメカニズムを使用して、権限のあるエンティティのみが更新することができる。 |
Cybersecurity State Awareness: | The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only. | サイバースセキュリティ状態の認識: | IoTデバイスは、そのサイバーセキュリティの状態をレポートし、その情報に権限のあるエンティティのみがアクセスできるようにすることができる。 |
« CSAがソフトウェア定義の境界(SDP)を使用してゼロトラストを実装する方法に関する報告書を公開していますね。。。 | Main | 米国 国家安全保障局 (NSA) がEximの脆弱性を悪用するロシアのAPTグループ「Sandworm」に関する警告を公表 »
Comments