call for comment on NIST draft: Establishing Confidence in IoT Device Security: How do we get there?

Last week’s NIST cybersecurity white paper came across our desk and we’re reading up. Establishing Confidence in IoT Device Security: How do we get there?

Trustworthiness of Cyber Physical Systems

The abstract model from Figure 1 is useful for organizing work from the vantage of stakeholders.

  • Aspects: functional, business, human, timing, data, boundaries, composition, lifecycles, and communication.
  • Concerns: safety, privacy, security, reliability, resilience.
  • Facets: conceptualization, realization, assurance.

Does this model both define and determine trustworthiness? No. But it does reflect how trustworthiness is perceived. The team is working toward a state where customers can gauge trust both before and after purchase.

Katerina Megas (NIST), Barbara Cuthill (NIST), and Sarbari Gupta (Electrosoft Services) found themes in their work. Quoted here:

  1. The diversity and scale of IoT devices precludes having a single approach for establishing security confidence
  2. The selection of confidence mechanism has to be risk based, with greater risk potentially requiring more rigorous confidence schemes
  3. Confidence mechanisms have to be clear about the assumptions and limits of the confidence attestations
  4. Confidence mechanisms can exacerbate problems of market fragmentation through narrow certifications or can mitigate by providing a certification that is recognized broadly
  5. Certain categories of customers cannot be expected to take extensive actions with respect to IoT security
  6. Maintaining appropriate confidence in a device over its lifetime requires IoT device manufacturers and confidence mechanisms to consider additional dimensions
  7. Customer awareness and training are essential to expanding the recognition of IoT security confidence mechanisms

Wider PoV:

  • There’s a big difference between security and security theater. This work attempts to reduce the theater. Improving confidence in the identity layer gets you closer.
  • Not so sure the model makes distinctions between those who own devices, those who pay for them, those who use them, and passive data subjects. What you care about depends on where you stand and your power in relation to the entities behind the device.
  • High Assurance Digital Identity of Things is just one component of overall IoT trust and security. But it touches nearly everything.

The authors seek feedback on model completeness. Comments are due next month, June 14, 2021, to:

