It’s now been 5 years since the first release of the NIST Cybersecurity Framework. Originally aimed at operators of critical infrastructure, the framework has been updated to also support the needs of private sector organizations in the U.S., primarily to help them assess and improve their ability to prevent, detect and respond to cyber attacks.
Use of the framework extends far beyond the United States, however, as there have already been more than half a million downloads from interested parties in more than 30 countries. NIST’s practical guidance is used by a wide range of businesses and organization that want to be proactive about risk management.
But businesses aren’t the only ones who can benefit from observing the framework’s best practices. Device and equipment manufacturers, too, can benefit from designing their products with inherent features that dovetail with the proactive approach to cybersecurity. This is especially true for device manufacturers in the burgeoning Internet of Things (IoT) space. With millions – billions, even – of new IoT devices expected to connect to the Internet in the years ahead, they mustbe designed with the inherent ability to protect themselves and fend off cyber attacks. If devices lack such features, they will ultimately be rejected by the businesses and agencies that want products that help them adhere to the cybersecurity framework’s best practices.
In fact, U.S. law might soon require stronger security in IoT devices…
Just introduced U.S Federal legislation will require manufacturers to address security lifecycle
A new bill was just introduced into the U.S. Congress that would require that devices purchased by the U.S. government meet a certain level of security requirements. Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:
Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching and configuration management for IoT devices.
Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
The European Union is addressing these same issues
Similar to the guidelines and proposed legislation in the U.S., ENISA, the European Union Agency for Network and Information Security, has published the Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures. The aim of this work is to provide insight into the security requirements of IoT, mapping critical assets and relevant threats, assessing possible attacks and identifying potential good practices and security measures to apply in order to protect IoT systems. Among the recommendations are:
Promote harmonization of IoT security initiatives and regulations
Raise awareness for the need for IoT cybersecurity
Define secure software/hardware development lifecycle guidelines for IoT
Achieve consensus for interoperability across the IoT ecosystem
Foster economic and administrative incentives for IoT security
Establishment of secure IoT product/service lifecycle management
Clarify liability among IoT stakeholders
How Cybeats helps device manufacturers adhere to the NIST Cybersecurity Framework best practices
The current NIST framework covers very well how manufacturers can design products securely. Cybeats is a technology partner that can support manufacturers’ security efforts at every point of the security cycle.
Cybeats protects IoT devices throughout their lifecycle by taking a unique “inside out” approach to cybersecurity. Our software is embedded into the devices as a non-intrusive micro-agent to provide continuous protection, allowing devices to instantly detect even the most sophisticated threats, block them to prevent harm, and gather intelligence to help neutralize the threats. Then when the manufacturer updates the firmware to eliminate vulnerabilities, Cybeats automates firmware distribution to all devices in the field to restore a secure posture. This process follows the best practices of the NIST Cybersecurity Framework in the following ways:
"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
With the Cybeats micro-agent embedded in an IoT device, we are able to discover the assets of the device and the dependencies they have on external software libraries. Cybeats can determine if the device has any initial vulnerabilities before the product ships, which ensures the manufacturer sends a “clean” product to market.
"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
Cybeats develops a profile of the device in its healthy state to provide a benchmark against which future states can be compared. In this way, we can detect even minor variations from the profile the device shouldhave. In addition, Cybeats continuously monitors for reports of vulnerabilities in the third-party software.
"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
Cybeats can immediately detect any variations in the device profile and notify the manufacturer as well as the end users of the device.
"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
If suspicious activity on the device is detected, Cybeats can immediately neutralize the threat to prevent harm. Further, we facilitate the distribution of firmware updates to every affected device and keep all devices updated proactively. The process doesn’t depend on end users retrieving an update for themselves; Cybeats pushes all updates to them.
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."
Cybeats helps the affected systems recover from a breach without having to disconnect from the Internet by blocking the threat until a firmware update can be implemented. Thus, there is no downtime and operations can proceed as usual.
The NIST Cybersecurity Framework is embraced around the world by all types of organizations as the model for best practices to assess and improve their ability to prevent, detect, and respond to cyber attacks. Device manufacturers need to embrace the same model and implement the practices that will help their customers adhere to the NIST framework. By design, Cybeats can help IoT device manufacturers achieve this goal.