The number of IoT devices in the field continues to increase, and many of them are becoming important parts of our critical infrastructure, such as electrical grids. However, as we’ve seen time and time again, botnets and other cyberattacks are also on the rise and are a very real threat to IoT devices and the services that depend on them. The good news is that the U.S. Government’s National Institute of Standards and Technology (NIST) has developed an IoT cybersecurity standard called NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline, and it’s playing an important role in helping to keep IoT devices and services safe. As companies look to meet NISTIR 8259A, implementing device authentication and data integrity are critical steps for compliance and, of course, for securing IoT.
There are many threats and hacks to IoT devices, but the one I focus on is botnets. Botnets are networks of devices that have been hacked by a bad actor, who can then use them for nefarious purposes such as denial of service attacks and other cyberattacks. When botnets first reared their ugly heads, they consisted mainly of desktop PCs, as they were a common device to target. Now, cybercriminals typically target video cameras, set-top boxes, and anything with insufficient security that can be quickly taken over. Those worrisome botnets are also on the rise. A Fortinet report showed that botnets detected within organizations had risen from 35.1% in January 2021 to 51.4% in June 2021.
While many types of botnet malware are actively operating in the field, an interesting one is the Mirai malware. One of the first serious botnets targeting IoT devices, Mirai is not sophisticated, but it has been around for a long time. Essentially Mirai works like this. First, an attacker uses a server to scan for devices with known vulnerabilities that he can exploit. The attacker then abuses those vulnerabilities to place the Mirai malware on the devices he finds and controls them from a command and control server. From this server, he can launch his attacks from these infected devices at will. Exploitable vulnerabilities range from software with known vulnerabilities that haven’t been updated to devices whose operators are still using the default security credentials they were shipped with. Unfortunately, these default credentials are no secret. They are well known amongst bad actors and sold cheaply on the Dark Web.
Botnets and other hacks have risen to the point where they are no longer a bothersome nuisance but are major threats to our economy and livelihood. This was unfortunately directly demonstrated by two attacks in the 2010s, the “Black Energy” attack on the Ukrainian electrical grid in 2015 and the “Not Petya” attacks of 2017. While cyberattacks on IoT devices promise to continue and become even more sophisticated, there is some good news. Many of these attacks can be avoided simply by following some basic and well-established security practices. Some important ones include making sure that each IoT device is properly identified using secure identification techniques common in the industry and that the software on the device can only be updated by entities with proper authorization.
The U.S. Government acts to secure IoT
With the number of threats to IoT devices on the rise, along with the potentially severe consequences of these attacks, the U.S. Government recognized the necessity of establishing policy responses to these threats. One of the first concrete steps was the publishing of a presidential executive order in May 2017. It was then followed by the U.S. Congress passing the Internet of Things Cybersecurity Improvement Act of 2020. One of the results of this activity is NIST publishing and promoting the NISTIR 8259A standard noted above.
Why does this standard from an admittedly obscure government agency matter? Well, the U.S. Government is required to only buy devices that comply with NISTIR 8259A and the U.S. Government is a very large customer for many companies. Given the size of the U.S. Government and its power in the market, previous NIST security standards have been broadly adopted by the industry and there is no reason to think that NISTIR 8259A will be any different. Accordingly, it has the potential to be a real game changer and one the industry should pay close attention to.
As shown in the graphic below, NISTIR 8259A requires the implementation of a number of security measures to protect IoT devices. Some of the solutions for these are already well known and adopted by the technology industry and others are starting to climb the adoption curve.
Two key technical measures called out by the NIST Baseline should be noted. One is the need for secure device authentication. Devices can be “spoofed.” Authenticating devices is one effective way to stop spoofing. Device identification using PKI-based certificates, such as the ones offered by Intertrust PKI, is an industry-standard and market-proven method of device authentication. These certificates are also a bedrock security technology that other measures such as secure boot and secure software updates are built upon. We should think beyond the simplest scenarios. To further increase security, companies should explore using expanded or rich identities that can authenticate any number of the capabilities of a device.
The other is data integrity. A wide variety of critical actions could be taken based on data coming from IoT devices. Accordingly, the data stored by the device, as well as the data transmitted by the device, needs to be secured and trusted. Device authentication is needed for data authentication measures such as data encryption. Device authentication is also necessary for adding capabilities to maintain data integrity, since data can travel over untrusted networks and devices on its path to its final consumer.
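The two measures above can be seen working together in the following added example, which is not from the original article or from any Intertrust product: a device holding a CA-issued certificate signs a reading, and the consumer accepts it only if the certificate chains to the manufacturer CA and the signature still matches the data. The CA name, the device name `meter-0001`, the reading and the function names are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Constructed data: the CA name, device name and reading are
# made up. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Manufacturer side: a CA, then a per-device key and CA-signed certificate.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=meter-0001" \
    -keyout "$WORK/dev.key" -out "$WORK/dev.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/dev.crt" 2>/dev/null
}

# Device side: sign a reading ($1) with a private key ($2); writes $1.sig.
sign_reading() {
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# Consumer side: $1 = reading, $2 = certificate presented with it.
# Prints one of: trusted, untrusted-device, tampered.
verify_reading() {
  # Device authentication: the certificate must chain to the manufacturer CA.
  if ! openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1; then
    echo "untrusted-device"; return 0
  fi
  # Data integrity: the signature must match the data under that device's key.
  openssl x509 -in "$2" -pubkey -noout > "$WORK/peer.pub"
  if openssl dgst -sha256 -verify "$WORK/peer.pub" -signature "$1.sig" "$1" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "tampered"
  fi
}

setup_pki
printf '{"device":"meter-0001","kwh":12.7}\n' > "$WORK/reading.json"
sign_reading "$WORK/reading.json" "$WORK/dev.key"
echo "as sent: $(verify_reading "$WORK/reading.json" "$WORK/dev.crt")"
# Simulate a change made on an untrusted hop between device and consumer.
sed 's/12.7/1.27/' "$WORK/reading.json" > "$WORK/altered.json"
cp "$WORK/reading.json.sig" "$WORK/altered.json.sig"
echo "altered: $(verify_reading "$WORK/altered.json" "$WORK/dev.crt")"
```

A production verifier would also check certificate revocation and that the certificate subject matches the device the reading claims to come from.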
IoT device manufacturers, their customers, and other ecosystem partners are well-advised to add NISTIR 8259A compliance to their product roadmaps. Intertrust PKI and Intertrust Platform are useful tools to do so.
Julian Durand, CISO, Vice-President Product Management, Intertrust
Author – Bio
Julian Durand is an accomplished product owner, team leader, and creative inventor with more than 25 years of success in bringing breakthrough products to market at a massive scale. He is a named inventor in Digital Rights Management (DRM), Internet of Things (IoT), and virtual SIM technologies. He was the technical lead for the first music phone and pioneered vSIM and IoT businesses at Qualcomm. Julian has also productized SaaS and PaaS offerings in construction telematics, real-time child tracking, and cyber risk data analytics and is currently a CISSP (Certified Information System Security Professional). He can cover topics ranging from IoT security for clean energy, IoT tracking with sensors, and how to ensure data can be trusted in OT IoT applications, to name a few. He also has worked with the UN Refugee Agency, giving him a unique understanding of the human need and costs associated with cybersecurity.