The number of IoT devices in the field continues to increase, and many of them are becoming important parts of our critical infrastructure, such as electrical grids. But as we’ve seen time and time again, botnets and other cyberattacks are also on the rise and pose a very real threat to IoT devices and the services that depend on them. The good news is that the US government’s National Institute of Standards and Technology (NIST) has developed an IoT cybersecurity standard called NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline, and it plays an important role in helping to keep IoT devices and services secure. As companies look to meet NISTIR 8259A, implementing device authentication and data integrity are critical steps for compliance and, of course, for securing the IoT.
There are many threats to IoT devices, but the one I’m focusing on is botnets. Botnets are networks of devices that have been hacked by a bad actor, who can then use them for malicious purposes such as denial-of-service attacks. When botnets first reared their ugly heads, they mainly consisted of desktop PCs, as these were a common device to target. Now, cybercriminals typically target video cameras, set-top boxes and anything with inadequate security that can be quickly hijacked. These worrisome botnets are also on the rise. A Fortinet report showed that botnets found in organizations had increased from 35.1% in January 2021 to 51.4% in June 2021.
While many types of botnet malware are actively operating in the field, an interesting one is Mirai. One of the first serious botnets targeting IoT devices, Mirai isn’t sophisticated, but it’s been around for a long time. Basically, Mirai works like this. First, an attacker uses a server to scan for devices with known vulnerabilities that he can exploit. The attacker then exploits these vulnerabilities to place the Mirai malware on the devices he finds and controls them from a command and control server. From this server, he can launch attacks from the infected devices at will. Exploitable vulnerabilities range from software with known vulnerabilities that has not been updated to devices whose operators are still using the default security credentials they were shipped with. Unfortunately, these default credentials are no secret. They are well known among bad actors and are sold cheaply on the Dark Web.
Botnets and other hacks have risen to the point where they are no longer a nuisance, but are major threats to our economy and livelihood. This was unfortunately directly demonstrated by two attacks in the 2010s, the “BlackEnergy” attack on the Ukrainian power grid in 2015 and the “NotPetya” attacks in 2017. While cyberattacks on IoT devices promise to continue and become even more sophisticated, there is some good news. Many of these attacks can be avoided simply by following some basic and well-established security practices. Some important ones include ensuring that each IoT device is properly identified using secure identification techniques common in the industry, and that the software on the device can only be updated by properly authorized devices.
The US government is acting to secure the IoT
With the number of threats to IoT devices increasing along with the potential serious consequences of these attacks, the US government recognized the need to establish policy responses to these threats. One of the first concrete steps was the publication of a presidential executive order in May 2017. It was then followed by the US Congress passing the Internet of Things Cybersecurity Improvement Act of 2020. One of the results of this activity is NIST’s publication and promotion of the NISTIR 8259A standard mentioned above.
Why does this standard from an admittedly obscure government agency matter? Well, the US government is required to only purchase devices that comply with NISTIR 8259A, and the US government is a very large customer for many companies. Given the size of the US government and its market power, previous NIST security standards have been widely adopted by industry, and there is no reason to believe that NISTIR 8259A will be any different. Therefore, it has the potential to be a real game changer, and one the industry should pay close attention to.
As shown in the graphic below, NISTIR 8259A requires the implementation of a number of security measures to protect IoT devices. Some of the solutions to these are already well known and adopted by the technology industry, and others are starting to climb the adoption curve.
Two important technical measures stated in the NIST baseline should be noted. One is the need for secure device authentication. Devices can be “spoofed”, and device authentication is an effective way to stop spoofing. Device identification using PKI-based certificates, such as those offered by Intertrust PKI, is an industry-standard and market-tested method of device authentication. These certificates are also a foundational security technology upon which other measures such as secure boot and secure software updates are built. We should think beyond the simplest scenarios. To further increase security, companies should explore the use of extended or rich identities that can authenticate any number of a device’s functions.
Another is secure data integrity. A wide range of critical actions can be taken based on data coming from IoT devices. Therefore, the data stored by the device as well as the data transmitted by the device must be secured and trusted. Device authentication is required for data authentication measures such as data encryption. Device authentication is also needed to add additional capabilities to preserve data integrity, as data may travel over untrusted networks and devices on its way to the end consumer.
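The two measures above fit together as follows. This is an added example, not code from the article or from any Intertrust product: a fleet CA issues a device certificate, the device signs a reading, and the receiver accepts the reading only if the certificate chains to the trusted CA and the signature matches. The device name, CA name, payload and the choice of Ed25519 keys are assumptions made for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newIdentity makes a key pair and certificate; a nil issuer yields a self-signed root CA.
func newIdentity(cn string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if issuer == nil {
		t.IsCA, t.BasicConstraintsValid, issuer, issuerKey = true, true, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyReading authenticates the device certificate first, then checks the payload signature.
func verifyReading(roots *x509.CertPool, dev *x509.Certificate, payload, sig []byte) error {
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("device not authenticated: %w", err)
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, payload, sig) {
		return fmt.Errorf("payload integrity check failed for %s", dev.Subject.CommonName)
	}
	return nil
}
// demo checks a genuine, a tampered and a spoofed reading; every value here is constructed.
func demo() (genuine, tampered, spoofed error) {
	ca, caKey := newIdentity("Example Fleet CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dev, devKey := newIdentity("meter-0001", ca, caKey)
	fake, fakeKey := newIdentity("meter-0001", nil, nil) // same name, self-issued certificate
	payload := []byte(`{"device":"meter-0001","kwh":42.7}`)
	sig := ed25519.Sign(devKey, payload)
	return verifyReading(roots, dev, payload, sig),
		verifyReading(roots, dev, []byte(`{"device":"meter-0001","kwh":0.1}`), sig),
		verifyReading(roots, fake, payload, ed25519.Sign(fakeKey, payload))
}
func main() { fmt.Println(demo()) }
```

The spoofed reading carries a valid signature from its own key, so it is rejected only because its certificate does not chain to the trusted CA, which is why the integrity check depends on device authentication.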
IoT device manufacturers, their customers and other ecosystem partners are advised to add NISTIR 8259A compliance to their product roadmaps. Intertrust PKI and Intertrust Platform are useful tools for doing so.
Julian Durand, CISO, Vice President Product Management, Intertrust
Author – Bio
Julian Durand is an accomplished product owner, team leader and creative inventor with more than 25 years of success bringing breakthrough products to market at massive scale. He is a named inventor in Digital Rights Management (DRM), Internet of Things (IoT) and Virtual SIM technologies. He was the technical lead for the first music phone and pioneered the vSIM and IoT businesses at Qualcomm. Julian has also produced SaaS and PaaS offerings in building telematics, real-time child tracking and cyber risk data analytics and is currently a Certified Information System Security Professional (CISSP). He can cover topics ranging from IoT security for clean energy, IoT tracking with sensors, and how to ensure data can be trusted in OT IoT applications, to name a few. He has also worked with the United Nations Refugee Agency, which has given him a unique understanding of the human needs and costs associated with cyber security.