image alt tag

NIST releases first draft of IoT security guide for manufacturers

By Max Burkhalter
April 26, 2019

In late April, the National Institute of Standards and Technology released the preliminary draft of its "Securing Small-Business and Home IoT Devices" guide, providing manufacturers with clear recommendations for safeguarding internet of things technologies. This release is part of NIST's broader campaign to improve the default cybersecurity features of IoT devices sold in the U.S., as there are currently no federal standards in place to hold manufacturers accountable for releasing products with known vulnerabilities. With an estimated 20.4 billion connected IoT devices projected to be in use by 2020, according to Gartner, government officials are looking to establish best practices that will mitigate the rising prevalence of network-based attacks and protect consumers from identity theft.

Cybersecurity for homes and small businesses
The focus of NIST's new document is to provide device manufacturers with greater insight into the specific IoT security concerns that threaten consumers and small businesses. The document points out that most full-featured devices — computers, laptops, mobile phones, etc. — possess comprehensive security software to protect users from a range of common threats, from malware to cryptojacking. However, modern IoT-enabled devices are typically designed with less functionality, as they are meant to be inexpensive and limited in their use cases. For example, voice assistants like Google Home and Amazon Echo have a narrow range of capabilities compared to personal computers and mobile devices, yet they collect just as much sensitive information that hackers hope to exploit.

One of the biggest concerns is that IoT devices can be easily hijacked by malicious actors to launch denial-of-service attacks on institutional targets. In 2018, Square Enix and Ubisoft were hit with a series of large-scale DDoS attempts that caused major connectivity issues for their users, SC Magazine reported. Hostile users leveraged a massive botnet of infected IoT devices to flood the gaming companies' servers with more traffic than they could handle, leading to prolonged network interruptions and significant downtime. This type of cybersecurity threat has grown increasingly common, in part due to the unpatched and easily discovered software flaws in many popular IoT devices. But how does the NIST propose to mitigate DDoS attacks?

Web of connected devices hovering over a tablet.IoT devices transmit massive volumes of sensitive data, making comprehensive security a must-have feature.

NIST's manufacturer usage description
NIST's newly drafted guide explores the value of a manufacturer usage description architecture, which would limit the behavior of IoT devices and prevent exploitation from external sources. This is achieved by providing manufacturers with a standardized method to identify each device's type and the network communications it requires to perform its intended function. Once the MUD is deployed, a home or business network would be able to automatically permit or prohibit devices from sending and receiving traffic based on their specified type. This could stop malicious actors from absorbing consumer IoT technologies into their botnet, as the devices would be unable to transmit to unauthorized destinations. Additionally, NIST argues that MUD protocols would benefit almost every user segment, including:

  • Communications service providers: DDoS attacks can cause significant network degradation that may impact the quality and consistency of a service provider's consumer and small business solutions.
  • Users of IoT devices: End users can see a marked drop in performance and efficiency if their devices are hijacked and may incur extra utility costs as a result of increased activity.
  • Small businesses: Consumer-facing organizations depend on stable internet access and reliable computer systems to address customer concerns and process sales, making them a lucrative target for hackers and cryptominers.
  • IoT device manufacturers: Companies that sell connected devices can experience significant reputational damage if their products are regularly used in high-profile DDoS attacks, eroding customer confidence and stunting their growth potential.

NIST will be accepting public comments for its draft guidance document until June 24, but it will likely be several months before they release a final version. While the agency's recommendations are not legally binding, they do suggest that government officials are considering wider reforms in the IoT space.

Perle offers scalable, high-performance networking tools that can help small businesses and enterprises protect their core systems and keep up with the pace of IoT innovation. Read our customer stories to learn how we've helped other organizations take full advantage of IoT solutions.


Have a Question? Chat with a live Product Specialist!

Have a Question?

We can provide more information about our products or arrange for a price quotation.

email-icon Send an Email
contactus-icon Send an Email callus-icon Call Us

Send us an Email