Introduction

Non-technical supporting capabilities include the actions manufacturers or their supporting entities take in support of the initial and ongoing security of IoT devices. Such actions make it easier for customers to understand and identify how IoT devices are built to meet their cybersecurity needs, as well as the manufacturers' goals for how the IoT device should be securely used. The non-technical cybersecurity capabilities described here can support customers' cybersecurity-related efforts. By making customers more knowledgeable about how to secure their IoT devices, and how to use each device's cybersecurity capabilities most effectively, manufacturers can help reduce the number and severity of IoT device compromises, thwart attacks against the devices, and reduce the number of vulnerabilities that are exploited and lead to compromised devices.

The purpose of this catalog is to help IoT device manufacturers and their supporting entities (contractors, supply chain vendors, etc.) identify non-technical IoT cybersecurity supporting capability actions they can use to better support their customers' cybersecurity needs and goals for understanding, identifying, and managing the cybersecurity and privacy risks associated with the use of the manufacturer's IoT device. Such actions can include communications, documentation, training, and other activities throughout the full lifecycle of an individual IoT device.

This catalog provides a wide range of non-technical cybersecurity actions that can be used to support a manufacturer's goals and intended uses for each IoT device, and to meet the expectations and needs of IoT device customers, helping them to use the device in a way that supports their risk management requirements. Because this is a catalog of actions, a manufacturer is not expected to use all the actions within it.

Manufacturers, and their supporting entities, can determine which of the non-technical actions are applicable to each IoT device. This can be accomplished by taking into consideration:

1) the goal of the IoT device;
2) the technical capabilities of the IoT device;
3) the expectations for the intended uses of the IoT device;
4) the types of uses for the IoT device that are not intended;
5) the IoT device customer's purpose for using the IoT device;
6) the expected context within which the IoT device is meant to be used;
7) the data that is generated, derived, collected, stored, disseminated, and otherwise used;
8) the expected security actions that the IoT device customer will be responsible for performing;
9) the actions the manufacturer will commit to performing; and
10) the associated risks that the IoT device brings into the system where it will be used by each IoT device customer.

Manufacturers can then provide the most useful communications and education to their customers for each associated device. Manufacturers should consider that risks may vary greatly from one IoT customer to the next, so the non-technical communications and actions they take and provide to IoT device customers will be an important aspect of security for each IoT device.

Cybersecurity and privacy risks for an IoT device cannot all be addressed within the IoT device itself. Every IoT device operates within a broader IoT environment where it interacts with other IoT and non-IoT devices, cloud-based services, people, and other components. IoT device customers need to understand the assumptions and expectations under which the manufacturer created the IoT device that they are considering purchasing. Then after purchase, IoT device customers need to be provided with communications, education, and actions that will help them to understand how to securely use and maintain the IoT device. Such understanding will allow the IoT customer to more knowledgeably determine the risks of using the IoT device within their system (risks that the manufacturer may not have even thought about when engineering the device) and establish the associated technical abilities and non-technical actions.

NIST created the NISTIR 8259 series of IoT cybersecurity guidance documents, and the associated SP 800-213 document, to meet the needs of federal agencies, and to provide manufacturers creating IoT devices with guidance and information describing the cybersecurity requirements that need to be established and maintained for IoT devices used within federal agencies.

For assistance in determining risks created by IoT devices, manufacturers and their supporting entities can use the following NIST resources. These are also some of the documents which federal agencies use for determining risks within their systems and can inform manufacturers' actions for identifying the general kinds of risks the IoT device customers consider:

The IoT Cybersecurity Manufacturer Non-Technical Supporting Capabilities catalog is structured as follows:

A. Documentation from the Manufacturer

  1. Document assumptions made during the development process and other expectations related to the IoT device.
  2. Document the cybersecurity capabilities, such as those detailed within NISTIR 8259A and within the full IoT cybersecurity technical catalog, that are implemented within the IoT device, and how to configure and use them.
  3. Document design and support considerations related to the IoT device.
  4. Document maintenance requirements for the IoT device.

B. Manufacturer Information and Query Reception

  1. The ability for the manufacturer and/or supporting entity to receive maintenance and vulnerability information (e.g., bug reporting capabilities, bug bounty programs) from their customers and other types of entities.
  2. The ability for the manufacturer and/or supporting entity to respond to customer and third-party queries about cybersecurity of the IoT device (e.g., customer support).

C. Information Dissemination – From the Manufacturer and/or Supporting Entity

  1. The procedures to support the ability for the manufacturer and/or supporting entity to alert customers of the IoT device about cybersecurity relevant information.
  2. The procedures to support the ability for the manufacturer and/or supporting entity to notify customers of cybersecurity related events and information related to an IoT device throughout the support lifecycle.

D. Education and Awareness from Manufacturers/Supporting Entities

  1. Educate customers of the IoT device about the presence and use of device cybersecurity capabilities.
  2. Educate customers about how an IoT device can be securely reprovisioned or disposed of.
  3. Make customers aware of their cybersecurity responsibilities related to the IoT device and how responsibilities may be shared between them and others, such as the IoT device manufacturer.
  4. Provide training to IoT customers that explains the manufacturer's key assumptions and expectations related to the cybersecurity of the IoT device.
  5. Provide training on how to back up the data collected from or derived by the IoT device, and how to access such data when it is stored in cloud storage or other repositories.
  6. Educate customers about vulnerability management options for the IoT device or associated system available to be used by customers.