How to Approach the Risks of IoT Technology

For the past two decades the manufacturing world has been hearing about Internet of Things (IoT) devices. These devices are designed to not just collect operations data as their predecessors did, but also connect and communicate with a broader array of networked devices to help provide a holistic—or at least near holistic—view of plant operations.

Beyond this high-level explanation of an IoT device, to truly understand these devices and the potential cybersecurity risks they present, it’s important to understand their core make-up. As described by Jeff Marron, an IT specialist at the National Institute of Standards (NIST), an IoT device has at least one transducer for interacting with the physical world (e.g., a sensor or actuator) and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, etc.). 

In his presentation at the Industry of Things World USA 2024 event, Marron cited five guiding principles from the NIST related to IoT device cybersecurity in manufacturing environments:

• Adopt a risk-based understanding. Users of IoT devices should focus on how IoT characteristics affect system and organizational cybersecurity risk.
• Understand that IoT is really an ecosystem of “things.” Users should realize that no device exists in a vacuum. Therefore, it’s critical to look at your entire ecosystem, not just the IoT endpoints. 
• No one-size-fits-all technology exists. Manufacturers (both end users and producers of IoT devices) should allow for a diversity of approaches and technologies across verticals and use cases. 
• Have an outcome-based approach. Armed with specific, desired outcomes prior to purchase and deployment of IoT devices enables users to better select from among the best options for their environment. 
• Ensure stakeholder engagement. No matter the size of the project, be sure to collaborate with diverse stakeholders across the organization regarding tools, guidance, standards and resources. 

IoT device help

Even with these guiding principles in mind, Marron noted that manufacturers will still need help to ensure secure IoT deployments. To address this, NIST offers multiple sources of information and guidance for manufacturers using—or looking to use—IoT devices.

Among these works is “The Unique Challenges of IoT Cybersecurity (IR8228)". Marron said this walks readers through the process of considering IoT cybersecurity and privacy risks by:

• Defining specific capabilities IoT devices can provide.
• Describing considerations that may affect cybersecurity management and privacy risks of IoT devices. 
• Providing manufacturers with recommendations on how to address specific risk issues with their IoT devices.

Another publication from NIST is the “Foundational Activities for Manufacturers Producing IoT Technologies (IR8259)”. This is designed to inform manufacturers of IoT devices about what they should provide and process they should perform. It can also serve as a helpful guide to manufacturing end users to better understand what capabilities their IoT devices should feature. 

According to NIST, the main capabilities an industrial IoT device should feature are:

• Device identification—the IoT device can be uniquely identified logically and physically.
• Device configuration—the configuration of the IoT device’s software can be changed and such changes can be performed by authorized entities only. 
• Data protection—the IoT device can protect the data it stores and transmits from unauthorized access and modification. 
• Logical access to interfaces—the IoT device can restrict logical access to its local and network interfaces and the protocols and services used by those interfaces to authorized entities only. 
• Software update—the IoT device’s software can be updated by authorized entities only using a secure and configurable mechanism. 
• Cybersecurity state awareness—the IoT device can report on its cybersecurity state and make that information accessible to authorized entities only. 

Marron also noted that NIST’s National Cybersecurity Center of Excellence provides a collaborative hub for industry, government and academia to solve real world cybersecurity problems. He said the NCCOE provides “extensive IoT resources including manufacturing environment cybersecurity, trusted IoT device network layer onboarding and lifecycle management.