Featured Product
This Week in Quality Digest Live
Risk Management Features
Ann Brady
Cyberattacks are costly and disruptive, but an arsenal of standards helps companies stay ahead of the game
Oliver Binz
Better internal information systems help managers tell consumer demand from inflationary pressure
Steven I. Azizi
Take these steps to protect your employees and your company
Oliver Laasch
There’s unlikely to be a point of general stability anytime soon
Gleb Tsipursky
You shouldn’t trust your gut as a decision-maker: Here’s why.

More Features

Risk Management News
An early warning system lets Arctic people know when bears approach
ISO 21434 automotive cybersecurity and implementing design and process FMEAs
Implementing a SIOP process can smooth supply spikes while improving cash flow and increasing profitability
Does your business’ security match up with competitors?
Prior to vote, IAF seeks industry feedback to understand the level of demand from businesses and regulators.
The acquisition targets the rapidly widening gap between quality data creation and leverage
Winter 2022 release of Reliance QMS focuses on usability, mobility, and actionable insights
Designed to offer a comprehensive safety solution for fleet vehicles and workforce personnel
A cybersecurity expert lays out crucial HR practices to amplify attack readiness for modern businesses

More News

Barbara Cuthill

Risk Management

Whether Built or Bought, IoT Device Security Concerns Us All

Considerations for small and medium-size companies venturing into IoT waters

Published: Monday, May 17, 2021 - 12:02

The internet of things (IoT) offers many attractions for small and medium-sized manufacturers (SMMs) that may want to integrate IoT into their facilities and operations, or who seek to enter the IoT market with innovative products. However, when venturing into the IoT waters, it’s helpful to be prepared for the potential cybersecurity pitfalls, whether they are implications for organizational risk management when introducing IoT to the environment, or considerations for product design and support when entering the marketplace as a product vendor.

The NIST Cybersecurity for the Internet of Things program is working to provide the information that SMMs need to navigate these potentially turbulent waters.

IoT and risk management

The spectrum of available IoT products is broad and continually growing. Before you install smart thermostats to keep your employees comfortable, add smart coffee pots to break rooms to keep them caffeinated, or deploy the latest and greatest industrial control system technology in your production environment, it’s important to recognize the potential implications. You may have a robust information security program for your traditional IT, but those tools, processes, and procedures will likely require adaptation when IoT is introduced.

Some of the ways that IoT is different include:
Interacting with the physical world. IoT devices are equipped either with sensors that collect information from their environment, or actuators that cause “real world” objects to move or change. Sensing can generate a lot of potentially sensitive data, so knowing what is collected and where it’s going is important. A compromised actuator could enable an adversary to cause significant disruption; think what could happen if you don’t know who is commanding your smart locks.
Challenging conventional IT management practices. IoT devices are often “black boxes” that both obscure their internal goings-on and can’t be equipped with agents or queried in the same manner as servers, desktops, or firewalls. As a result, common IT management practices can prove ineffective with IoT. These management challenges can multiply quickly if you’re deploying IoT devices “at scale.”
Lacking common cybersecurity and privacy features. IoT devices often lack support for logging and monitoring, support for updating devices to address newly identified vulnerabilities, or cryptographic capabilities needed to protect sensitive information the devices generate or process. It can’t be assumed these devices possess the same cybersecurity capabilities as IT devices on the same network.

SMMs adopting IoT into their environments must be prepared to address these challenges. If entering the IoT market as a vendor, understanding these challenges can be an opportunity to develop a product that provides a better customer experience.

Managing your IoT security risk

When adopting IoT technology in your organization, SMMs should plan to address these challenges with an eye toward three goals:
1. Protecting IoT device security to ensure that the product is fully under the owner’s control, and not being exploited by outside actors to gain access to the SMM’s network or participate in a botnet.
2. Protecting data security so that data generated by IoT devices aren’t exposed or altered while stored on the devices, transferred across the network, or transmitted to a cloud-based service used to provide aspects of the product’s capabilities.
3. Protecting individuals’ privacy, being alert to the possibility of privacy-sensitive information being captured or created by IoT products, and cognizant of where those data might travel.

These goals are articulated in NISTIR 8228—“Considerations for managing internet of things (IoT) cybersecurity and privacy risks,” and can be difficult to achieve with currently available IoT products. For organizations that are applying the NIST Cybersecurity Framework (CSF) or defining their security requirements using NIST SP 800‑53 controls, NISTIR 8228 identifies a range of challenges that IoT devices present to achieving the ends that the CSF and SP 800‑53 intend.

For example, control SI-2—“Flaw remediation” from SP 800–53 can’t be satisfied by IoT devices that lack an ability for secure software or firmware updates. Similarly, many IoT devices can’t be analyzed in a manner needed to satisfy the CSF subcategory DE.CM-8—“Vulnerability scans that are performed.”

Consideration for the three goals identified above should factor into the selection of IoT products as well as how they are managed because the security capabilities of IoT devices contribute to achieving the overall security requirements of the systems into which the devices are integrated.

Improving your IoT products’ security posture

If you are venturing into creating IoT products, awareness of cybersecurity challenges can help guide your approach to the development and support of your product. The three goals described above also apply when developing an IoT product. A thoughtful approach to development with those goals in mind will result in a more manageable, more secure product. This approach involves both the design and development phase for the product as well as the support phase once it’s brought to market, as illustrated in the figure below from NISTIR 8259—“Foundational cybersecurity activities for IoT device manufacturers.”

Addressing customers’ cybersecurity needs and goals will involve technical capabilities in IoT devices and their supporting infrastructure, as well as supporting activities on the part of device manufacturers and affiliated third parties. Specific examples of these can be found in NISTIR 8259A—“IoT device cybersecurity core baseline” (published May 2020), and NISTIR 8259B—“IoT nontechnical supporting capability core baseline” (public draft published December 2020).

Technical cybersecurity capabilities

Device identification

The IoT device can be uniquely identified, logically and physically.

Device configuration

The configuration of the IoT device’s software can be changed, and such changes can be performed by authorized entities only.

Data protection

The IoT device can protect the data it stores and transmits from unauthorized access and modification.

Logical access to interfaces

The IoT device can restrict logical access to its local and network interfaces, and the protocols and services used by those interfaces, to authorized entities only.

Software update

The IoT device’s software can be updated by authorized entities only, using a secure and configurable mechanism.

Cybersecurity state awareness

The IoT device can report on its cybersecurity state and make that information accessible to authorized entities only.

Nontechnical supporting capabilities


The ability for the manufacturer and/or supporting entity to create, gather, and store information relevant to cybersecurity of the IoT device throughout the development of a device and its subsequent life cycle.

Information and query reception

The ability for the manufacturer and/or supporting entity to receive from the customer information and queries related to cybersecurity of the IoT device.

Information dissemination

The ability for the manufacturer and/or supporting entity to broadcast and distribute information related to cybersecurity of the IoT device.

Education and awareness

The ability for the manufacturer and/or supporting entity to create awareness of, and educate customers about, elements such as cybersecurity-related information, considerations, and features of the IoT device.

Planning activities combined with applying the technical and nontechnical baselines will help SMMs develop products that are both more securable and better supported, which will help your customers take advantage of your IoT innovations while limiting the impact to their risk management challenges.

Information that can help

The NIST Cybersecurity for the Internet of Things program has engaged deeply with the community during the last several years and developed a rich collection of guidance around IoT cybersecurity challenges. Whether you are an SMM looking to improve operations with the integration of IoT, or entering the marketplace with new products, there are many resources and publications available to assist your efforts.

NIST’s Cybersecurity for IoT welcomes manufacturer feedback on our current public drafts.

First published April 15, 2021, on NIST’s Manufacturing Innovation Blog.


About The Author

Barbara Cuthill’s picture

Barbara Cuthill

Barbara Cuthill is the deputy program manager for the NIST Cybersecurity for IoT Program.