IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Veridify DOME™ and Complying with US Federal IoT Cybersecurity Law from Derek Atkins, Veridify’s Chief Technology Officer

In December 2020, as the 116th Session neared its end, Congress passed H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020, and the President signed it into law, Public Law 106-207 [Law]. The act’s primary objective is to establish minimum security standards for IoT devices owned or controlled by the Federal Government. It specifically directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines for using such IoT devices within ninety (90) days of enactment of the law. It establishes a framework for continued vigilance in the years ahead.

In short, this law defines an IoT device as any device that has at least one transducer (sensor or actuator) and network interface and is not a smartphone or laptop. The law requires these devices’ manufacturers to comply with the National Institute of Standards and Technology (NIST) IR document 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers [NISTIR-8259].

NISTIR 8259 lists six activities for device manufacturers to perform – four activities prior to a device entering the market and two activities after the device is in the market.

  1. Identify expected customers and users, and define expected use cases.
  2. Research customer cybersecurity needs and goals.
  3. Determine how to address customer needs and goals. (This is where NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline [NISTIR-8259A] comes into play.)
  4. Plan for adequate support of customer needs and goals.
  5. Define approaches for communication to customers.
  6. Decide what to communicate to customers and how to communicate it. This includes device lifetime planning, software updates, device retirement options, etc.

DOME Provides a Scalable Device Security Platform
Although compliance with the NIST framework is some time in the future, Veridify’s DOME™ IoT security platform can help manufacturers, private companies and government entities make significant progress toward meeting this coming requirement. DOME is a zero-touch device ownership management and enrollment solution that provides a simple, cost-effective, and efficient way to deliver device-level security management, in-field software support, and a lifetime blockchain credential for every IoT device.

Customers can leverage the features of DOME to comply with sections of the law more easily. Planning for customer needs and communicating directly with end-users may be nearly impossible for some manufacturers, especially when the device’s user is often several transactions removed. However, manufacturers are still required to comply with the law. DOME specifically addresses communication from the manufacturer to the customer after (ex post) device deployment by establishing proof of ownership at the device level. That is, DOME establishes device-level security. In practice, if the manufacturer sells to a wholesaler, who sells to a distributor, who sells to an installer, who sells to a customer, there may be no direct line of communication from the manufacturer to the end-user. DOME solves this communication problem by enabling new lines of customer resource management between the manufacturer and the ultimate end-user of their products. This connection is not available in current platforms, but DOME makes it available through its device proof-of-ownership process. Moreover, DOME also provides tools for device lifetime planning, software updates, and device retirement, rounding out the post-market activities.

DOME prevents unauthorized communication and device access by encoding ownership credentials in a blockchain and requiring the device to validate the chain of ownership at deployment. This ensures a trusted chain-of-custody and enables DOME to securely connect the manufacturer to the device’s current owner. When the device is ready to be retired, DOME helps comply with the law by providing secure lifetime management through the use of the blockchain credential.
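To illustrate the chain-of-custody check described above, here is an added example (not DOME’s own code or protocol, which the post does not describe): each handover is a link signed by the party giving the device up and bound to the digest of the previous link, and at deployment the device verifies the whole chain starting from the manufacturer key provisioned at production. The link layout, the `Handover`/`VerifyChain` names and the use of Ed25519 are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Transfer is one link in a device's chain of ownership: the party handing the
// device over signs the next owner's key, bound to the previous link's digest.
type Transfer struct {
	Device   string            // identifier of the device being transferred
	Prev     [32]byte          // digest of the previous link (all zero for the first)
	NewOwner ed25519.PublicKey // party receiving the device
	Sig      []byte            // signature by the party giving it up
}

// NewParty generates a key pair for one participant (manufacturer, distributor, ...).
func NewParty() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS RNG does
	return pub, priv
}

// Digest hashes every field of the link except the signature.
func (t Transfer) Digest() [32]byte {
	msg := append(append(t.Prev[:], t.Device...), t.NewOwner...)
	return sha256.Sum256(msg)
}

// Handover lets the current owner (cur) record the transfer of dev to next.
func Handover(dev string, prev [32]byte, cur ed25519.PrivateKey, next ed25519.PublicKey) Transfer {
	t := Transfer{Device: dev, Prev: prev, NewOwner: next}
	d := t.Digest()
	t.Sig = ed25519.Sign(cur, d[:])
	return t
}

// VerifyChain is the check a device runs at deployment: starting from the
// manufacturer key provisioned at production, each link must name this device,
// chain to the previous digest, and be signed by the owner the previous link set.
func VerifyChain(dev string, root ed25519.PublicKey, chain []Transfer) (ed25519.PublicKey, bool) {
	owner, prev := root, [32]byte{}
	for _, t := range chain {
		d := t.Digest()
		if t.Device != dev || t.Prev != prev || !ed25519.Verify(owner, d[:], t.Sig) {
			return nil, false // broken link, wrong device, or signer is not the current owner
		}
		owner, prev = t.NewOwner, d
	}
	return owner, true
}
```

A rejected chain means the device should refuse enrollment rather than fall back to whoever is talking to it; an empty chain leaves the manufacturer as the verified owner.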

It is very likely that full compliance with the U.S. Federal Cybersecurity Law is many months, if not years, away. However, in the interim, device manufacturers will seek innovative product solutions that can address these challenges without adding unnecessary complexity and costs to their processes. Leveraging a device-level security platform like DOME delivers the scalability and security needed to play a significant role in addressing IoT security challenges and complying with NISTIR 8259.

References
[Law] https://www.congress.gov/bill/116th-congress/house-bill/1668/text

[NISTIR-8259] https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf

[NISTIR-8259A] https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf