The US National Institute of Standards and Technology (NIST) released guidance on Internet of Things device cybersecurity for home and small-scale enterprise networks designed to prevent network-based attacks.
By urging to adopt a standards-based approach to network communication and requiring IoT devices to only operate when needed and as their maker intended, the new policy is hoped to prevent data breaches, protect sensitive unclassified information, and more:
“This new policy aims to prevent data leaks and protect privacy of critical unclassified information, personally identifiable information, and operational data,” a press release from the Army CIO said.
The Army mentioned that the rise of IoT devices during the COVID-19 pandemic has heightened the risk of botnets and other network-based threats. Noting the rapid growth of the Internet of Things, NIST researchers said many devices have minimal security measures:
“The rapid growth of IoT devices… is a cause for concern because IoT devices are tempting targets for attackers… Many IoT devices…have minimal security or are unprotected… As a result of the pandemic, we saw a drastic expansion of our digital ecosystem which introduced new cybersecurity risks. So, we’re elevating and expanding our protocols to make telework offices more secure for our current and future digital Army workforce,” said Army CIO Dr. Raj Iyer.
The NIST Cybersecurity Practice Guide details the manufacturer’s usage description (MUD) and related protocols and tools that can help prevent exploitation of an Internet of Things (IoT) device.
“[MUD increases] the device’s resilience to network-based attacks,” NIST wrote. “MUD can automatically permit the device to send and receive only the traffic it requires to perform its intended function.”
The US Army warned about the constant collection and use of audio and video recordings by smart Internet of Things devices which presents risks to the security of classified information in certain workplace settings.
NIST provides four implementations that are based on the MUD that can be used to secure and onboard new devices. These include traffic rules for devices and protecting them from insecure connections. The four recommendations also provide how-to steps and results from the successful implementation of the guidelines.
By preventing unauthorized traffic from and from a device, the guidelines can prevent the exploitation of an Internet of Things device:
“By prohibiting unauthorized traffic to and from a device, the solution outlined in this guide both reduces the opportunity for an IoT device to be compromised by a network-based attack and reduces the ability of compromised devices to participate in network-based attacks such as DDoS campaigns,” the experts added.
In addition, the Army’s new policy includes a requirement that all soldiers and civilians who are approved to telework must remove or turn off all devices in their workspaces; turn off or remove all personal mobile devices, such as smartphones or tablets, in the work area; and disable audio access functions on personal assistant applications and devices.