IoT Cybersecurity: Converging EU and US Approaches

April 19, 2024 (updated April 23, 2024), Insights

What we learnt at the DOSS IoT Day Roundtable 2024, Part I.

By Gaelle Le Gars, asvin GmbH


The joint EU-US CyberSafe Products Action Plan

The Action Plan builds on the EU Cyber Resilience Act framework and on the U.S. Cyber Trust Mark, the U.S. cybersecurity labelling programme.

At the beginning of 2024, the EU and the US agreed on an action plan to align their cybersecurity requirements and to support convergence in their approaches to the practical implementation of their respective, freshly adopted legislation.

The ultimate goal of the EU-US joint CyberSafe Products Action Plan is a seamless transatlantic market for trusted products.

The Action Plan includes steps that DG CONNECT and relevant U.S. regulatory agencies intend to take to contribute to the promotion of compatibility with their respective regulatory and policy initiatives. For the year to come, the signatories committed to developing a shared lexicon and taxonomies in cybersecurity, advancing cooperation in standards development activities, exploring potential alignment between various conformity assessment procedures and fostering joint industry engagement.

Elections on both sides of the Atlantic mean that executive-level decisions are necessarily time-limited, but everyone expects the overall direction of this cooperation to continue regardless of electoral outcomes. Both parties agreed to further the objectives of the action plan within the context of the EU-U.S. cyber dialogue, including agency-level (ENISA – CISA) and industry-level collaborations.

As we learnt from the ENISA speaker at the DOSS event, Eric Vétillard, current efforts at US-EU convergence focus on a pragmatic, bottom-up approach: harmonising the documentation required as evidence for certification. Among other merits, that pragmatic approach is likely to yield results a lot faster than a formal mutual recognition agreement.

NIST on IoT Cybersecurity and the US Cyber Trust Mark

This direction of travel should entice EU IoT sector stakeholders to take an active interest in the recent output of the US National Institute of Standards and Technology (NIST) IoT Cybersecurity Program.

On the 3rd of April 2024, NIST issued a draft version of its Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers for public comment. The comment period is open until the 17th of May.

At the DOSS IoT Day event, we had the benefit of a presentation by Barbara Cuthill from NIST on IoT Cybersecurity and the U.S. Cyber Trust Mark. Barbara presented key elements of the IoT cybersecurity approach developed over several years by the team which produced the Handbook.

Unlike ENISA, NIST is not an executive agency, and its role has no direct equivalent in the EU. It acts as a bridge between executive agencies and industry-led standardisation bodies. For cybersecurity, its work involves developing conceptual frameworks to interpret regulatory requirements, matching them to existing standards, identifying gaps and formulating guidance for the industry.

NIST’s Conceptual Breakthrough

The NIST team authoring the draft handbook was originally tasked with delivering guidance for the cybersecurity of IoT products intended for the consumer market. In the process of developing the framework, the NIST team arrived at a conceptual breakthrough, a simple yet effective way of addressing a particularly challenging aspect of IoT Cybersecurity: determining what’s in scope.

For the full picture, the best course is to read the handbook, which helpfully defines its terms and concludes with extended tables translating concepts into requirements and matching them to globally sourced standards and guidance. One purpose of the comment period is for readers to complete this matching exercise with any reference not yet included.

NIST’s breakthrough relies on a few key concepts:

IoT Products

NIST defines the IoT product as “an IoT device or IoT devices and any additional product components that are necessary to use the IoT device beyond basic operational features.” “This definition built upon NIST’s prior work in IoT Device Cybersecurity Capability Core Baseline, NISTIR 8259A, and IoT Non-Technical Supporting Capability Core Baseline, NISTIR 8259B”.


Indeed, any cybersecurity consumer information or “guarantee” given at the device level alone is insufficient to ensure minimal cybersecurity outcomes in use. As with the CRA, the goal here is to resolve the unfair but pervasive state of affairs where customers – and especially consumers – are left to figure out on their own the cybersecurity and privacy issues involved in the remote and connected parts of their IoT device.

In addition, NIST conceptualises the cybersecurity of IoT products on the basis that these IoT products

  1. are systems in themselves;
  2. form part of broader systems with the other IoT products to which they are connected;
  3. operate in an environment made up of other IoT products to which they can, but do not necessarily, connect.

Each of these has implications for the scope of cybersecurity requirements and applicable standards.

Cybersecurity Outcomes

NIST defines these as: “The cybersecurity expectations for the IoT product based on the customer’s needs and goals, usually in the form of statements of IoT device and product cybersecurity capabilities and non-technical supporting capabilities.”

Including:

Technical Outcome: “A cybersecurity expectation intended to be delivered via functions or features of hardware and/or software.”

Non-Technical Outcome: “A cybersecurity expectation intended to be provided by an action or process by an individual or organization.”

This latter part is the most novel part of the approach, in that it integrates back into the conceptual framework the multiple information flows involved in the extended responsibilities of the product developer (equivalent to the “product manufacturer” in EU law for our present purpose) regarding the product and the cybersecurity outcomes experienced. Incidentally, these extended responsibilities are similar to those introduced by recent EU cybersecurity legislation, in particular the Cyber Resilience Act.

And finally:

Roles

“Roles” is defined as “A set of expected cybersecurity responsibilities associated with a product to be assumed by a single entity. (Derived from “role” definition in NISTIR 6192.)”

NIST’s Approach

In effect, if not explicitly, NIST’s approach combines two viewpoints – what the authors call “cybersecurity perspectives”:

  • On one side, the more familiar manufacturer/engineering viewpoint, which we could call the “systems architecture” viewpoint;
  • On the other, the “cybersecurity outcome” viewpoint, in effect the perspective from the other end of the product experience: that of the customer.

Below is our visual interpretation of how these two viewpoints relate in the NIST approach:

[Figure: diagram relating the “systems architecture” and “cybersecurity outcome” viewpoints; image not reproduced here]

The merit of this approach is to encompass in a single framework both the intrinsic and the contextual aspects of IoT cybersecurity. The handbook, currently available as a draft for comment, includes tables translating non-technical outcomes into more ‘actionable’ sub-outcomes and matching those to standards. The fact that the NIST authors could match all but one of their sub-outcomes to standards suggests that, at a minimum, their approach is coherent with the broadly understood cybersecurity state of the art.

References:

M. Fagan, K. N. Megas, K. Scarfone, and M. Smith, ‘Foundational cybersecurity activities for IoT device manufacturers’, National Institute of Standards and Technology, Gaithersburg, MD, NIST IR 8259, May 2020. doi: 10.6028/NIST.IR.8259.

E. Simmon, ‘Internet of Things (IoT) component capability model for research testbed’, National Institute of Standards and Technology, Gaithersburg, MD, NIST IR 8316, Sep. 2020. doi: 10.6028/NIST.IR.8316.

M. Fagan, J. Marron, K. G. Brady, B. Cuthill, K. N. Megas, and R. Herold, ‘IoT non-technical supporting capability core baseline’, National Institute of Standards and Technology, Gaithersburg, MD, NIST IR 8259B, Aug. 2021. doi: 10.6028/NIST.IR.8259B.

National Institute of Standards and Technology, ‘Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products’, National Institute of Standards and Technology, Gaithersburg, MD, NIST CSWP 24, Feb. 2022. doi: 10.6028/NIST.CSWP.24.

M. Fagan, K. Megas, P. Watrobski, J. Marron, and B. Cuthill, ‘Profile of the IoT Core Baseline for Consumer IoT Products’, National Institute of Standards and Technology, Gaithersburg, MD, NIST IR 8425, Sep. 2022. doi: 10.6028/NIST.IR.8425.

‘Cybersecurity measurement’, NIST, Apr. 2021. Accessed: Apr. 10, 2024. [Online]. Available: https://www.nist.gov/cybersecurity-measurement

‘Identifying Standards and Guidance for a Consumer IoT Product Development Handbook’, NIST, Nov. 30, 2023. Accessed: Apr. 10, 2024. [Online]. Available: https://www.nist.gov/system/files/documents/2023/11/30/FINAL_IoT%20Product%20Requirements%20Discussion%20Essay_20231129.pdf

M. Fagan et al., ‘Product Development Cybersecurity Handbook: Concepts and Considerations for IoT Product Manufacturers’, National Institute of Standards and Technology, Gaithersburg, MD, NIST CSWP 33 ipd, 2024. doi: 10.6028/NIST.CSWP.33.ipd.
