Strengthening IoT Security: NIST Guidance on Configuration Control and Recovery

For many organizations, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a flexible option for implementing security controls. The CSF Core outlines an organization’s desired cybersecurity outcomes. However, rather than providing a checklist of specific actions to perform, it leaves it to internal stakeholders to define the actions that will achieve those outcomes.
The NIST CSF mentions Internet of Things (IoT) devices once, including them under the definition of information and communications technology (ICT) to which all Functions, Categories, and Subcategories apply. For many organizations, this can feel overwhelming, especially as attackers increasingly target IoT devices as an entryway into systems and networks.
Managing IoT device security is difficult enough. Once documentation is added to the process, it can become a time-consuming, unwieldy behemoth. Most companies have hundreds, if not thousands, of these devices connected to their networks. From security cameras to routers, IoT devices are embedded into the fabric of an organization’s business operations.
As attackers work to gain unauthorized access to systems, networks, and data using weaknesses in these devices, implementing and maintaining secure configurations is critical to cybersecurity and compliance with the NIST CSF.
Identify (ID)
The Identify Function focuses on ensuring that your organization understands its current cybersecurity risk. Within this Function, the Asset Management (ID.AM) Category directs organizations to identify and manage assets, and one of its Subcategories relates to implementing secure configurations on IoT devices.
This section contains the following Subcategory:
ID.AM-08: Systems, hardware, software, services, and data are managed throughout their lifecycles
One of the examples of implementations that help achieve this outcome is:
Properly configure and secure systems, hardware, software, and services prior to their deployment in production.
IoT devices pose a unique problem for organizations as they often lack the configuration and customization options that other devices offer. However, at a minimum, organizations can typically implement certain basic configurations that include, but are not limited to:
- Changing default passwords
- Implementing multi-factor authentication (MFA)
- Providing only authorized users with the ability to change configurations
- Using just-in-time access for updating configurations
- Limiting permissions for any products that allow unauthenticated software to run
- Limiting or disabling unnecessary functionalities
Protect (PR)
The Protect Function focuses on safeguards that the organization can use to manage its cybersecurity risks. This Function contains two Categories that are relevant to implementing and maintaining secure IoT device configurations.
Platform Security (PR.PS)
The Platform Security Category directs organizations to manage hardware, services, and software, including firmware, operating systems, and applications. This management should be consistent with the overarching risk strategy.
Under Platform Security, two activities can help organizations achieve this outcome:
- PR.PS-01: Configuration management practices are established and applied
- PR.PS-02: Software is maintained, replaced, and removed commensurate with risk
The NIST CSF provides the following examples of implementations that meet the objectives:
- Establish, test, deploy, and maintain hardened baselines that enforce the organization’s cybersecurity policies and provide only essential capabilities (i.e., principle of least functionality).
- Review all default configuration settings that may potentially impact cybersecurity when installing or upgrading software.
- Monitor implemented software for deviations from approved baselines.
- Uninstall and remove any unnecessary software components (e.g., operating system utilities) that attackers might misuse.
As part of NIST CSF compliance, organizations should consider taking the following actions:
- Documenting secure configuration baselines.
- Identifying default configurations that can undermine security, like default passwords or unnecessarily open ports.
- Limiting devices’ external communications to mitigate connections to known risky IP addresses or geographic regions.
Technology Infrastructure Resilience (PR.IR)
The Technology Infrastructure Resilience Category directs organizations to build and manage security architecture based on their risk strategy to protect assets’ confidentiality, integrity, and availability, and to support organizational resilience.
Under Technology Infrastructure Resilience, the NIST CSF defines the following activity that can help achieve the desired outcome:
PR.IR-01: Networks and environments are protected from unauthorized logical access and usage
The NIST CSF then provides the following example of an implementation that can help meet the objectives:
Check the cyber health of endpoints before allowing them to access and use production resources.
For the purposes of NIST CSF compliance, organizations should consider IoT devices as endpoints. Checking on the cyber health of endpoints should include:
- Documenting approved, secure configurations for different devices and manufacturers.
- Establishing and enforcing change management procedures.
- Testing all configurations prior to deploying the IoT devices on networks.
Detect (DE)
The Detect Function focuses on finding and analyzing possible cybersecurity attacks and compromises. Within this Function, the Continuous Monitoring (DE.CM) Category directs organizations to monitor assets for anomalies, indicators of compromise (IoCs), or other potentially adverse events.
Within the Continuous Monitoring Category, the NIST CSF defines the following activity that can help achieve the desired outcome:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
The NIST CSF then provides the following example of an implementation to help meet the objectives:
Monitor software configurations for deviations from security baselines.
Configuration drift is when devices deviate from their approved, secure states. It can happen for various reasons, including:
- Manufacturers pushing remote updates.
- Technicians opening ports.
- IT teams making undocumented repairs.
Often, organizations fail to detect configuration drift, which allows attackers to exploit these misconfigurations to gain unauthorized access to the organization’s networks or remotely control devices, such as using them as part of a botnet.
To identify IoT device configuration drift as part of NIST CSF compliance, organizations should:
- Take snapshots to document known secure configurations.
- Regularly scan devices to identify any unauthorized configuration changes.
- Classify configurations into risk categories, like high, medium, or low.
- Set alert triggers for any configuration variances to identify when and how a configuration changed.
- Compare current device configurations to their known good states.
- Review configuration changes over time to understand how and when a deviation occurred.
Recover (RC)
The Recover Function focuses on restoring assets and operations affected by a cybersecurity incident. Within this Function, the Incident Recovery Plan Execution (RC.RP) Category directs organizations to perform restoration activities to ensure operational availability of systems and services affected by cybersecurity incidents.
Within this Category, the NIST CSF defines the following activity to help achieve the desired outcome:
RC.RP-04: Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms
The NIST CSF then provides the following example of an implementation to help meet the objectives:
Monitor the performance of restored systems to verify the adequacy of the restoration.
To streamline the recovery process after an incident and comply with the NIST CSF, organizations should:
- Identify the last known secure configuration for the devices before the incident occurred.
- Review the differences between the current state and the last known secure configuration.
- Identify when the deviation occurred and correlate that with the external events leading to it.
- Roll back to the known good configurations to complete the restoration process.
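The drift-detection steps in the Detect section (snapshot, compare, classify by risk, find when the change happened) and the recovery steps just listed (diff against the last known secure configuration, locate the deviation, roll back) can be carried out over the same device snapshot. The following is an added illustration, not Asimily’s code or a NIST artifact; the snapshot fields follow the ports/services/external IP/topology list later in this post, the risk mapping per field is an assumption, and the sample camera data is constructed.

```python
from dataclasses import dataclass
# Risk class per snapshot field (assumed mapping; the post only says to use high/medium/low).
FIELD_RISK = {"ports": "high", "external_ips": "high", "services": "medium", "topology": "low"}

@dataclass
class Snapshot:
    taken_at: str      # ISO-8601 time of the scan
    ports: set         # open ports observed on the device
    services: dict     # service name -> version
    external_ips: set  # external addresses the device communicated with
    topology: str      # network segment the device sits in

def diff_snapshots(baseline, current):
    """One finding per field that differs from the known good state, with its risk class."""
    findings = []
    for fld, risk in FIELD_RISK.items():
        b, c = getattr(baseline, fld), getattr(current, fld)
        if b == c:
            continue
        if isinstance(b, set):
            change = {"added": sorted(c - b), "removed": sorted(b - c)}
        elif isinstance(b, dict):
            change = {k: (b.get(k), c.get(k)) for k in b.keys() | c.keys() if b.get(k) != c.get(k)}
        else:
            change = {"from": b, "to": c}
        findings.append({"field": fld, "risk": risk, "change": change})
    return findings

def first_deviation(baseline, history):
    """Return (timestamp, findings) of the first drifted scan, to correlate with external events."""
    for snap in history:
        findings = diff_snapshots(baseline, snap)
        if findings:
            return snap.taken_at, findings
    return None

def rollback_plan(baseline, current):
    """Concrete actions that return the device to its known good configuration."""
    return {"close_ports": sorted(current.ports - baseline.ports),
            "reopen_ports": sorted(baseline.ports - current.ports),
            "restore_services": {k: v for k, v in baseline.services.items() if current.services.get(k) != v},
            "block_external_ips": sorted(current.external_ips - baseline.external_ips)}

# Constructed sample data: a camera's documented baseline and three weekly scans.
BASELINE = Snapshot("2024-01-01T00:00Z", {443}, {"rtsp": "2.1"}, {"203.0.113.10"}, "vlan-cameras")
HISTORY = [
    Snapshot("2024-01-08T00:00Z", {443}, {"rtsp": "2.1"}, {"203.0.113.10"}, "vlan-cameras"),
    Snapshot("2024-01-15T00:00Z", {443, 23}, {"rtsp": "2.1"}, {"203.0.113.10", "198.51.100.7"}, "vlan-cameras"),
    Snapshot("2024-01-22T00:00Z", {443, 23}, {"rtsp": "2.2"}, {"203.0.113.10", "198.51.100.7"}, "vlan-cameras"),
]
```

Running `first_deviation(BASELINE, HISTORY)` pins the drift to the 15 January scan with two high-risk findings (a newly opened port and a new external peer), and `rollback_plan(BASELINE, HISTORY[-1])` lists the port to close, the service version to restore and the external address to block.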
Asimily Configuration Control: Manage Configuration Drift to Mitigate Compliance Risk
Implementing secure configurations can be challenging for IT teams, especially when working with diverse, complex IoT device deployments. When you work with Asimily, you gain the benefit of our IoT device security platform and our experts who can help you identify secure configurations for the devices in your environment.
To monitor and maintain secure configurations over time, Asimily’s Configuration Control module, part of the Asimily platform, stores a snapshot of each IoT device connected to your network so that you can document its known good state. The snapshot includes complete details about the device and its connectivity, including:
- Ports
- Services
- External IP
- Topology
By storing this information, you have the most complete known good state snapshot so you can implement, monitor, and maintain secure configurations. Furthermore, this documentation facilitates the rollback of any devices that deviate from the approved secure baselines, whether due to normal maintenance or a cyberattack, to their secure state.
Asimily’s Configuration Control module allows you to classify configurations based on risk categories to reduce alert fatigue. Additionally, you can create alert triggers around various parameters to focus on the configuration changes that matter most and avoid unwanted levels of alerting.
Contact us today to learn more about Asimily Configuration Control.