NTIA zeros in on IoT patching
- By Matt Leonard
The National Telecommunications and Information Administration's working groups are close to finishing their guidance on upgrading and patching internet-of-things devices.
The Existing Standards, Tools and Initiatives Working Group is compiling a review of IoT security standards and initiatives but has found few best practices for patching IoT devices. Deral Heiland, co-leader of the group and the research lead at Rapid7, said only a couple of documents went into any detail on patching.
"Most of the literature doesn’t go beyond simply saying, 'You should patch,'" he told GCN after a Sept. 12 meeting on the progress the groups have made.
That’s why he is excited about one of the other working groups' publications.
The Technical Capabilities and Patching Expectations Working Group has been crafting a voluntary framework for the patching process.
Allan Friedman, the director of cybersecurity initiatives at NTIA, presented the progress of this draft publication, saying the goal is to come to a common understanding of what, exactly, it means to have a device that can be updated.
The publication breaks down over-the-air updates into 13 different steps and then details what happens in each one.
“I can’t wait until this is published because I can use this now,” Heiland said. "It’s not a standard, because this isn’t a standards organization, but it's a direction and something to consider."
The draft guidance from the Incentives, Barriers, and Adoption Working Group presents a taxonomy for understanding the incentives and challenges to IoT updatability. It will join the final document from the Communicating Upgradability Working Group in the next few months.
When the final versions of these publications are released, the working group members will move on to new issues surrounding IoT, such as authentication requirements, privacy and acceptable lifespans for these technologies.