This piece was originally published in the September/October 2019 issue of electroindustry.
The Internet of Things (IoT) is growing rapidly. By 2020 there will be nearly 30 billion IoT devices around the world¹. The proliferation of these devices could pose a threat to the internet at large if companies have not taken appropriate cybersecurity measures to protect these devices. NEMA Members that manufacture connected products take their role in strengthening the cybersecurity of the products they manufacture very seriously. They are using industry best practices to secure their supply chains, secure their operations, and secure their products, minimizing cybersecurity threats along the way.
In 2018 NEMA published its first Cyber Hygiene Best Practices document that identifies a set of industry best practices and guidelines for electrical equipment and medical imaging manufacturers to raise their level of cybersecurity sophistication in their manufacturing facilities and engineering processes.
However, addressing cybersecurity risks is a shared responsibility between the manufacturer and their customer. Recognizing this, the association’s second Cyber Hygiene Best Practices document identifies industry best practices and guidelines that electrical equipment and medical imaging manufacturers may consider when providing cybersecurity information to their customers. These practices and guidelines are meant to help customers effectively manage their cybersecurity expectations as they use the equipment within the context of their respective markets (e.g., commercial and residential buildings, industrial equipment, the electrical grid, hospitals, and surface transportation). The document also provides suggestions for how customers can work with their respective manufacturers to improve the customer’s level of cybersecurity through industry best practices and guidelines. The cyber hygiene guidelines described in this document focus on people, processes, and products.
This document addresses raising a customer’s level of cybersecurity by following seven fundamental principles:
- segmenting networks
- understanding data types and flows
- monitoring devices and systems
- user management
- hardening devices
- updating devices
- providing a recovery plan/escalation process
Example Recommendations—User Management
One typical way that IoT devices have been compromised is through default passwords that customers often do not change and frequently aren’t even aware of. Default passwords are typically used to perform initial commissioning of the device because known defaults simplify the process. The document recommends that manufacturers require default passwords be changed before the device becomes capable of communicating operationally. Password complexity requirements vary by industry. Manufacturers are encouraged to prevent the user from using weak passwords.
Typically, a device will have one or more locally stored accounts and/or passwords to perform various functions when central remote user authentication and authorization are not available or enabled. Inevitably, passwords for local authentication will be lost or forgotten. The NEMA document describes the following best practices for the recovery of such a device:
- Whenever possible, centrally authenticate a user as a privileged security administrator of the device. Also, permit the privileged user to reset local account passwords to a new
- When central authentication is not possible, manufacturers should provide some mechanism that is not network based—for example, a reset button or special power-on sequence—to reset a device to its default configuration and/or password, thereby allowing customers to restore access to the device. These reset mechanisms should be documented clearly so that customers understand the operational state of the device prior to, during, and after the reset process.
- The user should be required to change the default password as part of the password reset process in much the same way as is required for initial commissioning of the device.
- When a device is reset, it should communicate the reset operation to a logging service or
- Safe operation of the device should continue while the user is resetting the password.
- The system should delete any sensitive customer information stored in the device after a password reset has
- Manufacturers should provide a means to back up a device’s configuration and settings and enable the restoration of the configuration and settings after a password reset has occurred in order to bring a device back into a fully operational state with minimal downtime.
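The commissioning and reset rules above can be read as a small state machine. The following Python model is an added illustration, not code from NEMA or any manufacturer; the `Device` class, its method names, the `admin` default, the 12-character minimum and the deny-list are all assumptions made for the example.

```python
import hashlib, hmac, os

# Added illustration: every name and value here is hypothetical or constructed.
DEFAULT_PASSWORD = "admin"   # constructed factory default
MIN_LENGTH = 12              # assumed policy; real requirements vary by industry
WEAK = {"password1234", "123456789012", "qwertyuiopas"}  # constructed deny-list

class Device:
    def __init__(self):
        self.audit_log = []                      # stands in for a logging service
        self.config, self.customer_data = {}, {}
        self._factory_state()

    def _store(self, password):
        self._salt = os.urandom(16)
        self._hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password):
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(h, self._hash)

    def _factory_state(self):
        self._store(DEFAULT_PASSWORD)
        self.must_change = True   # blocks operational use until a new password is set

    def change_password(self, old, new):
        if not self._check(old):
            raise PermissionError("bad credentials")
        if len(new) < MIN_LENGTH or new.lower() in WEAK or new == DEFAULT_PASSWORD:
            raise ValueError("password rejected by policy")
        self._store(new)
        self.must_change = False

    def operational_request(self, password):
        if self.must_change:      # commissioning or post-reset state
            raise PermissionError("default password must be changed first")
        if not self._check(password):
            raise PermissionError("bad credentials")
        return "ok"

    def restore(self, saved_config, password):
        self.operational_request(password)   # commissioned, authenticated users only
        self.config = dict(saved_config)

    def physical_reset(self):     # reset button or power-on sequence, never a network call
        self.customer_data.clear()
        self.config.clear()
        self._factory_state()
        self.audit_log.append("factory_reset")
```

The model does not cover the requirement that safe operation continue during a reset, which depends on the device's control function rather than its account handling.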
Combined with the first NEMA Cyber Hygiene document and Supply Chain Best Practices document, this suite of industry guidance documents portrays the important role that NEMA and its Member companies play with respect to mitigating IoT cybersecurity risks. These documents will continue to evolve and adapt in the ever-changing cybersecurity landscape.
1 Statista, “Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions),” November 2016. https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide