The Importance of Transparency – Fueling Trust and Security Through Communication

Image depicting clear bubbles in a row

Credit:
Shutterstock





Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them

The Challenge

There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they may not always communicate critical cybersecurity information about their connected products. Information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions and features that protect connected products, components, and services. Effective communication is the next step towards a more secure connected ecosystem.




Many of our conversations about connected products focus on connectivity in the technical sense (protocols, algorithms, etc.). Promoting trust among participants in the ecosystem and reducing the cybersecurity risks associated with using these products relies on a different type of communication: open dialogue and sharing information. This helps increase knowledge and improve people’s understanding of the cybersecurity of a connected product, and it is a shared responsibility; from hardware and software component suppliers to product developers, system integrators, security researchers and end users… each member of the ecosystem has a role to play. Ideally, ecosystem members should work in alignment to truly mitigate risk—but they all need information to play their part.




Communicating effectively about security also helps mitigate risk and is important to establishing and maintaining trust. For example, a lack of information about a product’s security capabilities may constrain a customer’s ability to take advantage of them. In some cases, a question is simply not asked (and therefore, the lack of capability goes unrealized until it’s potentially too late). The phrase “knowledge is power” applies; knowing what’s available is the first step to maximizing the value of it, and communication is about what each audience needs to know.

To consider next steps, a framework that aligns lexicon and expectations among parties could provide a shared vision of common best practices.




All audiences could benefit from a consistent framework to identify what needs to be communicated, how to organize the information, and the processes that underlie it. Interactions could include developers, manufacturers, service providers, system integrators, security researchers, conformance assessors, regulators, end users, and others (the list can get very long); each audience may merit a different approach. Additionally, in our interconnected world, this communication often has a global dimension, which brings in cultural and legal variations that must be considered.




For all of these reasons, we are exploring the idea of an approach to creating a Cybersecurity Transparency Framework for Connected Products. Our goal would be to describe a structured approach to achieving necessary and appropriate communication of relevant cybersecurity information among participants involved in the creation, consumption, and use of connected products.




Such a framework would be a tool for sharing information and expectations across the supply chain. For example, it could be used to organize information and identify key topics that need to be covered for various communications use cases, such as:

  • Product creators to customers;
  • Creators communicating with regulators, conformance assessment bodies, and other third parties who need to understand a product; and
  • Supply chain participants communicating with creators that use their components.




The scope would encompass structure, format, terminology, process, and content as well as communication means. Creating a framework can help establish a shared lexicon and terminology for communicating about features and means to drive outcomes (reducing risk, driving security outcomes). Related to process, the framework could help each ecosystem participant define interested parties, the purpose of the interaction, the mode of communication, how communications can be supported by technical means, and the options to implement the interaction with considerations for things such as risk, relevancy, and applicability.




The framework approach could also provide a structure for establishing best practices in sharing content, such as the types of information appropriate for communications at different levels of supply chain participants, support, and use in the connected product ecosystem. This would be both broad and high level to facilitate improving the exchange of cybersecurity-related information throughout the product ecosystem (while allowing for customization, as not every connected product and every customer will need to receive the same information in the same way).





NIST SP 800-213A and NIST IR 8259B, which describe non-technical supporting capabilities for IoT devices, provide a potential starting point for these kinds of discussions, as do efforts, both domestic and international, ranging from the global work on consumer IoT cybersecurity labeling schemes to voluntary standards such as ETSI 303 645 and ISO/IEC 27402 (DIS). We look forward to future discussions with stakeholders on this very important topic, which we feel is foundational to enabling a more secure connected product ecosystem.





Questions or Ideas?

If you’d like to weigh in on this concept, please email us at iotsecurity [at] nist.gov. We’d love to hear from you!

 
