Dr Nick Allott, CEO of NquiringMinds, is in Washington DC on 17 April 2025 at NIST's National Cybersecurity Center of Excellence. As part of the Trusted IoT onboarding team, we are running an open day before the publication of SP 1800-36. This is important work. It paves the way to solving the problem we find ourselves in, where every IoT device shares the same network password, leading to security vulnerabilities. It also has an impact on bigger themes such as continuous assurance, policy and supply chain integration. There is an opportunity to feed into the conversation: the NIST Cybersecurity White Paper is open for public comment through May 29, 2025.

The National Institute of Standards and Technology (NIST) is a U.S. federal agency that promotes innovation and industrial competitiveness by advancing measurement science, standards, and technology. Within NIST, the National Cybersecurity Center of Excellence (NCCoE) focuses on addressing pressing cybersecurity challenges through collaborative projects with industry, government, and academia.

One of NCCoE’s significant initiatives is the development of Special Publication (SP) 1800-36, titled “Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management.” This publication aims to tackle the prevalent issue where multiple IoT devices share the same network password, leading to security vulnerabilities. By introducing trusted, scalable, and automated mechanisms for securely provisioning IoT devices with network credentials—a process known as trusted network-layer onboarding—the guide seeks to enhance the security posture of both devices and networks.

To engage stakeholders and gather feedback before finalizing SP 1800-36, the NCCoE hosted an IoT Open House event on April 17, 2025, at their facility in Rockville, Maryland. This in-person workshop provided attendees with insights into the draft publication and the road ahead for trusted IoT onboarding. The event featured discussions on various onboarding methods, including Wi-Fi Easy Connect, Bootstrapping Remote Secure Key Infrastructure (BRSKI), and the Thread protocol. Industry collaborators such as HPE, Aruba, CableLabs, Kudelski IoT, and NquiringMinds presented their implementations and shared experiences.

The implications of SP 1800-36 extend beyond individual device onboarding. By establishing standardized and secure onboarding processes, the publication supports broader cybersecurity objectives, including continuous assurance, policy enforcement, and supply chain integration. Organizations can leverage these guidelines to ensure that IoT devices are securely integrated into their networks, maintain compliance with security policies throughout their lifecycle, and manage devices originating from diverse supply chains with confidence.

The public comment period for the draft of SP 1800-36 was open until July 30, 2024, allowing stakeholders to contribute to the refinement of the guidelines. Engagements like the IoT Open House and the collaborative development process underscore the NCCoE’s commitment to fostering secure and interoperable IoT ecosystems.

The following NIST Cybersecurity White Paper is open for public comment through May 29, 2025.

Trusted IoT Device Network-Layer Onboarding and Lifecycle Management | NCCoE

In conjunction with the IoT Open House event held on April 17, 2025, the National Institute of Standards and Technology (NIST) released a draft Cybersecurity White Paper titled Towards Automating IoT Security. This white paper complements the efforts outlined in Special Publication (SP) 1800-36 by exploring strategies for automating the security of Internet of Things (IoT) devices throughout their lifecycle.

The white paper addresses the challenges associated with the manual configuration and management of IoT devices, which often lead to security vulnerabilities. It emphasizes the importance of automated mechanisms for device onboarding, configuration, and continuous monitoring to maintain a secure posture. By leveraging automation, organizations can ensure that IoT devices are securely integrated into their networks, adhere to security policies, and are resilient against evolving threats.

Furthermore, the paper discusses the integration of automated security measures into existing supply chain processes. This integration is crucial for verifying the integrity and authenticity of IoT devices before deployment, thereby enhancing trust in the devices and the networks they connect to.

The release of this white paper signifies NIST’s commitment to advancing IoT security through practical guidance and collaborative efforts with industry stakeholders. It serves as a valuable resource for organizations seeking to implement automated security solutions for IoT devices.

For a detailed exploration of the concepts and recommendations presented, you can access the full white paper here: Towards Automating IoT Security.

Nick Allott, CEO of NquiringMinds and a contributor to the program, emphasized the importance of continuous security assessment in IoT device onboarding:

“So, what we’ve done is we’ve defined a set of data structures and protocols that allow an IoT device to be assessed for its security posture pre-onboarding. And not only that, it allows that security posture to be continuously assessed and if it falls below a threshold it gets kicked off.”

This approach addresses the challenges associated with manual configuration and management of IoT devices, which often lead to security vulnerabilities. By leveraging automation, organizations can ensure that IoT devices are securely integrated into their networks, adhere to security policies, and are resilient against evolving threats.
