NIST Releases Report on IoT Security
Internet-enabled technologies are becoming the new norm. Printers, phones, scanners--even coffee makers--are now a part of the Internet of Things (IoT). By some accounts, more than 20 billion IoT devices will be connected to networks across the world by 2020.
This network of technologies has revolutionized how devices work--while also introducing some pretty serious cybersecurity and privacy risks. According to the National Institute of Standards in Technology (NIST), IoT devices have different cybersecurity and privacy capabilities than typical information technology (IT). They can’t be monitored the same as IT because they lack management features and user interfaces. And, even more critically, they can’t support the same security features, like authentication, system logs, or strong encryption.
In June 2019, (NIST) released a report to address these security issues. “Considerations for Managing IoT Cybersecurity and Privacy Risks” offers government agencies and private companies alike a path forward to better protect their IoT devices. It is a publication from NIST’s Cybersecurity for the Internet of Things (IoT) program, which supports the development and application of standards, guidelines and tools that improve connected devices’ cybersecurity.
3 Risk Mitigation Goals
NIST posits three high level goals to reduce IoT cybersecurity and privacy risks:
Protect device security. Prevent a device from being used to conduct attacks.
Protect data security. Protect the confidentiality, integrity, and/or availability of data.
Protect individuals’ privacy, throughout the device lifecycle.
These three points offer a framework organizations can use to help structure their IoT security standards.
“The report is mainly for any organization that is thinking about security on the level of the NIST Cybersecurity Framework,” said Mike Fagan, a NIST computer scientist and one of the authors of the report. “It’s targeted at the mode of thinking that an organization would have.”
3 Key Recommendations
“Considerations...Risks” also presents three recommendations for addressing these risks and challenges:
Understand the IoT device risk considerations and the challenges they may cause.
Adjust organizational policies and processes to address the cybersecurity and privacy risk mitigation challenges, throughout the IoT device lifecycle.
Implement updated mitigation practices.
These recommendations offer an effective way organizations can fulfill the posed IoT goals.
Agencies and businesses should also "consider the tradeoffs among these risks when making decisions about cybersecurity and privacy risk mitigation," NIST says. "Managing cybersecurity and privacy risks for some IoT devices may affect other types of risks and introduce new risks to safety, reliability, resiliency, performance, and other areas."
What’s Next?
This report is the first of a planned series of documents from NIST to help IoT users protect themselves. Next up: a core baseline document, identifying fundamental cybersecurity capabilities that IoT devices can include. It is intended for all IoT devices, including those for individual users and home networks.
“We plan to release a draft of the baseline document for public comment in July [2019], says Fagan. “We’d like to help all IoT users be aware of the risks to their security and privacy and help them approach those risks with open eyes.”
Following its release, NIST will hold a workshop to collect feedback. The workshop is currently scheduled for August 13 and is open for public registration through August 6.
Fagan notes that the overarching goal of NIST’s efforts is to foster a general understanding. “Considerations for Managing IoT Cybersecurity and Privacy Risks” and subsequent IoT reports aim to increase organizations’ abilities to recognize IoT risks.
“IoT is still an emerging field [and] some challenges may vanish as the technology becomes more powerful,” Fagan said. “For now, our goal is awareness.”
Interested in learning more about innovation trends in the federal government? Visit us at www.corneralliance.com and sign up for Innovation Dive, Corner Alliance’s monthly newsletter on the latest government innovation trends, news and perspectives.