The National Institute of Standards and Technology today released a new draft publication that takes a deep dive into the issue of trust: how can we trust that the products creeping into every aspect of our day-to-day lives are secure, safe, respect user privacy, and are ultimately tools we can depend on?
These products are Internet of Things (IoT) devices–everything from smart home devices to industrial grade sensors with internet connectivity. The publication, “NISTIR 8222 Internet of Things (IoT) Trust Concerns,” suggests there may be far more considerations than manufacturers initially realized before releasing potentially billions of new internet-connected devices into the marketplace.
“As with any new, unproven technology, questions about trustworthiness arise. Those questions often boil down to this: are the benefits worth the risks, i.e., are there more positive reasons to adopt a new technology than to avoid it? If answered with ‘yes’, a secondary question is: how can you minimize the risks to make the technology more acceptable and therefore ‘suitable for use’ by a wider audience?” NIST said.
The draft publication outlines 17 trust-related issues “that may negatively impact the adoption of IoT products and services,” spanning scalability, predictability, difficulty of measurement and a lack of certification criteria, all the way down to usability, performance, and reliability.
The question NIST is seeking to answer with the guidance is this: “Will an IoT product or service provide the desired operations with an acceptable level of quality?”
Drawing from another NIST publication, NIST SP 800-183 Networks of ‘Things’, the new document is not primarily concerned with risk and mitigation, NIST said, but with the ability of IoT products to achieve their intended outcomes, and with the limiting factors that those who manufacture, own and operate them must reconcile to achieve those outcomes.
SP 800-183 outlined six elements that bear on trust in an IoT system; the new publication addresses the concerns that could give adopters pause.
“Most new technologies are created to benefit humanity, however those technologies in the wrong hands can enable new and unforeseen nefarious actions,” NIST said. It also called to mind the concerns of anyone who’s tasked Alexa with making their home lives a bit easier.
“If you cannot see a technology, how do you know what else it might be doing? For example, with voice response technology such as a smart speaker, when you talk to the device, do you know if it is the only system listening, and do you know if the sounds that it hears are stored somewhere for eternity and linked to you?” NIST said.
The new guidance acknowledges that the list of 17 concerns is “necessarily incomplete given this rapidly changing industry,” and NIST hasn’t stamped the publication as final just yet. The agency is seeking comment until Nov. 5 to build on the new guidance.
Across government, it’s an issue that’s inspired lawmakers, Federal agencies and the administration to stump for change.
President Trump commissioned a report on the impact of botnets (networks of compromised devices used to launch automated, distributed attacks) in May 2017, and the Departments of Commerce and Homeland Security delivered that report this May. The agencies flagged IoT as a growing contributor to the problem.
Since IoT devices often lack robust, baked-in security, they are more easily co-opted for nefarious purposes, such as distributed attacks. The report from the Commerce and Homeland Security Departments called for baseline IoT security standards in commercial and government environments to mitigate the impact.
In the Senate, a bill, the Internet of Things Cybersecurity Improvement Act, would require similar minimum security standards for any IoT devices purchased by Federal agencies. The bill’s sponsor, Sen. Mark Warner, D-Va., recently flagged the botnet report to the President as further evidence of the need for IoT standards.
Legislation in the House has also proposed an in-depth study of the IoT marketplace to determine which Federal bodies would govern IoT regulation and standardization. That bill, the State of Modern Application, Research, and Trends of IoT (SMART IoT) Act, made it through committee, but has thus far failed to advance to the House floor for a vote. The bill also lacks companion legislation in the Senate.
Thus, as it stands, security baselines in IoT devices have no legal mandate, highlighting further the trust considerations NIST is attempting to make clear to IoT adopters.
NIST said that many of the trust concerns “have no current resolution,” but that “when possible, this publication outlines recommendations for how to mitigate or reduce the effects of these IoT concerns.” An appendix in the publication also suggests that “one central organization” to govern the use and development of IoT systems “could have significant positive impact on the security and safety of IoT systems and consumers’ lives.”