The National Institute of Standards and Technology on Tuesday released new draft guidance that aims to address both the cybersecurity and privacy risks stemming from the use of Internet of Things (IoT) devices.
NIST is aiming to provide clarity on an expanding area of concern in the Federal government. Lawmakers and the administration alike have expressed strong concerns about a lack of device security among a wide range of IoT use cases.
As the number of internet-connected devices and sensors expands, the potential threat to networks has increased–through an expansion of the attack surface and proliferation of devices that often lack robust security controls.
NIST recently authored a publication on IoT trust concerns, which sought to address factors that would lead to IoT devices not performing in their intended manner. Tuesday’s publication, “Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks,” focuses primarily on how organizations can understand the risk to their IT environment, including “accepting, avoiding, mitigating, sharing, or transferring risk.”
The draft “identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices.” Those are:
- Many IoT devices interact with the physical world in a way conventional IT devices usually do not;
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
NIST also identified three broad risk mitigation goals for the devices: protecting device security; protecting data security; and protecting individuals’ privacy.
While the full document provides significantly more granular detail on achieving those goals, NIST offered three broad recommendations on how to do so, indicating that the overarching imperative for organizations is to “understand risk considerations and mitigation challenges,” then “adjust organizational policies and processes” to address those challenges, and finally “implement updated mitigation practices for the organization’s IoT devices.”
With regard to building in “pre-market” capabilities and cybersecurity baselines into IoT devices–which has been strongly suggested by lawmakers, Federal agencies, and the administration–NIST’s publication seems attuned to the difficulty in achieving that goal.
The premise here–that IoT devices should have robust security built in by their manufacturers–is frankly not the reality, as internet-connected devices are being brought to market cheaply and without strong security controls.
Sen. Mark Warner, D-Va., said in May that a technology market failure “to reward security over cost or convenience has led to devastating DDoS [distributed denial of service] attacks.” Warner has proposed legislation that would require “minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.”
NIST noted the difficulty in getting to that well-intentioned goal, saying, “Although these efforts are important and helpful, organizations are already using many IoT devices without these capabilities, and it will take time for manufacturers to improve pre-market capabilities for future devices, if that can be done without making them too costly.”
Knowing the clear and present risks IoT devices pose to both security and personally identifiable information, NIST’s guidance could be a strong step toward better protecting IT environments and user data–even with the understanding that the technology is inherently flawed. The agency is accepting public comment on the draft of NISTIR 8228 until Oct. 24.