The National Institute of Standards and Technology (NIST) released an interagency report offering guidance to Federal agencies on managing Internet of Things (IoT) cybersecurity and privacy risks.
The published guide is an effort by NIST to help Federal agencies and other organizations avoid risks with IoT devices throughout the devices' lifecycles, because many organizations are not fully aware of how many IoT devices they are using.
“Many organizations are not necessarily aware they are using a large number of IoT devices,” the guide states. “It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do.”
The guide focuses on three high-level considerations for cybersecurity and privacy management in IoT devices:
- “Many IoT devices interact with the physical world in ways conventional IT devices usually do not;
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.”
The risk mitigation goals NIST identified for IoT devices are to protect device and data security and to protect individuals’ privacy.
“Once organizations are aware of their existing IoT usage and possible future usage, they need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response—accepting, avoiding, mitigating, sharing, or transferring risk,” the guide says.