The proliferation of the Internet of Things (IoT) is soon to be accelerated with the arrival of 5G, which promises a world of smart devices that can improve everything from public transportation and driverless cars to remote medical care. But it also raises the profile of IoT as a prime target for hackers. All those smart devices provide a massive footprint that could be used to attack and access networks, making securing IoT a top priority.
The National Institute of Standards and Technology (NIST), which last September issued a draft report to help guide Federal agencies in managing IoT risks, now says it has identified a critical gap regarding baseline IoT security. NIST is looking for input on how to shore up the foundations for managing that risk and protecting privacy when practically every device that uses power will soon be connected to the Internet.
The NIST Cybersecurity for IoT Program has issued a discussion draft and is asking stakeholders to help identify the core cybersecurity capabilities that would serve as a baseline for devices connected to the IoT, according to a NIST announcement. A particular focus is on baked-in security. “NIST welcomes feedback from all stakeholders on preliminary ideas for developing baselines that can be used by IoT device manufacturers and other interested parties to determine baseline pre-market cybersecurity capabilities for devices,” NIST said.
Stakeholder feedback has been a part of NIST’s process all along, and in fact is how it identified the baseline gap in the first place. The draft report in September grew out of workshops and feedback, and was issued, like other NIST reports, with a call for public comment. The feedback on that report revealed the gap in guidance for IoT baseline security, NIST said, specifically concerning cybersecurity capabilities that could be built into devices before they hit the market, rather than leaving them to be added in later.
NIST also cites a May 2018 report–which has a long title but is known as the Botnet Report–by the departments of Commerce and Homeland Security, which recommends a number of actions for strengthening the cyber ecosystem against botnets. The recommendations include NIST developing a core set of capabilities, including those for the IoT.
The IoT–which can include driverless vehicles and power system controls, airborne drones and bridge sensors, Alexa-type personal assistants and medical monitors, not to mention a plethora of home appliances for people who want to talk to their washing machines–is spreading faster than security controls can account for, both in the public and private sectors.
A recent survey by Gemalto, for instance, found that, while IoT use is widespread and growing in the commercial sector, 48 percent of companies are unable to even detect if their IoT devices have suffered a breach. Meanwhile, 90 percent of respondents to Gemalto’s survey said they believe IoT security is important to consumers, and 97 percent said a strong approach to security would be an important competitive edge. Also, 79 percent of respondents said government needs to provide more robust guidelines on IoT security, which is what NIST is trying to do.
For government, IoT security is at least as important. DHS’ alert last year that Russia was targeting the U.S. power grid and other parts of the infrastructure, where IoT devices are common, is one example of where IoT vulnerabilities could be consequential. A trend toward cyber attacks on medical IoT devices is another.
IoT security doesn’t have a one-size-fits-all approach–navigational controls for a drone need better protection than a smart light bulb. But NIST is looking for baselines that can be applied to almost all IoT devices. Baselines could, for instance, involve how a device is identified, whether it allows updates to software and firmware, a device’s configurability, whether local and remote access can be controlled, and whether its data can be encrypted, according to the discussion draft.