NIST Targets Cybersecurity and Privacy for the Internet of Things

The National Institute of Standards and Technology (NIST) has released a new draft guidance document aimed at helping federal agencies understand the added cybersecurity and privacy challenges of the Internet of Things (IoT). The draft was released for public comments on September 24 and will remain open until October 24.

IoT Risk Mitigation

The draft guidance addresses the challenges with cybersecurity and privacy risk mitigation for IoT devices in terms of three high-level risk mitigation goals:

• Protect device security – Prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment. This goal applies to all IoT devices.
• Protect data security – Protect the confidentiality, integrity, and/or availability of data (including PII) collected by, stored on, processed by, or transmitted to or from the IoT device. This goal applies to each IoT device with one or more data capabilities unless it is determined that none of the device’s data needs its security protected.
• Protect individuals’ privacy – Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IoT devices that process PII or directly impact individuals.

For each of the three high-level risk mitigation goals the guidance then delineates a number of specific challenges for individual IoT devices, and risk considerations, implications and expectations. NIST assumes that if data security needs to be protected then device security needs to be protected as well, so the challenges for both would need to be considered. Similarly, if individuals’ privacy needs to be protected then device and data security need to be protected as well, so the challenges in all three areas must be considered.

To address the cybersecurity and privacy risk mitigation challenges for IoT devices NIST recommends organizations thoroughly understand the IoT device risk considerations detailed within each of the above areas and then adjust their policies and processes to address the risk mitigation challenges throughout the IoT device lifecycle and implement updated mitigation practices for their IoT devices.

Opportunities and Implications

As agencies continue to look to IoT implementations to increase efficiencies and effectiveness they will need help in identifying and mitigating cyber- and privacy risks within their existing and growing IoT-enabled infrastructure. This presents opportunities for integrators who understand both the capabilities and vulnerabilities of IoT as well as the up/down stream impacts of security measures. It also presents opportunities for specialized device manufacturers and service providers in niche markets as well as major industries to increase their play in the cybersecurity market, either as primes or subs on related contracts.

Vendors of IoT devices and supporting capabilities should stay attuned to what federal agencies are doing to ensure these offerings support and do not degrade an agency’s cybersecurity and privacy posture. Increasingly, the government has been adding requirements on contractors to improve their internal cybersecurity as a condition of doing government work. This has been especially true in the defense industry, where DoD data and information is often transmitted across or is stored on company networks. The growth of IoT will only increase the stakes and scrutiny on cybersecurity. Vendors and services firms alike need to ensure that their internal cybersecurity, supply chain, and privacy risk management practices strengthen their competitiveness in the federal marketplace as IoT continues to grow.