NIST’s Interagency International Cybersecurity Standardization Working Group has released its draft interagency report on cybersecurity standards for the Internet of Things, and it is inviting comments on the draft from agencies.
The report covers the standards landscape for cybersecurity for the Internet of Things and it maps standards to 11 core areas.
The Interagency International Cybersecurity Standardization Working Group was established in 2015 to coordinate on major issues in international cybersecurity standardization and enhance U.S. federal agency participation in applying the standards.
The Internet of Things, which allows devices and products to talk to one another, is expected to revolutionize both the consumer and federal landscape in the next few years as an increasing number of organizations integrate it into everyday processes. It incorporates remote sensors, wearables, weapons, and vehicles, all of which present new threats for the military and federal government. Its adoption opens up some major cybersecurity challenges, with concerns already raised by agencies about botnets presenting risks to internet-connected devices. In August, the Internet of Things Cybersecurity Act was introduced to establish ground rules and heighten standards for IoT device security.
The report examines a range of cybersecurity aspects of the Internet of Things, including cryptographic techniques, encryption, hardware assurance, digital signatures, identity and access management and network security.
In the report, the DoD CIO states: “While traditional information systems generally prioritize Confidentiality, then Integrity, and lastly Availability, control systems and IoT usually prioritize Availability first, then Integrity and lastly Confidentiality. This does not mean that focus should be exclusively on Availability. We need to ensure that we maintain sufficient focus on Integrity and Confidentiality to address safety, privacy, and mission requirements.”
The report highlights the cybersecurity standards that are already available for connected vehicles, consumer IoT, health and medical devices, smart buildings and smart manufacturing across three key areas: cryptographic techniques, cyber incident management, and identity and access management. It found that standards were urgently needed for all five IoT components within network security and IT system security evaluation.
It also recommends applying blockchain technology to cryptographic techniques, implementing best practices when software patches are not a feasible way of resolving cyber incidents and implementing best practices for malware in software.
The report also found that there ought to be best practices for software development within the Internet of Things, and that IoT device manufacturers and security vendors should consider developing device-specific interfaces for monitoring in the interim.
According to the working group, agencies need to review these standards gaps with respect to their own missions, and work with industry to initiate new standards.
The IICS WG has opened solicitation for comments on this report until April 18. Comments should be submitted to NISTIRfirstname.lastname@example.org, and submitters are encouraged to use a comment template available on the Draft NISTIR 8200 homepage. Comments will be posted online as they are received.