A new publication released by the National Institute of Standards and Technology (NIST) aims to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual Internet of Things (IoT) devices.
As well as federal agency personnel, the NIST report is also aimed at IoT device manufacturers and integrators, who are responsible for cybersecurity and privacy risks for IoT devices.
The full scope of IoT is vast, rapidly evolving and expanding. This inherent complexity makes understanding IoT and the cybersecurity and privacy risks involved vital. NIST defines the diverse provisions of IoT devices, including “computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting.”
The nature and use of IoT devices varies across different sectors. For example, they may be utilized in specialized hospital equipment in the healthcare sector and smart-road technologies in the transportation sector. According to the report, many organizations are not necessarily aware they are using a large number of IoT devices. It is of the utmost importance that organizations fully understand their use of IoT because many of these devices affect cybersecurity and privacy risks differently than conventional IT devices do.
The first step in taking responsibility for IoT devices is therefore an awareness of existing IoT usage and possible future usage. In addition, organizations need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response.
NIST’s publication provides three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
Cybersecurity and privacy risks for IoT devices can be explained using three high-level risk mitigation goals: protect device security, protect data security, and protect individuals’ privacy. Each goal builds on the previous goal and does not replace it or negate the need for it.
When meeting these risk mitigation goals, organizations must address a set of risk mitigation areas, which each define an aspect of cybersecurity or privacy risk mitigation. The NIST publication states, “For each risk mitigation area, there are one or more expectations organizations usually have for how conventional IT devices help mitigate cybersecurity and privacy risks for the area.” One or more challenges may be posed by IoT devices for each expectation; the end result is a structured set of potential challenges with mitigating cybersecurity and privacy risk for IoT devices that can each be traced back to the relevant risk considerations.
NIST says organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas. To achieve this, the publication provides a list of recommendations. The first of these calls for understanding concerning IoT device risk considerations and the challenges they may cause to mitigating cybersecurity and privacy risks for IoT devices in the appropriate risk mitigation areas. The second recommendation calls for an adjustment in organizational policies and processes used to address cybersecurity and privacy risk mitigation challenges throughout the IoT device lifecycle. Finally, the publication encourages implementation of updated mitigation practices for the organization’s IoT devices as would be done to any other changes to practices.
Cybersecurity and privacy risks are very much a reality for the modern technological landscape. However, with proper comprehension and education, navigating such issues can be effectively streamlined and mastered.
