The National Institute of Standards and Technology (NIST) has released Draft NIST Internal Report (NISTIR) 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, an introductory document that will serve as the foundation for a planned series of publications on how to manage cybersecurity and privacy risks associated with IoT devices.
The Internet of Things is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Yet many organizations are unaware of the large number of IoT devices already in use or how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices.
The NIST document is intended to aid both federal agencies and private organizations by identifying three high-level considerations for how IoT devices differ from conventional IT devices, as well as defining three accompanying goals for risk mitigation.
Firstly, many IoT devices interact with the physical world in ways conventional IT devices usually do not. The report states that the potential impact of some IoT devices making changes to physical systems, and thus affecting the physical world, needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. It adds that operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.
In addition, many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IoT devices, expanding staff knowledge and tools to include a much wider variety of IoT device software, and addressing risks with manufacturers and other third parties having remote access or control over IoT devices.
Finally, the availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.
Cybersecurity and privacy risks for IoT devices can be thought of in terms of high-level risk mitigation goals – protecting device security, protecting data security, and protecting individuals’ privacy.
The draft NIST report says organizations should ensure they are addressing cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas. It goes on to recommend actions for achieving this, which include understanding the risk considerations and challenges, adjusting organizational policies and processes to address these challenges, and implementing updated mitigation practices for the organization’s IoT devices.
NIST says there has been a great deal of interest from many organizations in establishing cybersecurity and privacy baselines to aid with IoT device risk mitigation. To date, most efforts have focused on specifying pre-market cybersecurity and privacy capabilities (the capabilities manufacturers should build into their IoT devices). Although these efforts are important and helpful, organizations are already using many IoT devices without these capabilities, and it will take time for manufacturers to improve pre-market capabilities for future devices, if that can be done without making them too costly.
Also, some efforts have assumed that organizations will only want to use pre-market capabilities. Organizations acquiring IoT devices may want to use pre-market capabilities, post-market capabilities (capabilities added by the organization after device acquisition), or a combination of these for a variety of reasons. Furthermore, for some IoT devices, only the security of the device itself needs to be protected. Other IoT devices might need data security protected in addition to device security, and a subset of those devices might also need privacy protected in ways that data security protection cannot. NIST says existing efforts have not distinguished requirements and recommendations in this way, leaving organizations to determine which ones apply to any particular IoT device implementation and usage.
A public comment period for this draft document is open until Oct. 24, 2018.