The National Institute of Standards and Technology (NIST), a US physical sciences laboratory that promotes innovation and industrial competitiveness, has released a report to help organizations understand and manage cybersecurity and privacy risks associated with the internet of things (IoT).
Mike Fagan, a NIST computer scientist and one of the authors of the report, said the paper is mainly for organizations thinking about security on the level of the NIST Cybersecurity Framework.
“It’s targeted at the mode of thinking that an organization would have — more resources, more people, more ability, but also more risk of attack because of all those things. It’s bad when a single house is attacked, but if a million bank account passwords are stolen, that has a much larger impact,” Fagan wrote in a company announcement.
The 34-page report, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NISTR 8228),” is a companion document to the Cybersecurity Framework and SP 800-53 Rev. 5, two NIST resources that offer guidance for mitigating risk to information systems, according to Fagan.
“IoT is still an emerging field,” Fagan said. “Some challenges may vanish as the technology becomes more powerful. For now, our goal is awareness,” he said.
The report highlighted three factors that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices as well as three high-level risk mitigation goals that organizations should have in mind.
“The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available,” the report noted.
On mitigation goals, the report emphasized that the most important consideration for IoT administrators is to protect the device and data and individuals’ privacy.
“Organizations should ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas,” the report noted.
While the report provides insights on the management of risks associated with IoT, NIST is a non-regulatory body and can only provide guidelines.
However, the report itself is the first in a planned series of documents NIST is developing, according to Fagan.
NIST said it plans to release a core baseline document that aims to identify fundamental cybersecurity capabilities that IoT devices can include.
“We’d like to help all IoT users be aware of the risks to their security and privacy and help them approach those risks with open eyes,” Fagan said.
Governance, regulations, and standards pertaining to IoT are gaining ground in many parts of the world. Many alliances and industry bodies have released similar guidelines for IoT users, including the FIDO Alliance, NFC Forum, and the Wi-SUN Alliance.
Even the International Organization for Standardization (ISO) has released a reference framework for IoT. The new standard, called the ISO/IEC 30141, provides an internationally standardized IoT Reference Architecture for connected systems.
Early this year, the European Telecommunications Standards Institute (ETSI) has released the TS 103645, which it said is a globally applicable standard for cybersecurity in IoT. The new specification seeks to establish a security baseline for internet-connected consumer products.
