First in a series to help organizations understand and mitigate risks with the Internet of Things.
The National Institute of Standards and Technology (NIST) has released new general guidelines that adapt principles from the federal agency’s Cybersecurity Framework to the IoT era.
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) spotlights three important factors that could affect security and risk management for IoT devices:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IoT devices making changes to physical systems, and thus affecting the physical world, needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices, the agency says.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IoT devices, expanding staff knowledge and tools to include a much wider variety of IoT device software, and addressing risks with manufacturers and other third parties having remote access or control over IoT devices.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.
The guidelines note that the IoT is constantly expanding and evolving, and combines information technology with operational technology. Cloud and mobile computing, big data and embedded systems are also in the mix, and together they give equipment that was previously isolated network connectivity, data storage and computing functionality.
This breadth of IoT devices is substantial and spans sectors from transportation to healthcare and beyond. In fact, there are so many IoT devices in use that enterprises may not have a very good grasp on just how many they are using – itself a big risk.
According to the guidelines, three high-level risk mitigation goals should be kept in mind:
- Protect device security. Prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment.
- Protect data security. Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device. This goal applies to each IoT device except those without any data that needs protection.
- Protect individuals’ privacy. Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IoT devices that process PII or that directly or indirectly impact individuals.
Several recommendations aim to help companies reach these goals. They include: understanding IoT device risk and the challenges those devices may pose; adjusting policies to address these goals throughout the lifecycle of a device; and creating updated mitigation practices.
NIST says the new guidance is the first in a planned series addressing IoT security. Future publications, the agency emphasized, will go into greater detail and depth.