NIST outlines IoT cybersecurity and privacy risk mitigation
- By Susan Miller
- Jun 26, 2019
To help government agencies, manufacturers and integrators manage the cybersecurity and privacy risks associated with the increasing number of internet-of-things devices, the National Institute of Standards and Technology has issued an internal report, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.
The variety and number of single-purpose IoT devices requires organizations to evaluate their current cybersecurity and privacy practices and make necessary changes, NIST says.
Unlike conventional IT equipment, IoT devices interact with the physical environment, including non-IoT devices, cloud-based services, people and other components. They cannot be accessed and monitored like typical IT equipment because they frequently lack management features, and user interfaces. Plus, they can be difficult to manage at scale because of their varying lifespans, the different software employed, and the challenges with maintaining an accurate inventory.
Additionally, IoT devices have different cybersecurity and privacy capabilities than traditional IT, the report says. They often cannot support the security features built into IT components, like system logs, strong encryption or authentication or central management, making them difficult to protect.
NIST lays out three high-level goals -- protecting devices, data and individuals' privacy throughout the device lifecycle -- and outlines the potential challenges agencies may face along with mitigation strategies.
A detailed chart describes expected IoT capabilities, the challenges, the affected NIST SP 800-53 controls, implications for the organization and affected subcategories of the Cybersecurity Framework. So an IoT device that does not conceal the display of password characters, for example, affects authenticator feedback controls (IA-6) and increases the risk of credential theft.
NIST recommends agencies thoroughly understand the challenges IoT devices pose to cybersecurity and privacy. They should also adjust their policies and processes to take into account issues of scaling, privacy risk management and supply-chain security. Organizations should also "consider the tradeoffs among these risks when making decisions about cybersecurity and privacy risk mitigation," NIST says. "Managing cybersecurity and privacy risks for some IoT devices may affect other types of risks and introduce new risks to safety, reliability, resiliency, performance, and other areas."
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at [email protected] or @sjaymiller.