The Internet of Things (IoT) has been widely regarded as representing a significant cybersecurity risk, which will only grow as connected devices continue to proliferate. As an important step in addressing these concerns, the Interagency International Cybersecurity Standardization Working Group (IICS WG) has developed a draft National Institute of Standards and Technology Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). The report’s intent is to inform and enable policymakers, managers, and standards participants to seek timely development and use of cybersecurity standards in IoT components, systems, and services.
The charter of the IICS WG, established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC), is to coordinate on major issues and enhance U.S. federal agency participation in international cybersecurity standardization.
This draft report:
- Provides a functional description of the IoT
- Describes several IoT applications that are representative examples, including: connected vehicles, smart buildings, smart manufacturing, and consumer, health and medical applications
- Summarizes the cybersecurity core areas and provides examples of relevant standards
- Describes IoT cybersecurity objectives, risks, and threats
- Provides an analysis of the standards landscape for IoT cybersecurity
- Maps IoT relevant cybersecurity standards to cybersecurity core areas
The report states that cybersecurity for IoT is unique and will require tailoring of existing standards, as well as the creation of new standards.
Industry best practices have usually followed NIST publications, and NIST standards often become auditor evaluation criteria for U.S. compliance entities. This publication clearly marks the beginning of NIST acting on behalf of the U.S. federal government to increase the national cybersecurity posture for the Internet of Things. The report states: “Effective U.S. government participation involves coordinating across the U.S. government and working with the U.S. private sector. There is a much greater reliance in the U.S. on the private sector for standards development than in many other countries.” Because standards in the United States are generally market-driven and private sector-led, it is important to note that this document encourages the private sector to start developing standards in this needed area.
NISTIR 8200 is a good initial effort to help elevate the security posture of firms involved with deploying devices and aggregating information through the Internet of Things ecosystem. However, there are several areas for which the document references no standards, such as: Hardware Assurance (malware in firmware), Software Assurance, Security Automation and Continuous Monitoring, and System Security Engineering. While higher-level standards for many of these areas are available and low-level specifications and implementations are in use, as the NISTIR states, “these areas require maturation through international standards developing organizations.” Where no specific standards are referenced, firms can substitute from other frameworks. By leveraging established frameworks such as NIST RMF, ISO/IEC, COBIT, IETF, HITRUST, NERC CIP, or IEC TR (depending on the appropriate operational industry), firms have the tools to fill in areas that are not covered by NISTIR 8200.
For firms that operate without mandatory compliance frameworks, Draft NISTIR 8200 can be used to review the implementation of important cybersecurity principles and identify gaps now, ahead of any mandates.
These gaps will need to be prioritized based on a risk assessment measuring the impact of vulnerability exploitation. In-house security teams identifying the gaps should work with their governance, risk, and compliance leaders to plan how to address any findings and remediate them to improve the overall security posture, with appropriate consideration for cost and time.
The public comment period for Draft NISTIR 8200 closes on April 18, 2018. Comments can be submitted on the draft NISTIR 8200 homepage and will be posted online. Industry professionals should review and comment so they understand the importance the federal government places on securing the IoT and can contribute to standards evolution.