NIST Interagency Report on IoT: An Incremental Step Toward IoT Standards

March 05, 2018, Abel Sussman, Senior Project Manager, Commercial Services, Coalfire

The Internet of Things (IoT) has been widely regarded as representing a significant cybersecurity risk, which will only grow as connected devices continue to proliferate. As an important step in addressing these concerns, the Interagency International Cybersecurity Standardization Working Group (IICS WG) has developed a draft National Institute of Standards and Technology Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). The report’s intent is to inform and enable policymakers, managers, and standards participants to seek timely development and use of cybersecurity standards in IoT components, systems, and services.

The charter of the IICS WG, established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC), is to coordinate on major issues and enhance U.S. federal agency participation in international cybersecurity standardization.

This draft report:

  • Provides a functional description of the IoT
  • Describes several IoT applications that are representative examples, including: connected vehicles, smart buildings, smart manufacturing, and consumer, health and medical applications
  • Summarizes the cybersecurity core areas and provides examples of relevant standards
  • Describes IoT cybersecurity objectives, risks, and threats
  • Provides an analysis of the standards landscape for IoT cybersecurity
  • Maps IoT relevant cybersecurity standards to cybersecurity core areas

The report states that cybersecurity for IoT is unique and will require tailoring of existing standards, as well as the creation of new standards.

Industry best practices have usually followed NIST publications, and NIST standards often become auditor evaluation criteria for U.S. compliance entities. This publication clearly marks the beginning of NIST acting on behalf of the U.S. federal government to increase the national cybersecurity posture for the Internet of Things. The report states: “Effective U.S. government participation involves coordinating across the U.S. government and working with the U.S. private sector. There is a much greater reliance in the U.S. on the private sector for standards development than in many other countries.” Because standards in the United States are generally market-driven and led by the private sector, it is important to note that this document encourages the private sector to start developing standards in this needed area.

NISTIR 8200 is a good initial effort to help elevate the security posture of firms involved with deploying devices and aggregating information through the Internet of Things ecosystem. However, there are several areas for which the document references no standards at all, such as: Hardware Assurance (malware in firmware), Software Assurance, Security Automation and Continuous Monitoring, and System Security Engineering. While higher-level standards for many of these areas are available and low-level specifications and implementations are in use, as the NISTIR states, “these areas require maturation through international standards developing organizations.” Without specific standards referenced, firms can substitute from other frameworks. By leveraging successful frameworks such as NIST RMF, ISO/IEC, COBIT, IETF, HITRUST, NERC CIP, or IEC TR (depending on the appropriate operational industry), firms have the tools to fill in areas that are not covered by NISTIR 8200.

For firms that operate without mandatory compliance frameworks, Draft NISTIR 8200 can be used to review the implementation of important cybersecurity principles and identify gaps now, ahead of any mandates.

These gaps will need to be prioritized based on a risk assessment measuring the impact of vulnerability exploitation. In-house security teams identifying the gaps should work with their governance, risk, and compliance leaders to plan how to address any findings and remediate them to improve the overall security posture, with appropriate consideration for cost and time.

The public comment period for Draft NISTIR 8200 closes on April 18, 2018. Comments can be submitted on the draft NISTIR 8200 homepage and will be posted online. Industry professionals should review and comment so they understand the importance the federal government places on securing the IoT and can contribute to standards evolution.
