The National Institute of Standards and Technology (NIST) recently posted an invitation for stakeholder input for the creation of its guidance on IoT Security and Privacy Risk Considerations.
Across all industry sectors, IoT implementations are delivering new capabilities and services. Due to the large scope of IoT and its integration into other systems, NIST is looking to provide guidance on improving security and privacy risk management for IoT.
As part of its efforts to engage in industry dialogue and to help move important standards efforts like this forward, the Secure Technology Alliance IoT Security Council members worked together to compile their industry insight and expertise on the topic in a formal response which has been provided to NIST.
Below are summaries of the IoT Security Council’s responses to NIST’s six questions:
NIST Question: Is a network connection to an external network required for devices to be considered IoT?
The Council defined the two virtual planes—control plane and application plane—and their related functions in regard to defining IoT devices. It is not required for devices to be connected to an external network for normal operations. However, if application plane or control plane operations necessitate the device to be connected to an external network, then we can consider the device an IoT device.
NIST Question: NIST selected the term “devices” over terms such as “objects” and “things” as there does not seem to be consensus among technology, security, and privacy professionals on the preferred term. Which term would be best for future guidance?
The Council defined and differentiated “end point” as well as other notions associated with IoT; such as “digital twin,” which represents the canonical properties of an IoT device typically used for active remote management or capturing the last known checkpoint, and “hypallage” (which involves the connection of a small IoT device to another device which then makes the combination an IoT device (example: automobile).
NIST Question: Our expected focus for the guidance is security and privacy risks for two types of IoT ecosystem components: integrated IoT devices with built-in sensors and/or actuators, and composite IoT devices. Are these the areas where organizations need more guidance? Are there any others NIST should focus on?
The Council advised that guidance should span beyond the individual components and should also focus on the clustering or segmentation of components.
NIST Question: Are there any gaps in the capabilities list?
The Council explained that the NIST defined capabilities fall within the ‘application plane’ definition. The Council advised that the control plane, inclusive of diagnostics, lifecycle management enablement, credentials enabling identity and security and secure configuration, as well as software updates, should be included in IoT capabilities.
NIST Question: What use cases would best document interactions between IoT capabilities?
The Council noted the broad IoT capabilities within three general categories of sensing, communicating and actuating. Within those categories common use case examples are outlined.
NIST Question: How could risk assessment and response processes be adjusted to take IoT characteristics into account?
The Council discussed the challenges presented by the introduction of IoT into traditional IT security scenarios, such as: perimeter, point-point encryption, human interaction, and identity. The remote and autonomous nature of IoT environments create a need for tailored cybersecurity measures in each of these areas.