There are plenty of standards that can be used to help secure The Internet of Things, but not much evidence that they’re being used, according to NIST, which calls on government and industry to settle on conforming standards for IoT products in a new report.
The National Institute of Standards and Technology (NIST) has unveiled guidelines for cybersecurity standards for the fast-growing Internet of Things.
The NIST Interagency Report (NISTIR) 8200, published on Wednesday, gives both the government and the public a first look at what NIST thinks is needed to provide security guidelines covering the components, systems and services that will make up a wide range of Internet of Things solutions: from connected vehicles to consumer IoT applications to smart manufacturing and health IT. It concludes that, while many standards exist that could play a part in securing the IoT, a better effort to harmonize security standards is needed to protect both consumers and the public from online threats to connected devices.
Cyber security standards already exist that address issues such as data security, incident management and identity management, software assurance and supply chain risk. But adoption of those standards has been “slow” across the many industries that have embraced the Internet of Things and other connected technologies, NIST found. In pressing areas, such as network security or IT system security evaluation, standards have not been developed to meet the new challenges of the IoT, but are sorely needed, NIST concludes.
The report assesses IoT solutions against standard IT security measures like “confidentiality,” “integrity,” and “availability” and finds many similarities in the kinds of risks and threats faced by IoT endpoints, no matter their kind or purpose. Malware infections can degrade device integrity and compromise data stored on IoT endpoints. Denial of service attacks can affect device availability. However, the consequences of attacks vary greatly depending on the context. NIST notes that the risks posed by compromises of consumer IoT devices are mostly limited to consumer privacy. In the context of health IT devices, the risk is injury, illness and death, NIST notes.
However, NIST found evidence that the prospect of threats, attacks and bad outcomes has prompted industry to embrace a standards-based approach to manufacturing and deploying secure and resilient products.
While many independent and industry backed standards exist to guide IoT product companies in designing and deploying secure products, NIST found little evidence that industries were embracing those standards as part of their product design.
NIST also found a number of gaps, where clear standards do not exist. For example: NIST noted the absence of best practices for vulnerability remediation in cases when software patches are not feasible. Similarly, NIST noted there are no clear best practices for avoiding malware infections in firmware. In the arena of network security, where there is no shortage of existing standards, updates are needed to address the special requirements of IoT networks that have the potential for creating spontaneous connections.
NIST recommends that government organizations start moving towards standards-based implementation of IoT by “participat(ing) in the development of these standards” and by promoting and citing standards in agency procurements.
The report also calls on US industries to develop conformity assessment programs that will normalize the use of standards in IoT products. Citing the example of wireless networking standards promoted by the Wi-Fi Alliance, NIST said that efforts to standardize the implementation of wireless networking protocols in devices helped assure consumers that wireless networking gear would work seamlessly on their home networks. “Successful conformity assessment provides the needed level of confidence, is efficient, and has a sustainable and scalable business model,” NIST said.