
Revision of NIST 800-53 Tackles IoT Security and Privacy

The Internet of Things (IoT) is having an enormous impact on the operations of organizations and government, as well as ordinary citizens. The increasing interconnectivity of devices and the sheer number of devices in use by the man on the street and within the business environment mean that IoT security and privacy questions are being asked by more and more organizations. To address these challenges, the U.S. National Institute of Standards and Technology (NIST) has just released a public draft of Revision 5 of NIST Special Publication 800-53, ‘Security and Privacy Controls for Information Systems and Organizations’, which offers guidance on coping with the emerging challenges posed by IoT.

 

Addressing IoT security and privacy head-on

The latest revision aims to establish a consolidated set of controls for data platforms by integrating privacy controls into the organizational security controls that NIST has supplied guidance for in the past. NIST said the publication will also facilitate integration with its Cybersecurity Framework and other risk management and cyber approaches.

The draft NIST 800-53 is especially relevant to the challenges of IoT security and privacy. By clarifying the relationship between privacy and security, it is hoped that the guidance will help streamline the selection of controls needed to address modern risks from the increasing popularity of the Internet of Things.

The set of standards introduces new controls based on proven attack information and threat intelligence data. Selecting a primary set of baseline security controls in accordance with a worst-case impact analysis assists organizations in creating standard security controls, as well as adding security controls in line with an organizational risk assessment. The security rules cover 17 areas, including incident response, access control, disaster recovery and business continuity.

 

New security and privacy risks for IoT

According to Ron Ross, NIST fellow and leader of the joint task force behind the update, personally identifiable information is becoming more and more vulnerable due to the proliferation of IoT devices. He said, “It’s important that our [organization’s] security and privacy teams work together to implement required privacy controls and protect systems from being hacked.”

This is not the first time NIST has issued guidance: this is the fifth version of the standards on this subject. However, it’s the first to really get under the skin of how IoT security and privacy are impacted by remote sensors and media collection devices like cameras, recorders and voice-activated controls, which can now be found in personal devices and smart systems like those used in the latest models of motor vehicles and within traffic monitoring systems.

 

Guidance from NIST 800-53 to navigate IoT complexities

Ross described the current computing environment as “the best of both worlds.” He noted that while handheld (and other) devices are delivering functionality and power that would have been hard to imagine only two decades ago, “sometimes these systems get so complicated that we don’t understand fundamentally what’s going on below the surface. That’s where the vulnerabilities lie.”

The new NIST 800-53 document is very much aimed at real-world solutions. It aims to guide users through the complexities of establishing best practice and controlling systems and devices. Although it is aimed primarily at U.S. federal agencies, there is some valuable guidance for both individuals and organizations as far as the use of commercial devices is concerned. This could be viewed as a framework for best practice in industry as well as government.

 

 

Nicole Lindsey

US Correspondent at CPO Magazine
Nicole Lindsey has been a writer and blogger for more than 10 years, focusing on the intersection of technology, innovation and privacy. She has a background in information technology and has worked with various software companies and tech startups on their public relations and communications initiatives.
