Within the United States, there has been an increasing emphasis on the development of the Internet of Things (IoT), and in order for that to happen, there has to be universal agreement on the standards for IoT components, systems and services. As a result, the U.S. National Institute of Standards and Technology (NIST) recently released a landmark, 187-page report (“Interagency Report on Status of International Standardization for the IoT”), which goes into extensive detail about what has to happen next for the development of the Internet of Things – including a discussion of privacy and security risks that need to be considered.
The target audience for the NIST report
Unlike other IoT reports that have tended to focus primarily on the needs and interests of the technologists building the underlying products, services and components, this NIST report is much more far-reaching and focuses on risk management and cybersecurity for IoT.
The NIST report is designed for three major audiences: policymakers at federal agencies, managers at businesses and standards organizations. Taking a big-picture view, NIST would like to make it possible for businesses, government leaders and standards organizations to all be on the same page when it comes to rolling out new IoT innovations and talking about the key issues for devices and environments.
Key areas of concern for the IoT
The NIST report goes into extensive detail for five major areas where IoT appears to have the most promise: connected vehicles, consumer IoT, healthcare IoT, smart buildings and smart manufacturing. The report describes IoT applications that are most in need of consensus in terms of standards and approaches, as well as related tools to improve performance.
Moreover, the NIST report is noteworthy for raising areas of concern, where security and privacy risks appear to be growing the fastest. The report identifies a few gaps in current standards. For example, it points out that there is currently an inability to use software patches to fix flaws in cyber incident management. It also points out that there are currently risks for critical IT infrastructure (such as industrial control systems) as a result of not having the proper standards in place. This would suggest that organizations need to put in place an enhanced cybersecurity program for IoT.
The NIST report also outlines one crucial difference in approach between traditional IT security and IoT security: confidentiality and privacy are currently relegated to a less prominent role, all in the name of making more IoT devices and sensors available for a wider range of uses. Within the report, this is described as the difference between a traditional CIA (Confidentiality, Integrity, Availability) approach and the new AIC (Availability, Integrity and Confidentiality) approach. In the traditional IT security approach, confidentiality plays a primary role; in the new IoT security approach, it plays a tertiary role.
Privacy issues created by the IoT
One central idea that runs throughout the new NIST report on IoT is that all of the IoT components being created today are interacting with the physical world, and that is opening up new privacy concerns. As these components acquire data storage, networking, processing or sensing capabilities, they pose a potential risk for user privacy and confidentiality. As a result, agreement on guidelines and related tools is paramount.