Image of mobile phone with protected icon and surrounded by devices representing how IoT security and privacy is tackled by the updated NIST 800-53
Updated NIST 800-53 Tackles IoT Security and Privacy

Revision of NIST 800-53 Tackles IoT Security and Privacy

The Internet of Things (IoT) is having an enormous impact on the operations of organizations and government, as well as ordinary citizens. The increasing interconnectivity of devices and the sheer number of devices that are in use by the man on the street and within the business environment means that IoT security and privacy questions are being asked by more and more organizations. To address these challenges, the U.S. National Institute of Standards and Technology (NIST) has just released a public draft for Revision 5 of the latest NIST 800-53 Special Publication – ‘Security and Privacy Controls for Information Systems and Organizations’ that offers guidance on coping with the emerging challenges posed by IoT.

Addressing IoT security and privacy head-on

The latest revision aims to establish a consolidated set of controls for data platforms through the integration of privacy controls into organizational security controls that it has supplied guidance for in the past. NIST said the publication will also facilitate integration with the its Cybersecurity Framework and other risk management and cyber approaches.

The draft NIST 800-53 is especially relevant to address the challenges of IoT security and privacy. By clarifying the relationship between privacy and security, it is hoped that the guidance will help streamline the selection of controls needed to address modern risks from the increasing popularity of the Internet of Things.

The set of standards introduces new controls based on proven attack information and threat intelligence data. Selection of a primary set of baseline security controls in accordance with a worst-case impact analysis assists organisations in creating standard security controls, as well as adding the security controls in line with an organizational risk assessment. The security rules cover 17 areas, including incident response, access control, ability for disaster recovery and business continuity.

New security and privacy risks for IoT

According to Ron Ross, NIST fellow and leader of the joint task force behind the update, personally identifiable information is becoming more and more vulnerable due to the proliferation of IoT devices. He said. “It’s important that our [organization’s] security and privacy teams work together to implement required privacy controls and protect systems from being hacked.”

This is not the first time NIST has issued guidance. This is the fifth version of standards in respect of this subject that has been issued. However, it’s the first to really get under the skin of how IoT security and privacy is impacted by remote sensors and media collection devices like cameras, recorders and voice-activated controls which can now be found in personal devices and smart systems like those used for the latest models of motor vehicles and within traffic monitoring systems.

Guidance from NIST 800-53 to navigate IoT complexities

Ross described the current computing environment as “the best of both worlds.” He noted that while handhelds (and other) devices are delivering functionality and power that would have been hard to imagine only two decades ago, “sometimes these systems get so complicated that we don’t understand fundamentally what’s going on below the surface. That’s where the vulnerabilities lie,” he noted.

The new NIST 800-53 document is very much aimed at real world solutions. It aims to guide users through the complexities of establishing best practice and controlling systems and devices. Although aimed primarily at U.S. Federal Agencies there is some valuable guidance for both individuals and organizations as far as the use of commercial devices is concerned. This could be viewed as a framework for best practice in industry as well as government.