What You Need To Know About the New NIST Report on IoT

Within the United States, there has been an increasing emphasis on the development of the Internet of Things (IoT), and in order for that to happen, there has to be universal agreement on the standards for IoT components, systems and services. As a result, the U.S. National Institute of Standards and Technology (NIST) recently released a landmark, 187-page report (“Interagency Report on Status of International Standardization for the IoT”), which goes into extensive detail about what has to happen next for the development of the Internet of Things – including a discussion of privacy and security risks that need to be considered.

The target audience for the NIST report

Unlike other IoT reports that have tended to focus primarily on the needs and interests of the technologists building the underlying products, services and components, this NIST report is much more far-reaching and focuses on risk management and cybersecurity for IoT.

The NIST report is designed for three major audiences: policymakers at federal agencies, managers at businesses and standards organizations. Taking a big picture view, NIST would like to make it possible for businesses, government leaders and standards organizations to all be on the same page when it comes to rolling out new IoT innovations and talking about the key issues for devices and environments.

Key areas of concern for the IoT

The NIST report goes into extensive detail on five major areas where IoT appears to have the most promise: connected vehicles, consumer IoT, healthcare IoT, smart buildings and smart manufacturing. The report describes the IoT applications most in need of consensus in terms of standards and approaches, as well as related tools to improve performance.

Moreover, the NIST report is noteworthy for raising areas of concern where security and privacy risks appear to be growing the fastest. The NIST report identifies a few gaps in current standards. For example, the NIST report points out that there is currently an inability to use software patches to fix flaws in cyber incident management. The NIST report also points out that critical IT infrastructure (such as industrial control systems) is currently at risk because the proper standards are not in place. This suggests that organizations need to put an enhanced IoT cybersecurity program in place.

The NIST report also outlines one crucial difference in approach between traditional IT security and IoT security: confidentiality and privacy are currently relegated to a less prominent role, all in the name of making more IoT devices and sensors available for a wider range of uses. Within this report, this is described as the difference between a traditional CIA (Confidentiality, Integrity, Availability) approach and the new AIC (Availability, Integrity and Confidentiality) approach. As you can see, in the traditional IT security approach confidentiality plays a primary role; however, in the new IoT security approach confidentiality plays a tertiary role.

Privacy issues created by the IoT

One central idea that runs throughout the new NIST report on IoT is that all of the IoT components being created today are interacting with the physical world, and that is opening up new privacy concerns. As these components acquire data storage, networking, processing or sensing capabilities, they pose a potential risk for user privacy and confidentiality. As a result, agreement on guidelines and related tools is paramount.

For example, take the area of healthcare IoT, one of the five major areas covered by the report. Connected medical devices represent a potential breakthrough for the way we think about healthcare – they offer healthcare practitioners and doctors the rare opportunity to collect medical data on patients 24/7. By doing so, it might be possible to spot the onset of disease much earlier than ever before possible, and it might lead to more of an emphasis within the healthcare industry on prevention rather than treatment.

But what happens when that medical data is exposed to parties other than the doctor and the patient? That is what raises the most concern. A fundamental building block of the healthcare industry is the utmost confidentiality between patient and doctor. You don’t want your medical information being shared with your boss or co-workers at the office, and you don’t want that medical information being shared with third parties (including insurance companies and government regulatory bodies) unless required by law.

That is why it is so important to have agreement on what each IoT system needs to include (especially standards and guidelines) as part of international cybersecurity standardization. It starts by assessing the risks and potential threats of each IoT component being added to the system, and ends by taking a holistic view of each integrated system. The cybersecurity of connected devices can no longer be separated from the cybersecurity of the entire system.

Standards gaps for the IoT

Taking a short-term look at the future, the NIST report on IoT raises serious questions about several possible standards gaps. One of these gaps is blockchain for IoT security. How well are businesses and government agencies employing the latest blockchain technology for privacy, security and encryption? And what do they need to keep in mind when deploying new IoT-specific blockchain solutions?

In addition, the NIST report on IoT looks at possible cybersecurity issues that need to be resolved in the near term, especially those related to encryption, digital signatures and network security. Encryption is particularly important because IoT devices and sensors are constantly transmitting information and data to other nodes in an organization’s network. Strong encryption means that prying third parties are not able to gain access to this information. At some level, organizations need to be able to agree on the proper level of encryption for every single IoT transfer of data.

Future steps ahead for the build-out of the IoT

The comprehensive 187-page report released by NIST’s Interagency International Cybersecurity Standardization Working Group offers a path forward for the development of the Internet of Things and provides a snapshot of the status of international cybersecurity standardization. Importantly, the report focuses on the risks, threats and gaps in the current IoT environment and proposes steps that need to be taken in the future to address these gaps. Perhaps the greatest gaps are those related to security and privacy. NIST supports the development of standards in these two areas.

For years, IoT developers have focused too much on availability (i.e. getting the devices out there to be used as part of systems and networks) and not enough on privacy and confidentiality. The good news is that this mindset appears to be shifting. There is growing recognition that universal standards need to be in place to improve the cybersecurity of any IoT system, and that will have positive implications for data privacy and security. Standardization for the Internet of Things is an important starting point for a more secure future.