NIST Plans To Draft IoT Cybersecurity Guidance That Will Impact the Private Sector
NIST announced plans to develop guidance on IoT for federal agencies, indicating that its guidance will address common high-level risks regarding both cybersecurity and privacy. It is clear from a recent workshop that NIST’s effort will impact expectations for the tech sector.
NIST is taking on this work under its Cybersecurity for IoT Program, which was launched in November 2016 to house NIST’s cyber efforts that touch on IoT. As the Manager of that program described in a recent blog post, entitled Riding the Carousel of Progress to Tomorrow’s Internet (of Things), “[t]ogether with [NIST’s] partners from government, industry, international bodies and academia, [NIST is] working to understand the IoT-specific threat landscape, identify what standards exist and where the gaps are, and provide guidance for federal agencies to deploy IoT in a way that brings the greatest benefit while being secure, safe and privacy-preserving.”
As part of this effort, on October 19, NIST hosted an IoT Cybersecurity Colloquium to convene stakeholders from government, industry, and academia. The purpose of the Colloquium was to help inform NIST’s future strategy and actions regarding IoT guidance, and to serve as a primary input for that guidance. NIST previewed that its guidance may take the form of “characteristic- or capabilities-based groupings of devices” to help organizations identify threat profiles and determine mitigation strategies.
The Colloquium featured speakers mainly from industry and covered IoT generally, including consumer IoT. Key themes that arose include:
- IoT is different from the traditional Internet ecosystem. As such, different security approaches may be necessary.
- The IoT ecosystem is complex; there is no one-size-fits-all solution when it comes to cybersecurity for IoT.
- A voluntary and non-regulatory approach to IoT cybersecurity is preferable to a prescriptive, regulatory one.
- There is no consensus on whether the unique nature of IoT can be covered by the existing NIST Cybersecurity Framework, or whether it calls for a new cybersecurity framework or a tailored profile based on NIST’s Framework.
- There is a need to ensure that incentives are aligned to promote sound security for IoT.
- Supply chain risk management is critical to an organization’s cybersecurity posture: organizations need to ensure that their suppliers and vendors are thinking about and acting on security in the right ways.