NIST Releases IoT Security Guidelines

Are you a little worried about the security implications of IoT devices? Help is at hand. The National Institute of Standards and Technology (NIST) has just released a document to help IoT users protect themselves from IoT security issues.

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) draws on the general cybersecurity principles in the NIST Cybersecurity Framework and adapts them for the IoT era. It is the first in a series of documents that aims to help organizations better understand IoT security risks.

The guide identifies cybersecurity and privacy risk considerations with IoT devices, before exploring some of the challenges of mitigating them. Finally, it makes some broad recommendations.

It warns that IoT devices interact with the physical world, potentially changing physical systems. They can also gather large amounts of data about individuals, it says.

IT teams should protect device security through proper asset management (maintaining an accurate IoT device inventory) and vulnerability management (eliminating known vulnerabilities in device firmware). They should also carefully manage access to devices and monitor them for data and device security incidents. They should prevent data tampering and manage the flow of personal data, while setting permissions for personal data processing, the report adds.

That's all well and good in theory, but IoT devices often can't be accessed, managed, or monitored like regular IT devices, the report warns. They often take a 'black box' approach and lack interfaces or management features altogether. Some of them don't even have unique identifiers. These shortcomings can limit the availability of cybersecurity information such as event logs.

NIST makes several recommendations to cope with these challenges. These include identifying which devices have IoT characteristics and what types they are, assessing the risk of each device, and then creating a strategy to respond to that risk by accepting, avoiding, mitigating, sharing, or transferring it.

It's a high-level document, but it's just the start in a series of further documents from NIST on IoT security. In fact, NIST removed an appendix originally included in this document, which gave examples of desirable cybersecurity and privacy capabilities for IoT devices. It will be released in a separate publication, the report adds.

In an industry already littered with IoT devices, managing everything from transportation systems to water and energy networks, it's good to see an authoritative guideline for IoT security – even if, as in this case, the guideline is purely voluntary.
