Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies
Inflection Point for IoT
In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and benefits. However, the increased ubiquity of IoT comes with heightened risks to security, privacy and physical safety and without a standardized set of cybersecurity requirements, many IoT devices and systems are vulnerable to attack. Earlier this month, the National Institute of Standards and Technology (NIST) (through the Interagency International Cybersecurity Standardization Working Group (IICS WG)) released a draft report to help both federal agencies and private companies plan and develop cybersecurity standards in their use and production of IoT components, products, systems and services. The draft report stresses the importance of coordination across the private and public sectors in developing standards to bolster the security and resilience of IoT, provides a snapshot of current international cybersecurity standards, and offers recommendations for gap-filling.
Mind the Gap
The draft report uses five market areas of IoT application (Connected Vehicles, Consumer IoT, Health IoT & Medical Devices, Smart Buildings and Smart Manufacturing) to provide a synopsis on the current state of play for international cybersecurity standards along the following core areas:
- Cryptographic Techniques
- Cyber Incident Management
- Hardware Assurance
- Identity and Access Management
- Information Security Management Systems
- IT System Security Evaluation
- Network Security
- Security Automation and Continuous Monitoring
- Software Assurance
- Supply Chain Risk Management
- System Security Engineering
While there are at least some established standards in most of these core areas, a few areas currently lack standards (namely, IT System Security Evaluation, Network Security and System Security Engineering). Indeed, even where standards have been established, consistent implementation across the five market areas are either lagging or nonexistent. For example, although some Hardware Assurance standards exist for the Connected Vehicles and Health IoT market areas, implementation has been lagging, while the same standards have yet to be implemented in the Consumer IoT, Smart Building and Smart Manufacturing market areas. This inconsistency in standards and adoption is explained by the draft report as a function of the typical prioritization of cybersecurity in networks. Traditionally, cybersecurity focuses on confidentiality, integrity, and availability (in that order), but when an organization develops standards for IoT technologies, it’s important to consider how the IoT components interact with the physical world as well as each other when prioritizing; accordingly, cybersecurity for an IoT device may be ordered differently depending on the use case. For example, Hardware Assurance is likely the most important issue for a medical device such as a pacemaker while Identity and Access Management are likely paramount for Smart Buildings.
A New Standard of Care?
So why should private companies care about this draft report? NIST is a part of the Department of Commerce and unlike other standards bodies that are dependent on licensing revenues for funding, NIST’s work is effectively in the public domain. Some NIST standards (such as FIPS) become requirements for federal agencies and their contactors, particularly in the absence of clearly identified alternatives (the Department of Defense, for example, imposes the security controls found in NIST publication 800-171 on its contractors). Therefore, suppliers and contractors to government agencies will often be required to evaluate themselves against NIST standards in the absence of industry accepted alternatives.
Further, to the extent that NIST finalizes this report and establishes that there are approved cybersecurity standards that are characterized as mature, manufacturers and users of IoT devices may face an argument that following those standards is a standard of care to which they must adhere. In a typical common-law context, the standard of care is determined by asking what a reasonable and prudent person would do in the same circumstance. To be imposed as a standard of care, however, the cybersecurity standard also must have reasonable acceptance in the relevant community and impose a specific duty on a person or company. Though the NIST report does not yet represent such a standard, NIST’s view is persuasive to some sectors and available for companies without cost. Companies working in the US may want to consider the positions in this report in their planning sequences, perhaps to leverage the final version as a self-assessment tool to identify gaps and/or to confirm that certain named standards are not relevant to their organizations. Given that NIST is seeking feedback from the public, there is an opportunity for private companies to have meaningful input in the final version of this report.
The Clock is Ticking
At a time when the application of IoT is experiencing rapid growth across industries, NIST states that it hopes the report will inform and enable managers, policymakers, and Standards Developing Organizations as they seek to develop a holistic cybersecurity framework focused on security and resiliency. Although the benefits of IoT are significant, the draft report acknowledges that “the timely availability of international cybersecurity standards is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures.” Failing to establish effective standards could have significant consequences on current products and on how future products are developed.
Public comments to the draft report are being accepted until April 18, 2018 and can be submitted to NIST at NISTIRemail@example.com using the comment template available at https://csrc.nist.gov/publications/detail/nistir/8200/draft.