January 26, 2022

Volume XII, Number 26


NIST Releases Draft Report on IoT Cybersecurity Standards; Comments Due April 18

On February 14, 2018, the National Institute of Standards and Technology (NIST) released a draft of its NIST Interagency Report 8200 (NISTIR 8200), which is intended to inform policymakers and standards participants in developing and implementing cybersecurity standards in and for IoT devices and systems.  At a high level, the draft report is intended to:

  • provide a functional description for IoT (Section 4);
  • describe several IoT applications that are representative examples of IoT (Section 5);
  • summarize the cybersecurity core areas and provide examples of relevant standards (Section 6);
  • describe IoT cybersecurity objectives, risks, and threats (Section 7);
  • provide an analysis of the standards landscape for IoT cybersecurity (Sections 8 and 9); and
  • map IoT relevant cybersecurity standards to cybersecurity core areas (Appendix D).

The draft report was developed by the Interagency International Cybersecurity Standardization Working Group (IICS WG), which was established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee.  This group was convened to analyze international cybersecurity standardization issues and enhance U.S. federal agency participation in international cybersecurity standardization efforts.

NISTIR 8200 provides a non-exhaustive list of five IoT technology application areas that are offered for use in any analysis of the present state of IoT cybersecurity standardization.  These include:

  • Connected Vehicle IoT – enables vehicles, roads, and other infrastructure to communicate and share vital transportation information.
  • Consumer IoT – consists of IoT applications in the residence as well as wearable and mobile devices.
  • Health IoT – processes data derived from sources such as electronic health records and patient-generated health data.
  • Smart building IoT – includes energy usage monitoring systems, physical access control security systems, and lighting control systems.
  • Smart manufacturing IoT – enables enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.

The report breaks down each of the five IoT technology application areas into eleven cybersecurity core areas and analyzes IoT cybersecurity objectives, risks, and threats present in each.

In terms of operationalizing security in the IoT context, NISTIR 8200 observes that traditional IT systems generally prioritize confidentiality, then integrity, then availability.  However, the report notes that IoT devices span a range of functions over a variety of sectors, and for some devices, those priorities may be ranked differently.  The report notes that this proliferation of varying IoT devices presents a challenge in terms of sheer volume of systems to be protected, and the diverse nature of IoT services increases the challenge for development of consistent cybersecurity standards.

Nevertheless, NISTIR 8200 concludes that standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications, stating that:

[T]hrough analysis of the application areas, cybersecurity for IoT is unique and will require tailoring of existing standards, as well as, creation of new standards to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.

The report then provides an analysis of the “standards landscape” in the IoT cybersecurity space, mapping the existing IoT security standards onto the eleven cybersecurity core areas.  It also notes the market impacts of existing standards and assesses the remaining gaps.

The report explains that effective U.S. government participation in cybersecurity standards development involves coordinating and working with the private sector, as there is much greater reliance in the U.S. on the private sector for standards development than in many other countries.  Accordingly, the report states that IICS WG relied on major contributions from “companies and industry groups, academic institutions, professional societies, consumer groups, and other interested parties.”

In terms of next steps for government agencies, NISTIR 8200 concludes that:

For identified priorities, agencies should work with industry to initiate new standards projects in Standards Developing Organizations (SDOs) to close [identified] gaps.  In accordance with USG policy, agencies should participate in the development of IoT cybersecurity standards and, based upon each agency’s mission, agencies should cite appropriate standards in their procurements.  Also, in accordance with USG policy, agencies should work with industry to support the development of appropriate conformity assessment schemes to the requirements in such standards.

This report provides a possible starting point for industry as it seeks to create a focus on security standards coordination and development in the IoT space in new and evolving joint and complex arrangements, such as public-private partnerships for smart cities and connected transportation technologies.  The list of IoT cybersecurity standards the report contains will constitute a valuable resource for tracking the current state of IoT cybersecurity standards, as it is quite extensive and contains a range of information about each standard.

© 2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume VIII, Number 54

About this Author

Laura Phillips, Drinker Biddle Law Firm, Washington DC, Communications Law Attorney
Partner

Laura H. Phillips is a partner in and chair of the firm's Government & Regulatory Affairs Practice Group and a member of the Telecommunications & Mass Media Team.  She has over 25 years of experience working in nearly every aspect of the telecommunications market.

Laura counsels wireless and wired technology entrepreneurs and represents these clients on issues related to the development of new technologies, including devoting substantive attention to the development of spectrum auctions, network...

202-842-8891
Anthony Glosson, Drinker Biddle, Privacy & Communications Lawyer
Associate

Anthony D. Glosson assists clients with a range of privacy, communications, and regulatory compliance matters. He is the author of several publications in the field of technology law, and has been selected as a keynote speaker for a Capitol Hill discussion on active cyber defense.

Prior to joining Drinker Biddle, Anthony worked on numerous privacy and communications matters while serving as a law clerk for FCC Commissioner Ajit Pai, technology advocacy group TechFreedom, and state policy forum American Legislative Exchange...

(202) 230-5131