NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce.

The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail.

“IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST.

In the guidance document, NIST identifies three high-level considerations that can affect the management of risks that IoT devices can introduce. First, IoT devices tend to interact with the physical world in ways that conventional IT devices do not. Second, IoT devices cannot typically be accessed, managed, and monitored in the same way as conventional IT devices. Third, the availability, efficiency and effectiveness of cybersecurity and privacy controls are different for IoT devices than conventional IT devices.

Cybersecurity and privacy risks need to be addressed for the entire lifecycle of IoT devices and can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct attacks
  • Protecting the confidentiality, integrity, and availability of data stored on the devices
  • Protecting the privacy of individuals

The guidance document suggests various ways that the above goals can be met and the challenges that organizations may face achieving those goals. However, since IoT devices are so diverse, it is difficult for recommendations to be made that can be applied for all use cases, levels of risk and device types.

NIST is seeking public comments on the document and will be accepting feedback until October 24, 2018. The draft document can be downloaded on this link (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.