The internet of things covers a wide range of devices, from smart speakers to medical devices, but the National Institute of Standards and Technology is looking to build a common foundation of cybersecurity practices for IoT manufacturers and consumers.
At an IoT workshop at its headquarters in Gaithersburg, Maryland, NIST sought feedback from industry partners on an internal report released in June that focused on next steps for IoT security and privacy. Tuesday’s meeting also stemmed from a roadmap the agency released in April that laid out areas where the agency could further advance its work on its cybersecurity framework.
Mary Theofanos, a computer scientist with NIST’s Material Measurement Laboratory, said as IoT devices gain mainstream popularity with consumers, fewer users have an understanding of the security implications of those devices.
“Early adopters generally tend to have pretty decent technical backgrounds, because that’s why they adopt these things. They understand a little bit more about the technology, they’re a little bit more aware of some of the issues. But now we’re getting to that point where we’re getting a lot of non-technical users that are adopting these, bringing these into their home, and they don’t have the technical background to understand exactly what’s going on,” Theofanos said at Tuesday’s workshop.
Katerina Megas, the program manager of NIST’s Cybersecurity for the internet of things (IoT) program, said upcoming IoT guidance will help agencies navigate security concerns as they begin to adopt the technology.
“We had devices in place in federal agencies, in some cases, that had already been purchased,” she said. “We wanted to ensure that we provided some information to those operational entities that were already using IoT devices, understanding they had a range of capabilities.”
Given the broad audience of NIST’s recommendations, Megas said upcoming guidance wouldn’t take a “one-size-fits-all approach.” Instead, she said the agency is focused on developing a “core baseline” that most agencies and private-sector companies can implement, and then use that baseline as a jumping-off point for further industry-specific security standards.
“We feel this allows us to take an outcome-based approach and allows the different verticals or sectors to further elaborate, whether it be standards-development organizations or within their own organizations,” she said.
Tuesday’s session also served as a listening session for NIST officials to better understand existing best practices from industry and to tailor its guidance around those standards.
“I’d say very simply put, we’re trying to take a lot of the state-of-the-art practices and turn those into common practices every organization should be taking advantage of, especially when it comes to cybersecurity,” said Kevin Stine, the chief of the applied cybersecurity division in NIST’s Information Technology Laboratory (ITL).
Jim St. Pierre, the deputy director of ITL, said his office is working closely with other NIST labs on a project called “NIST on a chip,” which, among other things, is focused on developing standards on making precise measurements on IoT sensors.
“An internet of things sensor may or may not need that accuracy, but I would expect, over time, we’re going to see — and we are seeing — applications where those types of accuracies are needed and are of interest,” St. Pierre said.
But based on interviews NIST held with 40 individuals who own at least three smart devices, most consumers don’t have a solid understanding of IoT privacy or security implications.
“They don’t really have a good concept of what IoT is as we define it … They don’t really know how it’s connected or where it’s going,” Theofanos said.
Aside from privacy and data security implications, St. Pierre said compromised IoT devices can have “life-and-death safety concerns,” in cases of self-driving cars and internet-connected medical devices.
Once NIST completes its IoT core baseline, St. Pierre said the agency will continue to solicit feedback from agencies and the private sector about their specific IoT needs.
“This is not a one and done here,” he said. “This isn’t, ‘We get this baseline done and then we’ve got that taken care of.’”