NIST seeks comment on draft IoT security standards
- By Susan Miller
With its power to impact transform nearly all aspects of modern society, adoption of the internet of things "brings cybersecurity risks that pose a significant threat to the Nation," the National Institute of Standards and Technology said in a new report.
The draft version of NIST's "Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)" aims to help policymakers, managers and standards organizations develop and standardize IoT components, systems and services.
To push that standardization, NIST puts a stake in the ground in several areas by:
Defining IoT as a concept based on components that interact with the physical world and have data storage, networking, processing and sensing capabilities.
Describing representative IoT applications such as connected vehicles, consumer IoT (like smart homes), health IoT and connected medical devices, smart buildings and smart manufacturing.
Listing and summarizing core areas of cybersecurity, including encryption, digital signatures, hardware assurance, identity and access management, network security, security automation and continuous monitoring and supply chain risk management.
Describing IoT cybersecurity objectives, risks and threats as they relate to the representative applications.
Analyzing the current standards landscape for IoT cybersecurity as related to the core areas.
Presenting a matrix of the status of the major IoT cybersecurity standards and how they map to the core areas and applications.
Listing several possible standards gaps, such as applying blockchain technology to IoT security and best practices for avoiding malware in software and firmware.
Appendices include definitions, an IoT capabilities table, an IoT standards maturity model and extensive tables that sort standards by core area of cybersecurity. Additional guidance lists relevant FIPS documents and NIST SP 800-series publications on security.
Read the full report here.
Comments are due April 18. Reviewers are encouraged to use the comment template, and NIST will post comments online as they are received.