On February 14, 2018, the National Institute of Standards and Technology (NIST) released a draft of its NIST Interagency Report 8200 (NISTIR 8200), which is intended to inform policymakers and standards participants in developing and implementing cybersecurity standards in and for IoT devices and systems.  At a high level, the draft report is intended to:

  • provide a functional description for IoT (Section 4);
  • describe several IoT applications that are representative examples of IoT (Section 5);
  • summarize the cybersecurity core areas and provides examples of relevant standards (Section 6);
  • describe IoT cybersecurity objectives, risks, and threats (Section 7);
  • provide an analysis of the standards landscape for IoT cybersecurity (Sections 8 and 9); and
  • map IoT relevant cybersecurity standards to cybersecurity core areas (Appendix D).

The draft report was developed by the Interagency International Cybersecurity Standardization Working Group (IICS WG), which was established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee.  This group was convened to analyze international cybersecurity standardization issues and enhance U.S. federal agency participation in international cybersecurity standardization efforts.

NISTIR 8200 provides a non-exhaustive list of five IoT technology application areas that are offered for use in any analysis of the present state of IoT cybersecurity standardization.  These include:

  • Connected Vehicle IoT – enables vehicles, roads, and other infrastructure to communicate and share vital transportation information
  • Consumer IoT – consists of IoT applications in the residence as well as wearable and mobile devices.
  • Health IoT – processes data derived from sources such as electronic health records and patient generated health data.
  • Smart building IoT – includes energy usage monitoring systems, physical access control security systems and lighting control systems.
  • Smart manufacturing IoT – enables enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services

The report breaks down each of the five IoT technology application areas into eleven cybersecurity core areas and analyzes IoT cybersecurity objectives, risks, and threats present in each.

In terms of operationalizing security in the IoT context, NISTIR 8200 observes that traditional IT systems generally prioritize confidentiality, then integrity, then availability.  However, the report notes that IoT devices span a range of functions over a variety of sectors, and for some devices, those priorities may be ranked differently.  The report notes that this proliferation of varying IoT devices presents a challenge in terms of sheer volume of systems to be protected, and the diverse nature of IoT services increases the challenge for development of consistent cybersecurity standards.

Nevertheless, NISTIR 8200 concludes that standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications, stating that:

[T]hrough analysis of the application areas, cybersecurity for IoT is unique and will require tailoring of existing standards, as well as, creation of new standards to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.

The report then provides an analysis of the “standards landscape” in the IoT cybersecurity space, mapping the existing IoT security standards onto the eleven cybersecurity core areas.  It also notes the market impacts of existing standards and assesses the remaining gaps.

The report explains that effective U.S. government participation in cybersecurity standards development involves coordinating and working with the private sector, as there is much greater reliance in the U.S. on the private sector for standards development than in many other countries.  Accordingly, the report states that IICS WG relied on major contributions from “companies and industry groups, academic institutions, professional societies, consumer groups, and other interested parties.”

In terms of next steps for government agencies, NISTIR 8200 concludes that:

For identified priorities, agencies should work with industry to initiate new standards projects in Standards Developing Organizations (SDOs) to close [identified] gaps.  In accordance with USG policy, agencies should participate in the development of IoT cybersecurity standards and, based upon each agency’s mission, agencies should cite appropriate standards in their procurements.  Also, in accordance with USG policy, agencies should work with industry to support the development of appropriate conformity assessment schemes to the requirements in such standards.

This report provides a possible starting point for industry as it seeks to create a focus on security standards coordination and development in the IoT space in new and evolving joint and complex arrangements, such as public-private partnerships for smart cities and connected transportation technologies.  The list of IoT cybersecurity standards the report contains will constitute a valuable resource for tracking the current state of IoT cybersecurity standards, as it is quite extensive and contains a range of information about each standard.

Comments on NISTIR 8200, the draft report, are due by April 18, 2018.