How to manage IoT cybersecurity
A publication aims to help federal agencies and other organizations manage cybersecurity and privacy risks associated with individual Internet of Things (IoT) devices.
The purpose of this 44-page publication, released by the National Institute of Standards and Technology (NIST), is to help organizations better understand and manage the cybersecurity and privacy risks associated with IoT devices throughout the devices’ lifecycles.
IoT is an evolving and expanding collection of diverse technologies that interact with the physical world. IoT devices are an outcome of combining the worlds of information technology (IT) and operational technology (OT).
On top of that, quite a few IoT devices are the result of the convergence of cloud computing, mobile computing, embedded systems, big data, low-price hardware, and other technological advances. IoT devices can provide computing functionality, data storage, and network connectivity for equipment that previously lacked them, enabling new efficiencies and technological capabilities for the equipment, such as remote access for monitoring, configuration, and troubleshooting. IoT can also add the abilities to analyze data about the physical world and use the results to better inform decision making, alter the physical environment, and anticipate future events.
While the full scope of IoT is not precisely defined, it is vast.
Quite a few organizations are not necessarily aware that they are using a large number of IoT devices. It is important that organizations understand their use of IoT, because IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do. Once organizations are aware of their existing and possible future IoT usage, they need to understand how the characteristics of IoT affect the management of cybersecurity and privacy risks, especially in terms of risk response: accepting, avoiding, mitigating, sharing, or transferring risk.
This publication identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IoT devices as compared to conventional IT devices:
1. IoT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IoT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.
2. IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can mean performing tasks manually for large numbers of IoT devices, expanding staff knowledge and tools to cover a much wider variety of IoT device software, and addressing the risks of manufacturers and other third parties having remote access to or control over IoT devices.
3. The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than for conventional IT devices. This means organizations may have to select, implement, and manage additional controls, and determine how to respond to risk when sufficient controls for mitigating it are not available.
Cybersecurity and privacy risks for IoT devices can be thought of in terms of three high-level risk mitigation goals:
1. Protect device security. Prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, eavesdropping on network traffic, or compromising other devices on the same network segment.
2. Protect data security. Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device.
3. Protect individuals’ privacy. Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data security protection.
Each goal builds on the previous goal and does not replace it or negate the need for it. Meeting each risk mitigation goal involves addressing a set of risk mitigation areas. Each risk mitigation area defines an aspect of cybersecurity or privacy risk mitigation that is thought to be most significantly or unexpectedly affected for IoT by the risk considerations above. For each risk mitigation area, there are one or more expectations that organizations usually have for how conventional IT devices help mitigate cybersecurity and privacy risks in that area.
The publication provides three recommendations for organizations to ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle:
1. Understand the IoT device risk considerations and the challenges they may pose for mitigating cybersecurity and privacy risks for IoT devices in the appropriate risk mitigation areas.
2. Adjust organizational policies and processes to address the cybersecurity and privacy risk mitigation challenges throughout the IoT device lifecycle. This publication cites many examples of possible challenges, but each organization will need to customize these to take into account its mission requirements and other organization-specific characteristics.
3. Implement updated mitigation practices for the organization’s IoT devices as you would any other change to practices.