NIST Comes Out With A Proposal For The Security Of IoT Devices

  • IoT is rapidly evolving and expanding with a myriad of technologies interacting with the physical world.
  • While it is truly revolutionising the present systems of communications, it is also bringing with itself a certain risk of loss of privacy.
  • To counter this, the already implemented cybersecurity laws and practices must become even more stringent. 

The cybersecurity and privacy risks for IoT devices can be broken down into three categories: device security, data security and security of an individual’s privacy.

Device security refers to how an organisation prevents an IoT based device from being used to conduct malicious cyberattacks, which includes denial-of-service attacks against other organisations and individuals and eavesdropping on network traffic. 

Robust data security ensures the confidentiality, integrity and availability of data being protected when gathered, stored, and transmitted to or from the device.

Finally, an individual’s privacy should be of utmost importance and needs to be considered in the deployment of IoT. Organisations need to assure their customers that they will not compromise with their privacy in order to obtain data for business purposes.

A step towards ensuring safety

The National Institute of Standards and Technology (NIST), an organisation for innovation of measurement science, standards, and technology to enhance economic security and quality of life, released a guide for managing the privacy and cybersecurity risks posed by IoT. 

In October last year, NIST issued a draft, which laid out the top considerations that can impact the management of IoT devices across an enterprise. 

According to the NIST researches, the full scope of IoT is not precisely defined yet as it is very vast. Every sector that has its own type of IoT devices, such as healthcare, banking, transportation, etc. should understand their use because many IoT devices affect cybersecurity and privacy risks differently than the conventional IT devices.

If organisations can gain insight into the workings of IoT devices that are already in use, then they can quickly begin to manage the risk that this technology poses.

Ways to do so 

First of all, enterprises need to adjust their policies and processes to mitigate the challenges and vulnerabilities that will come throughout the IoT lifecycle.

However, if it fails to do so, then the error rates will turn to be high for the context in which IoT device might be used in the wrong way.

NIST researchers stated that an effective IoT sensor data management is important when mitigating physical attacks on sensor technology, such as attacks performed through wireless signals, that could cause sensors to produce false results.

The potential impact of this needs to be deeply recognised and addressed from cybersecurity and privacy perspectives. Any compromise could allow an attacker to use an IoT device to endanger human safety, damage or destroy equipment and facilities, or cause major operational disruptions.

Challenges lying ahead

One of the biggest challenges is that many IoT devices can’t be accessed, managed, or monitored as compared to handling a typical IT device. While conventional devices give the IT team the ability to leverage hardware and software access, IoT devices are typically more complicated.

Due to the lack of transparency, IoT gives little to no access or management capabilities of the software or configuration.

This leads to a further lack of management features and interfaces, along with difficulties in managing IoT at scale and differing lifespan expectations. Organisations may also struggle to manage the wide variety of software on its network, or find some hardware is unserviceable.

Jonathan Langer, CEO, Medigate puts forward his positive stance on interoperability where there is a clear definition of security for both health systems and device manufacturers of all sizes – including specific guidelines aimed at each stakeholder’s unique role. This requires experts from the IT, security and healthcare sectors who are equipped with the industry knowledge necessary to inform a standard that provides an adequate baseline for security.