Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

  • Connected vehicle IoT, which includes technologies enabling “vehicles, roads, and other infrastructure to communicate and share vital transportation information,”
  • Consumer IoT, consisting of “IoT applications in residences as well as wearable and mobile devices,”
  • Health IoT, encompassing those systems and devices that process “data derived from sources such as electronic health records and patient-generated health data,”
  • Smart building IoT, which includes “energy usage monitoring systems, physical access control security systems and lighting control systems,” and
  • Smart manufacturing IoT, those applications which enable “enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.”

How Those Areas are Mitigating Cyber Risk

The Report goes on to assess the current methods used to mitigate the cybersecurity risks common to the five categories and the available standards for evaluating those methods. It does so by applying a separate cybersecurity framework developed under NISTIR 8074 Volume 2: Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity (2015). The 8074 framework breaks cybersecurity measures down into a taxonomy of twelve distinct groups, which together represent “key attributes of cybersecurity that broadly impact the overall cybersecurity” of a system, and which “may be interdependent.” The twelve divisions of the 8074 framework are:

  • Cryptographic techniques,
  • Cyber incident management,
  • Hardware assurance,
  • Identity and access management,
  • Information security management systems (ISMS),
  • IT system security evaluation,
  • Network security,
  • Physical security,
  • Security automation and continuous monitoring (SACM),
  • Software assurance,
  • Supply chain risk management (SCRM), and
  • System security engineering.

For each of the twelve divisions of the framework, the Report evaluates the effectiveness of the available risk mitigation methods used across the five major IoT technology categories, and the standards related to them. The Report summarizes the state of development of these risk mitigation methods in a table (Table 4, pp. 56-57 of the Report).

Throughout the Report, NIST is careful to note that the traditional IT cybersecurity objectives hierarchy of “Confidentiality, then Integrity, and lastly Availability” may be prioritized differently by parties in the IoT space, given that “IoT systems cross multiple sectors as well as use cases within those sectors.” As such, developing and evaluating IoT cybersecurity standards will require “tailoring existing standards and creating new standards to address challenges,” especially where standards gaps exist.

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Paul C. Mathis is an associate in Crowell & Moring’s Washington, D.C. office. He is a member of the firm’s Privacy & Cybersecurity and International Dispute Resolution groups.

Paul represents a diverse set of clients on a wide range of counseling, regulatory, litigation, and arbitration matters, most often involving high technology industries or sectors. Paul’s experience in privacy and cybersecurity law includes data incident response, compliance reviews, and the representation of clients in incident-based litigation. He also has experience counseling technology and media companies on broad regulatory compliance and litigation matters, both in nascent markets, such as that for autonomous vehicles, and mature markets, such as that for satellite and cable broadcasting.

Cheryl A. Falvey helps clients launch innovative new products while protecting their brand and reputation, avoiding and defending liability in the marketing of their products, building safety and security into their products with science-based risk assessment, and successfully navigating product safety challenges with rapid response.

An experienced trial lawyer, and a former general counsel of the United States Consumer Product Safety Commission (CPSC), Cheri defends class actions, unfair competition, product liability and other mass tort claims arising out of consumer, occupational, and environmental exposures. She also provides brand and consumer protection counseling services, with a focus on product safety and security, including the Internet of Things; privacy; anti-counterfeiting; and digital media. Cheri represents a wide range of clients, from emerging companies to multinational Fortune 500 conglomerates.

Cheri is widely recognized as a leader in her field. She is one of an elite group of attorneys to be ranked in Chambers USA, Band 1 for Product Liability: Regulatory. She is highly regarded for her considerable experience advising clients on regulatory issues, including risk assessments, product recalls and CPSC investigations.

She represents clients on litigation and counseling matters regarding:

  • Compliance with statutes and regulations enforced by the CPSC, FDA, NHTSA, and the FTC.
  • Product recalls conducted in cooperation with NHTSA, CPSC, and FDA, and the defense of clients in agency enforcement actions seeking civil and criminal penalties.
  • Counseling manufacturers faced with the potential release of unfair and inaccurate information by the government.
  • Counseling and defending clients on the sale and marketing of consumer products on the Internet, including compliance with the Children’s Online Privacy Protection Act, the FTC’s Green Guides, and state and federal privacy laws.

Prior to joining Crowell & Moring, Cheri served as the general counsel of the CPSC. In that capacity, she oversaw all federal court litigation, including civil and criminal cases referred by the Commission to the Department of Justice. Her tenure at the CPSC included advising the agency on the implementation of the Consumer Product Safety Improvement Act, a sweeping change to its statutes that had an impact across diverse industry sectors.

Cheri serves as Vice-chair of the American Bar Association’s Consumer Products Regulation Committee, Administrative Law & Regulatory Practice Section. She was named to the National Law Journal’s 2014 list of Governance, Risk & Compliance Trailblazers & Pioneers. Prior to joining the CPSC, Cheri had over 20 years of private practice experience as a partner with another international law firm, where she chaired the firm’s D.C. litigation practice. Cheri is also a former member of Crowell & Moring’s Management Board.