Cheryl A. FalveyGabriel RamseyKate M. Growley, CIPP/G, CIPP/USPaul Mathis

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

  • Connected vehicle IoT, which includes technologies enabling “vehicles, roads, and other infrastructure to communicate and share vital transportation information,”
  • Consumer IoT, consisting of “IoT applications in residences as well as wearable and mobile devices,”
  • Health IoT, encompassing those systems and devices that process “data derived from sources such as electronic health records and patient-generated health data,”
  • Smart building IoT, which includes “energy usage monitoring systems, physical access control security systems and lighting control systems,” and
  • Smart manufacturing IoT, those applications which enable “enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.”

How Those Areas are Mitigating Cyber Risk

The Report goes on to assess the current methods used to mitigate the cybersecurity risks common to the five categories and the available standards for evaluating those methods. It does so by applying a separate cybersecurity framework developed under NISTIR 8074 Volume 2: Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objects for Cybersecurity (2015). The 8074 framework breaks down cybersecurity measures into a taxonomy of twelve unique groups, which together represent “key attributes of cybersecurity that broadly impact the overall cybersecurity” of a system, and which “may be interdependent.” The twelve divisions of the 8074 framework include:

  • Cryptographic techniques,
  • Cyber incident management,
  • Hardware assurance,
  • Identity and access management,
  • Information security management systems (ISMS),
  • IT system security evaluation,
  • Network security,
  • Physical security,
  • Security Automation and continuous monitoring (SACM),
  • Software assurance,
  • Supply chain risk management (SCRM), and
  • System security engineering.

For the twelve divisions of the framework, the Report evaluates the effectiveness of available risk mitigation methods used among the five major IoT technology divisions, and their related standards. The Report summarizes the progress in development of these risk mitigation methods with the following table (pp. 56-57 of the report, Table 4).

Throughout the Report, NIST is careful to note that the traditional IT cybersecurity objectives hierarchy of “Confidentiality, then Integrity, and lastly Availability” may be prioritized differently by parties in the IoT space, given that “IoT systems cross multiple sectors as well as use cases within those sectors.” As such, developing and evaluating IoT cybersecurity standards will require “tailoring existing standards and creating new standards to address challenges,” especially where standards gaps exist.