Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

  • Connected vehicle IoT, which includes technologies enabling “vehicles, roads, and other infrastructure to communicate and share vital transportation information,”
  • Consumer IoT, consisting of “IoT applications in residences as well as wearable and mobile devices,”
  • Health IoT, encompassing those systems and devices that process “data derived from sources such as electronic health records and patient-generated health data,”
  • Smart building IoT, which includes “energy usage monitoring systems, physical access control security systems and lighting control systems,” and
  • Smart manufacturing IoT, those applications which enable “enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.”

How Those Areas are Mitigating Cyber Risk

The Report goes on to assess the current methods used to mitigate the cybersecurity risks common to the five categories and the available standards for evaluating those methods. It does so by applying a separate cybersecurity framework developed under NISTIR 8074 Volume 2: Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity (2015). The 8074 framework breaks cybersecurity measures down into a taxonomy of twelve distinct groups, which together represent “key attributes of cybersecurity that broadly impact the overall cybersecurity” of a system, and which “may be interdependent.” The twelve divisions of the 8074 framework are:

  • Cryptographic techniques,
  • Cyber incident management,
  • Hardware assurance,
  • Identity and access management,
  • Information security management systems (ISMS),
  • IT system security evaluation,
  • Network security,
  • Physical security,
  • Security automation and continuous monitoring (SACM),
  • Software assurance,
  • Supply chain risk management (SCRM), and
  • System security engineering.

For each of the twelve divisions of the framework, the Report evaluates the effectiveness of the risk mitigation methods available in the five major IoT application categories, and the standards related to those methods. The Report summarizes the progress in development of these risk mitigation methods in the following table (pp. 56-57 of the report, Table 4).

Throughout the Report, NIST is careful to note that the traditional IT cybersecurity objectives hierarchy of “Confidentiality, then Integrity, and lastly Availability” may be prioritized differently by parties in the IoT space, given that “IoT systems cross multiple sectors as well as use cases within those sectors.” As such, developing and evaluating IoT cybersecurity standards will require “tailoring existing standards and creating new standards to address challenges,” especially where standards gaps exist.

Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Paul Mathis

Paul C. Mathis is an associate in Crowell & Moring’s Washington, D.C. office. He is a member of the firm’s Privacy & Cybersecurity and International Dispute Resolution groups.

Paul represents a diverse set of clients on a wide range of counseling, regulatory, litigation, and arbitration matters, most often involving high technology industries or sectors. Paul’s experience in privacy and cybersecurity law includes data incident response, compliance reviews, and the representation of clients in incident-based litigation. He also has experience counseling technology and media companies on broad regulatory compliance and litigation matters, both in nascent markets, such as that for autonomous vehicles, and mature markets, such as that for satellite and cable broadcasting.