{"id":13213,"date":"2019-06-29T15:28:40","date_gmt":"2019-06-29T15:28:40","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=13213"},"modified":"2022-10-14T18:28:40","modified_gmt":"2022-10-14T22:28:40","slug":"this-is-why-nist-announced-cybersecurity-guidelines-for-iot","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/this-is-why-nist-announced-cybersecurity-guidelines-for-iot.html","title":{"rendered":"This is why NIST Announced Cybersecurity Guidelines for IoT"},"content":{"rendered":"\n<p>We recently broke the news that <a href=\"https:\/\/www.apextechservices.com\/topics\/articles\/441013-corporate-iot-breaches-invisible-half.htm\">half\nof IoT breaches in corporations are invisible<\/a>.<\/p>\n\n\n\n<p>Perhaps nothing can or should be more scary to corporate boards\nand management.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>\u201cGiven the increase in the number of IoT-enabled devices, it&#8217;s extremely worrying to see that businesses still can&#8217;t detect if they have been breached,\u201d said Jason Hart, CTO, Data Protection, Gemalto. \u201cWith no consistent regulation guiding the industry, it&#8217;s no surprise the threats &#8211; and, in turn, vulnerability of businesses &#8211; are increasing. This will only continue unless governments step in now to help industry avoid losing control.\u201d<\/p><\/blockquote>\n\n\n\n<p>There are numerous companies handling the challenge. 
A GlobalSign IoT security expert <a href=\"https:\/\/www.globalsign.com\/en\/company\/news-events\/news-archive\/globalsign-iot-security-expert-to-speak-at-iot-evolution-expo\/\">spoke<\/a> at this past <a href=\"http:\/\/www.iotevolutionexpo.com\">IoT Evolution Expo<\/a> in Florida on securing smart meters via the Wi-SUN Alliance\u2019s Field Area Network.<\/p>\n\n\n\n<p>IoT Evolution also evaluated and <a href=\"https:\/\/www.iotevolutionworld.com\/newsroom\/articles\/440062-iot-evolution-world-announces-winners-2018-iot-security.htm\">gave out awards<\/a> in the IoT security space late last year.<\/p>\n\n\n\n<p>Dr. Mike Lloyd, CTO of RedSeal, recently <a href=\"https:\/\/www.iotevolutionworld.com\/iot\/articles\/442179-security-a-time-iot.htm\">wrote<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>The Internet of Things (IoT), made up of special-purpose devices designed to do a particular job well, presents a significant problem for security professionals. Several of their traditional approaches to security won\u2019t work. Fortunately, it\u2019s not all doom and gloom. We can use a three-step strategy for dealing with security and IoT. <\/p><\/blockquote>\n\n\n\n<p>He goes on to describe the need for finding and understanding the threats in context, and then addressing them.<\/p>\n\n\n\n<p>Other companies focusing on this problem are <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/iot\/exclusive-atombeam-looks-to-become-standard-in-iot-data-transmission-and-storage.html\">AtomBeam<\/a>, on which we broke the news, as well as <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/technology\/longview-iot-boosts-energy-and-wireless-efficiency.html\">LongView IoT<\/a>. <\/p>\n\n\n\n<p>There are a great many companies in the IoT cybersecurity space because there are nearly infinite ways to configure solutions. Between disparate networks, LoRaWAN, NB-IoT, WiFi, Bluetooth, etc. 
and so many different sensors and modules which may or may not be designed to work together securely.<\/p>\n\n\n\n<p>The situation is complex, and in many ways far more challenging than securing data center and office computers.<\/p>\n\n\n\n<p>This is in part because the constraints on IoT devices are far greater than on PCs and even phones. Developers don&#8217;t worry so much about code bloat or adding layers of heavy security on those platforms because there are few constraints.<\/p>\n\n\n\n<p>IoT devices need to be lightweight, transmit the bare minimum number of packets and have great battery performance. <\/p>\n\n\n\n<p>You can&#8217;t exactly run full-time anomaly detection in such environments, right?<\/p>\n\n\n\n<p>One last challenge is nation-state revenge hacking. We recently <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/massive-new-iranian-cyber-threat-to-u-s-companies.html\">predicted<\/a> and <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/as-we-warned-iran-strikes-back-with-new-silex-malware-bricking-iot-devices.html\">reported<\/a> that Iran would attack the U.S., and one way it did was by bricking IoT devices whose default passwords had not been changed.<\/p>\n\n\n\n<p>For these and many other reasons, the government has stepped in to assist.<\/p>\n\n\n\n<p><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/nistir\/8228\/final\"><em>Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks<\/em> (NISTIR 8228)<\/a>\u00a0is the first in a planned series of documents NIST is developing to help IoT users protect themselves, their data and their networks from potential compromise. 
Developed by the\u00a0<a href=\"https:\/\/www.nist.gov\/programs-projects\/nist-cybersecurity-iot-program\">NIST Cybersecurity for IoT Program<\/a>\u00a0over more than two years of workshop discussions and interaction with the public, NISTIR 8228 is primarily aimed at federal agencies and other big organizations that are incorporating IoT devices into their workplace \u2014 organizations that may already be thinking about cybersecurity on a large-scale, enterprise level.\u00a0<\/p>\n\n\n\n<p>\u201cThe report is mainly for any organization that is thinking about\nsecurity on the level of the&nbsp;<a href=\"https:\/\/www.nist.gov\/cyberframework\">NIST Cybersecurity Framework<\/a>,\u201d\nsaid Mike Fagan, a NIST computer scientist and one of the authors of the\nreport. \u201cIt\u2019s targeted at the mode of thinking that an organization would have\n\u2014 more resources, more people, more ability, but also more risk of attack because\nof all those things. It\u2019s bad when a single house is attacked, but if a million\nbank account passwords are stolen, that has a much larger impact.\u201d<\/p>\n\n\n\n<p>Larger organizations may already be using the Cybersecurity\nFramework and&nbsp;<a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/draft\">NIST SP 800-53 Rev. 5<\/a>,\ntwo NIST resources that offer guidance for mitigating risk to information\nsystems and the activities that involve them. NISTIR 8228 takes the security\nand privacy focus from these other documents and considers it in the context of\nIoT products, from thermostats to voice-operated devices, which may not have\ntraditional interfaces such as a keyboard.&nbsp;<\/p>\n\n\n\n<p>\u201cAn IoT device might even have no interface at all, or have no way\nto install security software,\u201d Fagan said. \u201cBut it still might connect to your\nnetwork and be visible electronically to an enemy looking for a potential way\nin. 
It\u2019s this kind of incongruency with expectations that we want to help an\norganization think through before they bring IoT devices onto their network.\u201d<\/p>\n\n\n\n<p>The report is a companion document to the Cybersecurity Framework\nand SP 800-53 Rev. 5. However, NISTIR 8228 offers only advice; none of its\ncontents are requirements under the Federal Information Security Management Act\n(FISMA). After distinguishing IoT devices from conventional computers and\noutlining the type of risks they carry, the authors suggest three high-level\nrisk mitigation goals:&nbsp;<\/p>\n\n\n\n<ol><li><strong>Protect device\nsecurity,<\/strong>&nbsp;i.e., prevent an IoT device from being used to conduct attacks;&nbsp;<\/li><li><strong>Protect security\nof data,<\/strong>&nbsp;including personally identifiable information; and&nbsp;<\/li><li><strong>Protect\nindividuals\u2019 privacy.<\/strong>&nbsp;&nbsp;<\/li><\/ol>\n\n\n\n<p>\u201cIoT is still an emerging\nfield,\u201d Fagan said. \u201cSome challenges may vanish as the technology becomes more\npowerful. For now, our goal is awareness.\u201d<\/p>\n\n\n\n<p>Specifics are around the corner, though. In the near future, NIST plans to release a core baseline document that aims to identify fundamental cybersecurity capabilities that IoT devices can include. The document will have all IoT devices in mind, including those for individual users and home networks.<\/p>\n\n\n\n<p>Learn more about IoT and cybersecurity at\u00a0<a href=\"https:\/\/www.iotevolutionexpo.com\/east\/\">IoT Evolution<\/a>, part of the\u00a0<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO\u00a0<\/a>TECHSUPERSHOW, Feb 12-14, 2020 in Fort Lauderdale, Florida. 
<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"539\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/06\/iot-evolution.jpg\" alt=\"\" class=\"wp-image-12742\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/06\/iot-evolution.jpg 1000w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/06\/iot-evolution-768x414.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/nvlpubs.nist.gov\/nistpubs\/ir\/2019\/NIST.IR.8228.pdf\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>We recently broke the news that half of IoT breaches in corporations are invisible. Perhaps nothing can or should be more scary to corporate boards and management. \u201cGiven the increase in the number of IoT-enabled devices, it&#8217;s extremely worrying to see that businesses still can&#8217;t detect if they have been breached,\u201d said Jason Hart, 
CTO,<\/p>\n","protected":false},"author":44,"featured_media":13214,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[185,156],"tags":[1796,2172,1798,1500,2171],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/13213"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=13213"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/13213\/revisions"}],"predecessor-version":[{"id":13215,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/13213\/revisions\/13215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/13214"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=13213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=13213"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=13213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}