As part of our mission, the NIST Cybersecurity for the Internet of Things (IoT) Program develops guidelines for improving the cybersecurity of connected devices and the environments in which they are deployed. We are working on an introduction to managing IoT security and privacy risk for federal systems — an undertaking that would not be possible without stakeholder input.
To inform our approach to IoT security and privacy, we have been engaging with public and private sector stakeholders through conferences, meetings, and feedback submitted via email. We’ve also been participating in roundtables at industry events for facilitated dialogue with a range of stakeholders. This input and feedback have been critical in shaping our understanding of the IoT ecosystem and its associated risks.
The first three roundtables were held earlier this year. In January 2018, the Consumer Technology Association (CTA) hosted a roundtable during the Consumer Electronics Show (CES) in Las Vegas. There was another discussion that month at the IoT Evolution Expo in Orlando, Florida. Most recently, our staff attended a working session at the Industrial Internet Consortium (IIC) February 2018 quarterly meeting in Reston, Virginia.
While each session took place in a different location and with different stakeholders, common themes emerged. This is the first in a series of blog posts detailing what we heard in these discussions.
What exactly is IoT?
Across the board, there is a difference of opinion on whether there is value in defining the Internet of Things, and on what to include in such a description or definition. Some stakeholders believe that defining IoT would allow organizations to understand whether they are using IoT in their systems, and therefore that there is a separate set of risks to address; others are concerned that the IoT is evolving too rapidly and that a premature definition would be quickly outpaced by technological advancements. Further complicating the discussion is where the concern with IoT lies: with the “I” (that is, the connectedness) or the “T” (the device or endpoint itself).
Amongst those who agreed that there is a need to define the Internet of Things, there is disagreement on what that definition should entail. The scope of IoT varies widely, with some definitions being narrow while others are all-encompassing, considering practically every device with any sort of computing capability to be IoT.
Over the course of these three roundtables, stakeholders discussed whether to define IoT based on many characteristics, including the ability to have machine-to-machine conversations, use of the Internet Protocol (IP), connectivity to any network, any interaction with a network-connected device, any data transfer into or out of the device, and the presence of a sensor or actuator. While this is a long list, it is not a comprehensive one – the debate on what can and should be considered IoT is a dynamic, ongoing discussion.
In the three roundtables, stakeholders tended to agree that the Internet of Things should be considered as an ecosystem — no device or connection exists in a vacuum. The device, interfaces, communications, applications, gateways, cloud, and network are inextricably linked.
It’s an Internet of very different Things
Stakeholders, for the most part, agreed that there can be no one-size-fits-all solution for IoT security and privacy: each sector and market has a specific set of risks and considerations, as well as different levels of criticality. The deployment environment and use case affect risk; this risk often differs by sector and vertical, and may differ within a single sector or vertical. Further, depending on the sector or use, there are varying levels of concern for trustworthiness, safety, reliability, cybersecurity, privacy, and resilience.
A wide range of devices exist and are being deployed. While some offer high levels of transparency and customization options, others are considered “black boxes” — that is, they are inflexible and opaque. This could negatively impact the ability to manage, control and monitor the devices and their activities. Stakeholders emphasized the known and unknown security and privacy implications and concerns driven by the inability to see into these systems.
While some stakeholders suggested developing a range of sector-specific use cases to identify cybersecurity and privacy risks, others suggested focusing on a single use case and applying the lessons learned to other sectors and verticals.
Boundaries should be considered beyond the device
Devices often create data of some kind, share that data, and receive data — whether that be with other devices on the network, the cloud, the manufacturer, or another third party. Stakeholders pointed out that when considering IoT security, the device is the first step in determining the boundaries of the system: the data and where it is sent expands those boundaries. When securing their IoT, stakeholders are looking at the bigger picture, which includes devices, device data, and the environments in which they are deployed and interacting.
Further, stakeholders explained that the consideration is multifaceted, with the nature of the data, use case, and industry all impacting the level of sensitivity. Understanding the data, where it resides, how it is used, and where it goes informs its importance for the organization. This context is important.
While some data presents little risk for one type of organization, another may need to have additional considerations in safeguarding the same data. For example, a connected thermostat deployed in a public retail store presents a different set of risks than if the same thermostat were deployed at a critical infrastructure facility. If that thermostat is set to a lower-than-usual temperature for an extended period of time, it could indicate that nobody is expected to be there — the security risk of this information is different for a store than it is for a secure facility. At the same time, compromising the integrity of the data sent from the thermostat to falsely engage the heating system during a hot summer day can have tremendous operational impacts on both organizations.
These roundtable discussions have been invaluable in shaping our understanding of the IoT ecosystem and its associated risks. Feedback collected in these sessions has informed our evolving approach. For example, we had been evaluating the merits of different risk-based approaches (device-centric or ecosystem-based). Thoughtful stakeholder feedback validated that the ecosystem approach is the right one to take.
Have any ideas? We want to hear from you! We’ll be at RSA Conference in San Francisco from April 16 to 20, 2018, where we’ll host a roundtable discussion on Thursday, April 19, from 9 a.m. to 11 a.m. RSVP at email@example.com. Hope to see you at the NIST booth (4509) and on the expo floor!
Check out our Program page to learn more about our efforts and submit feedback to firstname.lastname@example.org. Remember to follow @NISTcyber and #IoTSecurityNIST on Twitter for updates on where we’ll be next.