Taking Measure

Just a Standard Blog

'Cybersecuring' the Internet of Things

Concept of internet of things ecosystem
Credit: © chesky/fotolia.com

I recently had the chance to talk with the legendary Vint Cerf, one of the founding fathers of the internet. We had a wide-ranging discussion about the past, present and future of the internet, network security and what it would take to successfully, safely and reliably merge the digital and physical worlds, a concept known as the “Internet of Things,” or IoT.

As its name suggests, the internet of things will connect all kinds of things, bringing us a wealth of data about, well, everything that we can use to improve our lives. For example, internet-connected smart parking meters are helping people find available parking spaces, saving time, fuel and probably more than a few relationships. People are using fitness trackers to log their daily activity and achieve their fitness goals, making them healthier and happier. And technologies that promise to make travel safer and more convenient, such as self-driving cars and highway sensors that detect and adapt to real-time road conditions, are quickly moving from concept to reality.

But with all the exciting new functionality and features that IoT will grant, it will also bring a host of new cybersecurity risks and challenges. Some of these risks could be seen as relatively innocuous. For instance, hackers could virtually raid your internet-connected refrigerator and instruct it to order too much milk as a prank. Other risks are far more serious, such as hackers being able to take control of your self-driving vehicle or medical device.

The point is, the more devices that are connected to the internet, the more potential weak spots there are for hackers to exploit.

Because of this, it’s really important that the data IoT systems generate and disseminate be protected against unauthorized access, just as you would protect any sensitive system. Except in limited cases, even authorized users shouldn’t be able to change this data. And, while some data should be public so that people can slice it and dice it in different ways for research purposes—for instance, data on traffic patterns or pollution—some data, such as medical and genetic information, needs to be kept confidential, so we’ll need layers of permissions. As we become more dependent on these connected devices, ensuring their availability can also be critical. Vital networks that control the power grid or the access to health records should never go down—even for a second. And if they do, we need to be able to get them back up and running quickly.

My work on cybersecurity at NIST has made clear that standards and best practices are critical to keeping computer systems secure and creating trust in these systems. Similarly, cybersecurity standards and best practices can provide industry with the tools they need to build a secure and interoperable IoT. Today, even though standards and best practices can be used to support IoT systems, manufacturers, service providers and system developers are still working toward developing consensus security standards. Unless they can reach a consensus, we could end up with a patchwork of protections in which some IoT systems are more secure than others, and many such systems will not be adequately protected against cyberattacks.

NIST’s Cybersecurity for IoT Program is designed to cultivate trust in IoT and promote U.S. leadership in this space. The researchers in this program work with industry to produce definitions, reference data, guidance and best practices, as well as perform research and coordinate standards within and across sectors in the digital economy.

For example, one of the things we’re doing is investigating cryptographic algorithms that can be used to secure devices that are far more constrained than your average desktop computer in terms of memory or power capacity. These “constrained” devices, which include radio-frequency identification (RFID) tags and wireless sensors, are used in a variety of applications such as tracking of physical assets—be they packaged foods or automobile parts—and monitoring of physical structures such as roads, bridges and buildings.

Also, in collaboration with the health care community and medical device manufacturers, NIST’s National Cybersecurity Center of Excellence (NCCoE) recently developed guidance and a demonstration on securing wireless infusion pumps, which deliver fluids, medication or nutrients intravenously into a patient's bloodstream. Being connected to a computer network enables these devices to collect data about patients that can be shared and monitored by several medical practitioners at the same time. Being on the network also makes it easier to update them with new dosing instructions or operating software. The work of NIST computer scientists has demonstrated how standards-based, commercially available cybersecurity technologies can be used to better protect infusion pumps and the networks they are connected to.

Such efforts are paving the way toward more secure IoT devices in the future. Ultimately, only by adopting a common set of standards and best practices will the manufacturers of IoT systems, along with service providers and system developers, be able to bring a high level of security to IoT devices and protect the data they generate, making us all safer in the process.

 

About the author

Donna Dodson

Donna Dodson is the Chief Cybersecurity Advisor for the NIST Information Technology Laboratory and Director of the National Cybersecurity Center of Excellence (NCCoE). Since joining NIST in 1987,...

Comments

One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks. According to Forbes, the global cyber security market reached $75 billion for 2015 and is expected to hit $170 billion in 2020. NIST is doing a great job!

Hello Donna Dodson, I am developing US patent 8799022 to address IOT cyber security issues and when "commercially available" I think the NIST would be interested in the role de-identification is going to play. Could you direct me to someone at NIST that I could introduce this technology to so I might be able to incorporate their viewpoint while things are still in the pre-market design phase? I really hate paying to rewrite code. Our tech alters the digital transmission process, de-identifying the data in transit and as stored in our cloud, rendering it useless to cyber punks that will not have access to our tech to re-identify it, which we do at the intended destination. Thanks, Jim O'Brien
