NIST initiatives in IoT


IoT Cybersecurity-Related Initiatives at NIST

 

Initiative Description
BLE Bluetooth
Special Publication 800-121, Revision 2: Guide to Bluetooth Security
  • Discusses security considerations for devices that might implement Bluetooth or Bluetooth Low Energy communication protocols
Cloud Security
Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing
  • Cloud definition
Cybersecurity for Cyber Physical Systems
Framework Document
  • CPS research and standards development are carried out in multiple NIST Laboratories, including programs in advanced manufacturing, cybersecurity, buildings and structures, disaster resilience, and smart grid. 
Cybersecurity for Smart Grid Systems
NISTIR 7628 revision 2: Guidelines for Smart Grid Cybersecurity, Volume 1
  • Possible explosive growth in numbers of sensors and actuators, with security requirements
  • Exploring opportunity to map to IoT models (like SP 800-183)
Cybersecurity Framework
Framework
  • This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk.  The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
Cybersecurity Framework Profile for Manufacturing
White Paper
  • Profile maps manufacturing processes to the Cybersecurity Framework
  • Multi-laboratory effort within NIST
Digital Identity Guidelines
Special Publication 800-63
  • SP 800-63: Digital Identity Guidelines
Galois IoT authentication & PDS Pilot
Pilot Project
  • Pilot deploying strong authentication for IoT-connected smart building
  • Enables access to IoT devices and sharing device data across organizational entities
GSMA Trusted Identities Pilot
Pilot Project
  • GSMA, NIST and San Diego Health Connect working together to enable more secure access to electronic health records to emergency first responders in the field
Guide to Industrial Control Systems (ICS) Security
Special Publication 800-82
  • SP 800-82, Rev 2: Guide to Industrial Control Systems (ICS) Security
  • Overlay for SP 800-53 for control system environments, taking into account their specialized challenges
Lightweight Encryption
NISTIR 8114
  • NISTIR 8114: Report on Lightweight Cryptography

Low Power Wide Area IoT
More

  • This project is developing a LoRaWAN infrastructure in order to study the security of communications based on Low Power Wide Area Networks, with the objective of identifying and evaluating security vulnerabilities and countermeasures.

Mitigating IoT-Based DDoS/Botnet Report
Building Block

  • The NCCoE aims to improve the resiliency of IoT devices against distributed attacks and improve the service availability characteristics of the internet by mitigating the propagation of attacks across the network. 
National Vulnerability Database
Database
  • The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

NCCoE IoT-Based Automated Distributed Threats
Building Block

  • Aims to improve the resiliency of IoT devices against distributed attacks and improve the service availability characteristics of the internet by mitigating the propagation of attacks across the network

NCCoE Use Case: Capabilities Assessment for Securing Manufacturing Industrial Control System
Building Block

  • NCCoE and EL will demonstrate behavioral anomaly detection and prevention mechanisms, to support a multifaceted approach of counteracting cyber attacks against ICS devices that provide the functionality necessary to run manufacturing processes. The goal is to provide industry with detailed information to establish an anomaly detection and prevention capability in their own environments.
Network of Things
Special Publication 800-183
  • SP 800-183: Network of 'Things'
  • Provides a model and terminology for describing IoTs
  • Opportunity to map the model to lower-level architectures and designs
Privacy Engineering
Program
  • Given concerns about how information technologies may affect privacy at individual and societal levels, the NIST privacy engineering program (PEP) supports the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect privacy and, by extension, civil liberties.

Report on State of International Cybersecurity Standards for IoT
NISTIR

  • NISTIR 8200 (DRAFT): Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)
RFID Security Guidelines
Special Publication 800-98
  • SP 800-98: Guidelines for Securing Radio Frequency Identification (RFID) Systems
  • Information disclosure issue; impoverished version of an IoT

Security and privacy concerns of intelligent virtual assistants
More

  • Security diagnostics expose vulnerabilities and privacy threats that exist in commercial Intelligent Virtual Assistants (IVA); diagnostics offer the possibility of more secure IVA ecosystems. This paper explores security and privacy concerns with these popular consumer devices.
Security Content Automation Protocol (SCAP) Standards and Guidelines
Special Publication 800-126 revision 2
  • SP 800-126, Rev 2: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
  • Specifications for representing security configuration and vulnerability information
Security of Interactive and Automated Access Management Using Secure Shell (SSH)
NISTIR 7966
  • NISTIR 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH)
  • Essential utility for management of distributed devices
Security Systems Engineering
Special Publication 800-160
  • SP 800-160: Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

Software Assessment Management Standards and Guidelines
NISTIR 8060

  • NISTIR 8060: Guidelines for the Creation of Interoperable Software Identification (SWID) Tags

Supply Chain Risk Management
Special Publication 800-161

  • Supply chain risk management practices
Vehicle-to-vehicle transportation
  • NIST participates in international standard development for vehicle cybersecurity
  • NIST consults domestically on automotive security
NCCoE Wireless Medical Infusion Pumps
Building Block
  • Working with industry partners to develop implementation guidance for the wireless medical infusion pumps use case

 

Potential Future NIST Efforts

NIST Publication on The Status of International Cybersecurity Standardization for the Internet of Things (IoT)

A publication of the current state of international cybersecurity technical standards related to IoT security.

IoT Publications and Industry Initiatives Review

Set of references (standards, academic papers, industry white papers, etc.) describing current IoT technology, anticipated use cases, and active industry initiatives

IoT Definition, Vocabulary, and Conceptual Architecture

Describes IoT-specific aspects of a device or set (network) of devices (and backend support systems), building on existing industrial resources and NIST’s Network of Things publication (SP 800-183)

Use-Case and Sector-Specific IoT Architectures and Key Features

Describes IoT across sectors and key use cases, demonstrates how the architecture and key features of each can be generalized to an overarching IoT architecture

NIST Cybersecurity Framework application to IoT

Describes how the NIST Cybersecurity Framework can be used to apply security practices and security controls to IoT system components

IoT Threat Modeling

Describes how to apply threat modeling to IoT systems, map architectures and key functions to security and privacy capabilities

Risk Management for IoT

Guidance for system developers, owners, and operators for managing risks using the suitable risk management framework (e.g., NIST Risk Management Framework)

National Thing Behavior Database (NTBD)

Make available, on a national basis, behavioral information on IoT devices (such as signatures), as a service similar to the National Vulnerability Database, using industry standard specifications (e.g., MUD [Manufacturer Usage Description] IETF draft) as starting points

Configuration Scanning for Consumer-Owned IoT

Guidance for standardized data formats and protocols for applications that scan and perform configuration analysis when connected to consumer-owned IoTs—primary goal would be to provide a level of safety and security to consumers without requiring that they apply IoT expertise themselves—would also benefit experts

 

Complementary IoT Research

Data

The IoT will generate vast amounts of data for decision making, prediction, and autonomous physical action. For more, see NIST’s Big Data Public Working Group, developing methods and testing infrastructure to measure and compare the performance of data analytic algorithms.

Privacy Engineering

Due in significant part to the anticipated ubiquity of sensors and their ability to collect volumes of information about people in multiple environments, the IoT will create challenges for protecting the privacy of individuals. NIST’s Privacy Engineering Program supports the development of trustworthy systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools, and standards that protect individuals’ privacy and, by extension, civil liberties.


Created June 6, 2017, Updated April 11, 2018