Industry Collaboration and the Cybersecurity Framework

[As prepared.]

Thank you for that kind introduction. It is a pleasure to be with all of you here at Internet of Things World to discuss IoT in Action.

This is a particularly exciting time to be engaged in IoT-related technologies. We are starting to see the benefits that these technologies can provide, and we are getting a very good sense for the associated challenges. So, we are at the right time and in the right place to shape the trajectory for this technology. I look forward to the discussions that result from these meetings and to engaging with you all.

NIST is part of the Department of Commerce and opportunities and challenges presented by IoT really resonate with many important aspects of the work of the department.

A list of these might include: 

  • facilitating U.S. exports,
  • addressing spectrum availability,
  • ensuring that standards for IoT are interoperable,
  • developing measurement solutions and technology that will enable wireless connectivity for IoT,
  • or applying these technological solutions for improving weather forecasts or monitoring our fishery stocks.

There are many ways IoT is relevant to our goals.

NIST's mission is to focus on U.S. competitiveness and innovation, and NIST is widely regarded as U.S. industry’s national lab.

You are well-acquainted with the many economic opportunities that IoT promises to deliver. Consumers are ready and waiting for autonomous cars, or truly smart homes and hospitals, smart cities, an improved grid or any living environment where devices communicate seamlessly, securely and effortlessly in ways that improve the quality of our lives.

Consumers are not the only ones anxiously waiting for the bounty of IoT wares. Manufacturers will realize an uptick in production, employing better quality control mechanisms and experiencing greater stability in their supply chain. Business owners will see improvement in their efficiency, which in turn, will lead to a larger sales volume, higher profits and will create more and better-paying jobs.

IoT impact is predicted to have anywhere from a several hundred-billion-dollar footprint by 2020 to several trillion dollars by 2025. IoT promises to have the potential to influence business both large and small. 

This truly is an exciting time, and I can’t wait to see what new innovations come from our American inventors.

To fully realize these opportunities, we must first overcome several key challenges. Some are technology based, some relate to lack of standardized approaches, and some are about establishing the infrastructure that will drive consumer confidence. 

Take security. A few years ago, botnet denial-of-service attacks generated lots of attention and much debate. But today, many now consider this type of threat a simple fact of our connected lives and a risk that we must manage in order to take advantage of the benefits of connectivity.

To move the field forward, we must work together to secure the IoT ecosystem. We must efficiently identify and isolate an attack, halt the attack and recover from any damage caused.

We must secure our data. Data contains valuable, sensitive and private information that we must protect from unauthorized access and exploitation.

IoT systems must perform as expected. Autonomous cars should take us to our destination, medical devices should deliver the proper dosage and report accurate measurements. Robotics on the assembly line should accurately assemble. They must be difficult for hackers to access or to alter.

Investments in IoT applications should not result in vendor lock-in. Lack of adaptability and the fear of stranded investment will stifle consumer confidence and stagnate the adoption of IoT solutions. 

Likewise, consumer frustration resulting from poor performance, whether due to bandwidth overload or signal interference, will slow consumer response to IoT.

These challenges are not unsurmountable. But time is of the essence.

The Administration’s high-level technology priorities align well with addressing these challenges. Namely:

  • Protecting a free and open internet,
  • Removing unnecessary regulatory burdens on emerging technologies and promoting the safe deployment of these technologies for the benefit of the American people; and,
  • A firm commitment to defending and protecting American technologies abroad.

We can see that each of these is essential to the growth and expansion of IoT technologies and applications in a way that provides the best possible competitive environment. These priorities have shaped the U.S. government and NIST’s efforts focused on the IoT.

Methods for addressing these challenges align with the interests that the U.S. government and NIST have in IoT more broadly. The President’s Management Agenda and the Department of Commerce’s Strategic Plan place renewed focus on American leadership.

The U.S. government’s interest in IoT is multifaceted. The federal government will be a consumer of IoT applications, ranging from fleet management to ensuring warfighters have the needed supplies and logistics. It will be called upon to regulate aspects of IoT—possibly ensuring the safe deployment of drones and UAVs in the national airspace or ensuring that consumer data is adequately protected. We will champion U.S. exports of these technologies and U.S. companies being able to access and compete in foreign markets. Maintaining U.S. technical leadership in advanced communication capabilities and networks supporting IoT is of high concern, as is protecting the security of IoT ecosystems.

NIST will be supporting IoT innovation through the measurements and standards tools that enable interoperability and confidence in IoT technologies and their applications. These efforts further trust, mission delivery and promote citizen engagement in emerging technologies. I will address NIST’s specific efforts in regards to the IoT in more detail.

We are a bit different than other national labs. We focus on pre-competitive, pre-proprietary areas where NIST’s tools and expertise can be used broadly. We are charged with working to help U.S. industry, and we are nonregulatory. This allows us to be neutral and to work with all IoT stakeholders.

Our participation in documentary standards development helps U.S. consumers trust that the items they purchase will fit and will operate as expected. Our IoT technology standards efforts instill trust that the protocols used to secure systems, devices and applications are robust and reflect the state of the art.

NIST tools and solutions are in our daily lives in very visible ways and in underlying technologies such as encryption algorithms that help you browse the internet securely, generating confidence in the accuracy of lab tests, timing signals used to synchronize clocks and GPS systems, and tools for forensics that help criminal investigations, to name a few.

IoT is a strategic priority area for us. We have broad efforts focused on IoT related cybersecurity, interoperability, connectivity and the data element.

We complement what the private sector is doing. We address elements that the private sector can utilize and build upon. We are looking at topics lacking private-sector investment—either due to the high costs or due to knowledge gaps and barriers. Our work in IoT supports three main tenets:

  • Trust (security and privacy), 
  • Interoperability, and
  • Connectivity.

Trust in IoT technologies is built on security and privacy, and this Administration recognizes the importance of this element. Strengthening the cybersecurity of federal networks and critical infrastructure is a key initiative for NIST. NIST, NTIA and DHS delivered the report called for by this executive order that identifies how to reduce threats from automatic and distributed botnet attacks.

In these areas where there is broad impact and strong private-sector interest and equity, we work with industry, academia and the international community often through public working groups to form consensus pathways forward. The National Cybersecurity Center of Excellence is a collaborative hub where industry organizations, government agencies and academic institutions work together to address businesses’ most pressing cybersecurity issues. 

A current project, Mitigating IoT-based Distributed Denial of Service, has the objective to reduce the vulnerability of IoT devices to botnets and other automated distributed threats, while limiting the utility of compromised IoT devices to malicious actors.

NIST is leading a range of activities that address other aspects of security and privacy.  A key effort is the NIST coordinated effort to develop an agile and standards-based Cybersecurity Framework.

The Framework was developed in response to threats to the nation’s critical infrastructure, with active engagement of over 3,000 experts from industry, government and academia. Last month, we released an update to the Framework that incorporates experience and lessons learned over the past 4 years. The Framework has been embraced by many in industry because of the alignment of the technical approaches with the business use-case and the heavy dependence on standards.

NIST security work addresses aspects such as cybersecurity for cyber-physical systems, for smart grid systems, for industrial control systems, etc.

To address the many challenges around privacy, we have a Privacy Engineering Program that is facilitating the development of trustworthy information systems. The NIST Privacy Engineering Program’s mission is to support the development of trustworthy information systems by applying measurement science and system engineering principles to the creation of frameworks, risk models, guidance, tools and standards that protect privacy and, by extension, civil liberties.

In addition, NIST will host the Assessing Privacy Controls Workshop on May 18 in Gaithersburg, Maryland. We are also accepting comments through June 22 on Updated Risk Management Framework, Incorporating Privacy Considerations.

In 2018, NIST received $2 million for work on IoT cybersecurity. In collaboration with industry and academia, primarily through grants, NIST will:

  • Conduct foundational research to identify and develop new approaches, specifications, algorithms and architectures to address current and future IoT cybersecurity needs,
  • Inform and develop cybersecurity standards and specifications to improve the cybersecurity for IoT devices and processes, and
  • Develop and issue guidance to help organizations improve cybersecurity for IoT and the environments in which they operate.

A key question for anyone interested in buying or deploying an IoT system is “will this system work with something that I already have or something that I may purchase in the future?” That is the challenge of interoperability.

There are both technical and business aspects of interoperability. NIST focuses on a systems-level approach to remove technical barriers to interoperability. We have worked with a broad community of stakeholders to help develop vocabulary and reference architectures, identified use cases to help determine and evaluate common IoT characteristics, actors and interfaces. NIST has invested in the development of interoperability test beds, allowing us to simulate, and real-world systems to validate system and device interoperability.

Our strong ties and partnerships with the private sector have helped us make important contributions to international organizations such as the Industrial Internet Consortium and International Standards Organization committees.

Our third priority focus is reliable connectivity.

NIST is exploring the many facets of the connectivity puzzle. For example, we’re improving measurement techniques to ensure a larger number of IoT devices can perform reliably in increasingly congested wireless spectrum bands. We’re studying how devices can share spectrum in a more efficient manner such as through software defined networks by using machine learning approaches, or through the development of cognitive networks.

5G communication technologies play a critical role in the development of IoT applications. Full-scale deployment will benefit from NIST work on designing and testing antennas and antenna arrays.

NIST’s Boulder laboratory has a unique test facility called the National Advanced Spectrum and Communications Test Network. A partnership between NIST, the Dept. of Defense and NTIA, it provides a neutral testing platform for addressing spectrum-sharing challenges. We’re also facilitating partnerships that bring together technological and policy aspects.

An effort we initiated in 2014 has now evolved into a global effort known as the Global Cities Team Challenge, or GCTC.  More than 400 companies and universities collaborate with cities and communities to develop solutions to specific community challenges such as urban transportation, infrastructure monitoring, public safety, health care delivery, etc. The program now has more than 200 projects. Teams share their experiences and lessons learned with others in the community.  This, in turn, helps spur development of consensus standards based on these lessons learned.

In all our technical work on IoT issues, we pride ourselves on understanding and championing U.S. industry’s priorities and concerns. We do our best to represent those concerns through organizations like the Joint Technical Committee 1 of the International Organization for Standardization and the International Electrotechnical Commission (ISO-IEC/JTC1), the IEEE, etc. In bodies such as ITU, we have partnered with U.S. government, the U.S. private sector and other foreign stakeholders to ensure that standards development activities in ITU do not duplicate work that is underway in other bodies and where there is a natural locus of expertise. In multilateral organizations such as the G20, we work to ensure that governments around the world recognize the overarching importance of industry-led standardization activities.

We are just starting to scratch the surface of what IoT can do and will do. IoT is radically changing what’s possible in our lives. 

But before we can realize those dreams, we must increase confidence in IoT technologies by strengthening those three essential pillars — trust, interoperability and connectivity.  While we have much to do, the people in this room are ideally positioned to help us get there.

I strongly urge you to engage in standards development. There are a wide range of standards organizations developing standards for every aspect of IoT technologies and their applications. We are very proud of the widespread use of our Cybersecurity Framework 1, and I encourage everyone to adopt the guiding principles to help us all have a safe and secure cyber experience.

Many federal and state-level agencies are asking for IoT-related opinions. Make your voice heard at community hearings on deployment of smart city technologies or provide feedback documents from federal agencies like NIST. Collaboration and partnerships will make the difference.  This is almost always the best way to find practical solutions to complex challenges.  And it’s the only way we’ll realize the full promise of IoT for advancing US competitiveness.

Thanks for your attention and I'm looking forward to hearing about your progress.

Created June 19, 2018, Updated June 20, 2018