NIST’s New Guidance Document on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft of a guidance document that will assist federal agencies and companies with safeguarding Internet of Things (IoT) devices and managing cybersecurity and privacy risks which IoT devices can introduce.

The guidance document, entitled Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228), is the first document in a series that will address both cybersecurity and privacy issues. This document will form the foundation on which several other guidance documents will be based, with further guidance documents covering specific elements of privacy and cybersecurity related to IoT devices.

NIST explained that IoT is a constantly changing and broadening collection of different technologies that interact with the physical world. Many organizations are not always cognizant of the quantity of IoT devices there’re already utilizing, and neither how IoT devices could introduce cybersecurity and privacy risks in a way that traditional information technology devices do not.

NIST pinpoints in the guidance document the three high-level concerns that could impact the management of risks which IoT devices could introduce:

  • IoT devices often interact with the physical world in a different way to regular IT devices.
  • IoT devices are not normally accessed, managed, and checked in the same way as regular IT devices.
  • The availability and efficiency of cybersecurity and privacy controls of IoT devices are not the same as regular IT devices.

Cybersecurity and privacy risks must be managed for the complete lifecycle of IoT devices and cover three high-level mitigation targets:

  • Preventing IoT devices from being used for cyberattacks
  • Safeguarding the confidentiality, integrity and availability of data saved on the devices
  • Ensuring the privacy of individuals

The guidance document proposes several ways to meet these goals and discusses the difficulties that organizations might encounter reaching those targets. Since IoT devices are so varied, it is hard to make recommendations that are applicable to all conditions, levels of risk and types of device.

NIST is seeking public comments on the document up to October 24, 2018. The draft document is available here.