IoT Poses Special Cyber Risks

Internet-connected devices pose special risks for federal agencies, and the National Institute of Standards and Technology is developing guidance to meet the need.

Connected sensors, smart-building technology, drones and autonomous vehicles can't be managed in the same way as traditional IT, according to a NIST draft publication, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The document points out that basic cybersecurity capabilities often aren't available in IoT devices.

Federal agencies must “consider that IoT presents challenges in achieving those [cybersecurity] outcomes or there are challenges that IoT may present in achieving security controls -- and we wanted to highlight those,” Katerina Megas, program manager for NIST's Cybersecurity for Internet of Things program, told FCW at the Internet of Things Global Summit on Oct. 4.

"We felt putting out something initial on IoT was the most important -- to get something out as quickly as possible," she said. "There will be plans in the future to get more focused, more specialized."

One of NIST's next steps is to develop a potential baseline of cybersecurity standards for IoT devices, she said.

NIST is accepting comments on the draft through Oct. 24. Before a final version is published, Megas said, "we plan on starting to release iterative discussion documents to talk about if there were a baseline for IoT devices."

Robert S. Metzger, a government contracting attorney at Rogers Joseph O'Donnell, said that the federal government is exposed to the security and privacy risks of the IoT ecosystem through relationships with vendors.

"The IoT is all over us whether we know it or not," Metzger said. "Even if government is not buying it, so many surfaces upon which government depends are using it. Vendors are using it, and so the government becomes, if you will, not so much a hostage but among those exposed to the IoT deployment by commercial enterprises."

Although the IoT creates new and more attack surfaces for potential bad actors, and it opens up both networks and hardware to potential threats, that doesn’t mean it should be shunned, Metzger said at the conference.

One place the government can begin to ask for better security is in the procurement process for these technologies, according to Tom McDermott, the deputy assistant secretary of cyber policy at the Department of Homeland Security.

"We are always looking to think about how we can use federal procurement authority and federal procurement power to drive better cybersecurity outcomes," McDermott said.

A bill proposed by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) last year would impose basic cybersecurity standards on IoT devices procured by the federal government, including changeable passwords and a requirement that software and firmware be patchable. So far, the bill hasn't advanced, although a companion measure was introduced in the House of Representatives.

Separately, NIST put out a call in April for ideas on lightweight encryption, with an eye to developing security measures that could be deployed on resource-constrained IoT devices.

Source: FCW
