NIST Surveys and Assesses Broad Landscape of IoT Cybersecurity Standards in Interagency Report

By Kate M. Growley, CIPP/G, CIPP/US, Paul Mathis, Gabriel M. Ramsey & Cheryl A. Falvey on December 26, 2018

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

  • Connected vehicle IoT, which includes technologies enabling “vehicles, roads, and other infrastructure to communicate and share vital transportation information,”
  • Consumer IoT, consisting of “IoT applications in residences as well as wearable and mobile devices,”
  • Health IoT, encompassing those systems and devices that process “data derived from sources such as electronic health records and patient-generated health data,”
  • Smart building IoT, which includes “energy usage monitoring systems, physical access control security systems and lighting control systems,” and
  • Smart manufacturing IoT, those applications which enable “enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.”

How Those Areas are Mitigating Cyber Risk

The Report goes on to assess the current methods used to mitigate the cybersecurity risks common to the five categories and the available standards for evaluating those methods. It does so by applying a separate cybersecurity framework developed under NISTIR 8074 Volume 2: Supplemental Information for the Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity (2015). The 8074 framework breaks cybersecurity measures down into a taxonomy of twelve distinct groups, which together represent “key attributes of cybersecurity that broadly impact the overall cybersecurity” of a system, and which “may be interdependent.” The twelve divisions of the 8074 framework are:

  • Cryptographic techniques,
  • Cyber incident management,
  • Hardware assurance,
  • Identity and access management,
  • Information security management systems (ISMS),
  • IT system security evaluation,
  • Network security,
  • Physical security,
  • Security automation and continuous monitoring (SACM),
  • Software assurance,
  • Supply chain risk management (SCRM), and
  • System security engineering.

For each of the twelve divisions of the framework, the Report evaluates the state of the available risk mitigation methods, and the standards that support them, across the five major IoT application areas. The Report summarizes the maturity of these methods and standards in Table 4 (pp. 56-57 of the Report).

Throughout the Report, NIST is careful to note that the traditional IT cybersecurity objectives hierarchy of “Confidentiality, then Integrity, and lastly Availability” may be prioritized differently by parties in the IoT space, given that “IoT systems cross multiple sectors as well as use cases within those sectors.” As such, developing and evaluating IoT cybersecurity standards will require “tailoring existing standards and creating new standards to address challenges,” especially where standards gaps exist.

Posted in: Privacy & Data Security
Blog: Data Law Insights
Organization: Crowell & Moring LLP
