Analysis of “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, NISTTIR 8228, Final, June 2019

PART 1Goals of the Document

NIST is beginning to focus in on to the risks of risks of IoT. Unfortunately , the horse has already left the barn as all manner of issues (read hack/breach) have already shown up. That said, I welcome them aboard as their input, standards, and advice are sorely needed in this sector of the IT industry, which is sort of like the “Wild West” at moment.

They advise “Before Connecting an IoT Device, Check Out a New NIST Report for Cybersecurity Advice” The sounds like an “Implementation Guide.” It is not. In this Part 1 of my analysis, I wish to underscore the goals and scope of NIST 8228. Let’s start.

They clearly understand and state that

While the full scope of IoT is not precisely defined, it is clearly vast. Every sector has its own types of IoT devices, such as specialized hospital equipment in the healthcare sector and smart road technologies in the transportation sector, and there is a large number of enterprise IoT devices that every sector can use. Versions of nearly every consumer electronics device, many of which are also present in organizations’ facilities, have become connected IoT devices—kitchen appliances, thermostats, home security cameras, door locks, light bulbs, and TVs.

Many organizations are not necessarily aware they are using a large number of IoT devices. It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do. Once organizations are aware of their existing IoT usage and possible future usage, they need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response—accepting, avoiding, mitigating, sharing, or transferring risk.

Again, this is not a definitive implementation guide, but rather a really a risk mitigation document whose purpose is

to help organizations better understand and manage the cybersecurity and privacy risks associated with individual Internet of Things (IoT) devices throughout the devices’ lifecycles. This publication emphasizes what makes managing these risks different for IoT devices in general, including consumer, enterprise, and industrial IoT devices, than conventional information technology (IT) devices. It omits all aspects of risk management that are largely the same for IoT and conventional IT, including all aspects of risk management beyond the IoT devices themselves, because these are already addressed by many other risk management publications.

Key point: It emphasizes the risks that make IoT different and OMITs all aspects of risk that are now standard for conventional IT systems. This is an important nuance because so many people to whom I speak view IoT as a beast unto itself. It is not. The vast majority of IoT system implementations, as of this writing, need and should be implemented with conventional IT security. This NIST report underscores this:

However, this does not mean cybersecurity and privacy risks for an IoT device can all be addressed within the device itself. Every IoT device operates within a broader IoT environment where it interacts with other IoT and non-IoT devices, cloud-based services, people, and other components.

They further qualify the risks that are out-of-scope of the document:

For some IoT devices, additional types of risks, including safety, reliability, and resiliency, need to be managed simultaneously with cybersecurity and privacy risks because of the effects addressing one type of risk can have on others. Only cybersecurity and privacy risks are in scope for this publication.

Again this is an important nuance as we see a great deal of confusion in the market as to what IoT really is and is not. Many like to lump Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC) into the IoT bucket. That is a mistake.

SCADA Systems have been around since the 1960s and involved electro-mechanical sensors and actuators, alarms, bells, etc. PLCs have traditionally gathered data from connected sensors and processed and output results pre-programmed metrics. As computer and robotic systems improved, SCADA systems improved with it and became much more complex and sophisticated.

Where IoT and SCADA systems now overlap is in the area of sensors.The sensors help the SCADA systems collect their data. Example temperature sensors, measurement sensors of all sorts – heat, humidity, tolerances, etc. Sensors need to talk to something. They can talk to SCADA systems for industrial applications or to Alarm Panels for Perimeter Security Systems, or your smart phone and some cloud system for your refrigerator or house temperature. Here is where one of the major security risks lie – sensors talking, or practically, the interconnection between the sensor and the system to which it speaks. That is what is new and shiny. The system itself should already be secured via well established convectional IT methods.

Key point: IoT is not SCADA and SCADA is not IoT. That said, IoT and SCADA overlap and that overlap is often in the sensor arena. I plan to discuss this in a separate article at some point. (For those looking for a more technical guide Guide to Industrial Control Systems (ICS) Security see NIST Guide to Industrial Control Systems (ICS) Security  SP 800-82 Rev. 2 (DOI) June 3, 2015.

But I digress, this NIST 8228 and this analysis focuses on IoT security and that is what we shall do.

Click here for Part 2
Click here for Part 3