Now that the foundational concepts presented in part 1 and 2 of this analysis are understood, it is time to look at NIST 8228’s Section 4 Challenges with Cybersecurity and Privacy Risk Mitigation for IoT Devices and Section 5 Recommendations for Addressing Cybersecurity and Privacy Risk Mitigation Challenges for IoT Devices
First, Section 4, Challenges with Cybersecurity and Privacy Risk Mitigation for IoT Devices. This section presents 3 goals
- Protect device security
- Protect data security
- Protect individuals’ privacy
Each goal builds on the previous and cannot be taken in isolation. I will quote the details on each goal as it these are used extensively in the document’s challenges and recommendations tables.
- Risk mitigation areas for Goal 1, Protect Device Security:
Asset Management: Maintain a current, accurate inventory of all IoT devices and their relevant characteristics throughout the devices’ lifecycles in order to use that information for cybersecurity and privacy risk management purposes.
- Vulnerability Management: Identify and eliminate known vulnerabilities in IoT device
software and firmware in order to reduce the likelihood and ease of exploitation and
- Access Management: Prevent unauthorized and improper physical and logical access to, usage of, and administration of IoT devices by people, processes, and other computing devices.
- Device Security Incident Detection: Monitor and analyze IoT device activity for signs of incidents involving device security.
Risk mitigation areas for Goal 2, Protect Data Security:
- Data Protection: Prevent access to and tampering with data at rest or in transit that might expose sensitive information or allow manipulation or disruption of IoT device
- Data Security Incident Detection: Monitor and analyze IoT device activity for signs of incidents involving data security.
Risk mitigation areas for Goal 3, Protect Individuals’ Privacy:
- Information Flow Management: Maintain a current, accurate mapping of the information lifecycle of PII, including the type of data action, the elements of PII being
processed by the data action, the party doing the processing, and any additional relevant contextual factors about the processing to use for privacy risk management purposes.
- PII Processing Permissions Management: Maintain permissions for PII processing to prevent unpermitted PII processing.
- Informed Decision Making: Enable individuals to understand the effects of PII processing and interactions with the device, participate in decision-making about the PII
processing or interactions, and resolve problems.
- Disassociated Data Management: Identify authorized PII processing and determine how PII may be minimized or disassociated from individuals and IoT devices.
- Privacy Breach Detection: Monitor and analyze IoT device activity for signs of breaches involving individuals’ privacy.
These goals are examined in Sections 4.1, 4.2, and 4.3 of the document and delineate the “challenges” for cybersecurity and risk managers because these differ from conventional IT systems. They accomplish this by using a table that has 4 columns, the purpose of which needs to be understood:
- First column: a brief statement of the challenge, with each challenge uniquely numbered to make it easy to reference, and the numbers of the risk considerations from Section 3 that cause the challenge.
- Second column: examples of draft NIST SP 800-53 Revision 5 controls that might be negatively affected to some extent for some individual IoT devices.
- Third column: the potential implications for the organization if a substantial number of IoT devices are affected by the challenge.
- Fourth column: examples of Cybersecurity Framework Subcategories that might be negatively affected to some extent by the implications.
The NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations is still in draft form and is geared to conventional IT systems. This is good because it alerts the reader to the real differences that IoT devices have with respect to conventional IT with which the reader is more than likely familiar.
The reference to the Cybersecurity Framework Subcategories is actually a reference to the NIST Framework for Improving Critical Infrastructure Cybersecurity subcategories
Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
Three tables are presented that tie back to the goals, specifically, the challenges to meet these goals
- Table 1: Potential Challenges with Achieving Goal 1, Protect Device Security -aims to help cybersecurity and privacy risk managers
understand how IoT devices may or may not fit into their existing mitigations and/or impact how cybersecurity and privacy outcomes for their organization are currently achieved.
- Table 2: Potential Challenges with Achieving Goal 2, Protect Data Security follows the same conventions as Table 1, but for protecting data security. It is assumed that if data security needs to be protected, device security needs protection as well, so the challenges in both tables would need to be considered
- Table 3: Potential Challenges with Achieving Goal 3, Protect Individuals’ Privacylists potential challenges with achieving goal 3, protecting individuals’ privacy by mitigating privacy risk arising from authorized PII processing. It follows the same conventions as the previous tables, but it omits mappings to Cybersecurity Framework Subcategories since the Cybersecurity Framework does not address privacy risks from authorized PII processing.
Section 5. Recommendations for Addressing Cybersecurity and Privacy Risk Mitigation Challenges for IoT Devices
This section presents the recommendations and presents a threee step process of understanding, adjusting, and implementation:
1. Understand the IoT device risk considerations (Section 3) and the challenges they may cause to mitigating cybersecurity and privacy risks for IoT devices in the appropriate risk mitigation areas (Section 4).
2. Adjust organizational policies and processes to address the cybersecurity and privacy risk mitigation challenges throughout the IoT device lifecycle. Section 5.1 provides more information on this. Section 4 of this publication cites many examples of possible challenges, but each organization will need to customize these to take into account mission requirements and other organization-specific characteristics.
3. Implement updated mitigation practices for the organization’s IoT devices as you would any other changes to practices (Section 5.2).
Section 5 of the NIST 8228 again drives home the point that organizations need to address the risk “throughout the IoT device lifecycle in their cybersecurity and privacy policies and processes”. They warn the reader that “some IoT devices may affect other types of risks and introduce new risks to safety, reliability, resiliency, performance, and other areas.” They admit this may be difficult and that trade-offs will be need to be made especially when safety issues are at hand.
For example, suppose a particular IoT device is critical for safety. Requiring personnel in a physically secured area to enter a password in order to gain local access to the IoT device could delay intervention during a malfunction. Additional requirements involving password length, password complexity, and automatic account lockouts after consecutive failed authentication attempts could cause far longer delays, increasing the likelihood and magnitude of harm.
The current lack of a secure unified central IoT management platform for many IoT devices only compounds this difficulty in my opinion.
The rest of Section 5 ties back to the areas of the Cybersecurity Framework Subcategories that are “are most likely to need adjustments so the organizational policies and processes adequately address cybersecurity risk throughout the IoT device lifecycle.” It is a sobering read. Likewise, it also ties back to the tasks in NIST SP 800-37 Revision 2 -Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy that will also need to be adjusted, namely:
- Prepare, Organization Level, Task P-1: Risk Management Roles
- Prepare, Organization Level, Task P-2: Risk Management Strategy
- Prepare, Organization Level, Task P-3: Risk Assessment—Organization
- Prepare, System Level, Task P-8: Mission or Business Focus
- Prepare, System Level, Task P-13: Information Life Cycle
- Prepare, System Level, Task P-14: Risk Assessment—System
- Prepare, System Level, Task P-15: Requirements Definition
I think the concluding summary in “5.2 Implementing Updated Risk Mitigation Practices” of document is accurate as it contrasts the challenges of mitigating cybersecurity and privacy risks to that of conventional IT with which an organization is already accustomed to dealing:
In contrast, most organizations may have many more types of IoT devices than conventional IT devices because of the single-purpose nature of most IoT devices. An organization may need to determine how to manage risk for hundreds or thousands of IoT device types. Capabilities vary widely from one IoT device type to another, with one type lacking data storage and centralized management capabilities, and another type having numerous sensors and actuators, using local and remote data storage and processing capabilities, and being connected to several internal and external networks at once. The variability in capabilities causes similar variability in the cybersecurity and privacy risks involving each IoT device type, as well as the options for mitigating those risks.
In addition, an organization may need to determine how to manage risk not just by device type, but also by device usage. The way a device is to be used may indicate that one security objective, such as integrity, is more important than another, such as confidentiality, and that in turn may necessitate different mechanisms to risk mitigation. Similarly, a device might be used in such a way that some of its capabilities are not needed and can be disabled, which could reduce the device’s risk.
My own conclusion aligns with this. Organizations of all sizes, and SOHO and consumers, need to understand the cybersecurity and privacy risks that associated with deploying IoT devices. Not doing so will open up organizations to serious issues, including liability, in the event of a breach that results in a critical failure or leakage of private information. Consumers need to be especially wary because the deployment of IoT devices is often done on home or SOHO office FLAT networks.