NIST NISTIR 8228 Analysis – Part 2  Analysis of “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, NISTTIR 8228, Final, June 2019

Today I will dive into section 2. Device Capabilities and section 3. Cybersecurity and Privacy Risk Considerations.

2. Device Capabilities

As stated in the document, it is not an exhaustive list of IoT capabilities, but addresses those that are a concern for cybersecurity and privacy risk. The NIST 8228 lists 3 overall areas

  1. Transducer capabilities – Sensors and Actuators
  2. Interface capabilities –
    • Application interface e.g., an API
    • Human user Interface e.g., touch screen, microphones, cameras, etc.
    • Network interface – e.g., Ethernet, Wi-Fi, Bluetooth, etc. [Every IoT device has at least one enabled network interface capability and
    • may have more than one]
  3. Supporting capabilities – functionality which supports the IoT device. e.g., device management, security, privacy.

A picture is worth a thousand words!

IoT Device Capabilities
IoT Device Capabilities Potentially Affecting Cybersecurity and Privacy Risk

3 Cybersecurity and Privacy Risk Considerations

Ok – here we begin to get to the heart of the matter. Firstly risk is

defined in NIST SP800-37 Revision 2 as “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

The document segments this into cybersecurity risk and privacy risk where:

cybersecurity risk is about threats—the exploitation of vulnerabilities by threat actors to compromise device or data confidentiality, integrity, or availability.

and privacy risk which

is about problematic data actions—operations that process personally identifiable information (PII) through the information lifecycle to meet mission or business needs of an organization or “authorized” PII processing and, as a side effect, cause individuals to experience some type of problem(s).

There is an overlap of course which can be seen by the following graphic

Relationship Between Cybersecurity and Privacy Risks
Relationship Between Cybersecurity and Privacy Risks

It is instructive that the document again underscores that  “IoT devices generally face the same types of cybersecurity and privacy risks as conventional IT devices, though the prevalence and severity of such risks often differ.”

What are the cybersecurity and privacy risk considerations to which organizations need to address through the entire IoT lifecycle? .

  1. Consideration 1: Device Interactions with the Physical World
  2. Consideration 2: Device Access, Management, and Monitoring Features
  3. Consideration 3: Cybersecurity and Privacy Capability Availability, Efficiency, and Effectiveness

I will briefly summarize each. Keep in mind this document is about risk

Consideration 1: Device Interactions with the Physical World. In summary: “Many IoT devices interact with the physical world in ways conventional IT devices usually do not. “

These include

  • IoT sensor data, representing measurements of the physical world, always has uncertainties associated with it.
  • The ubiquity of IoT sensors in public and private environments can contribute to the aggregation and analysis of enormous amounts of data about individuals
  • IoT devices with actuators have the ability to make changes to physical systems and thus affect the physical world.
  • IoT network interfaces often enable remote access to physical systems that previously could only be accessed locally.

The NIST 8228 correctly underscores that IoT devices interactions with the physical world are quite different from that of conventional IT systems

IoT device interactions with the physical world is the operational requirements devices must meet in various environments and use cases. Many IoT devices must comply with stringent requirements for performance, reliability, resilience, safety, and other objectives. These requirements may be at odds with common cybersecurity and privacy practices for conventional IT. For example, practices such as automatic patching are generally considered essential for conventional IT, but these practices could have far greater negative impacts on some IoT devices with actuators, making critical services unavailable and endangering human safety

…..

Another way to think of this is in terms of general cybersecurity objectives: confidentiality, integrity, and availability. For conventional IT devices, confidentiality often receives the most attention because of the value of data and the consequences of a breach of confidentiality. For many IoT devices, availability and integrity are more important than confidentiality because of the potential impact to the physical world. Imagine an IoT device that is critical for preventing damage to a facility. An attacker who can view the IoT device’s stored or transmitted data might not gain any advantage or value from it, but an attacker who can alter the data might trigger a series of events that cause an incident.

Consideration 2: Device Access, Management, and Monitoring Features In summary: “Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.” 

Very true and it presents many challenges which are enumerated

  • Lack of management features
  • Lack of interfaces
  • Difficulties with management at scale
  • Wide variety of software to manage
  • Differing lifespan expectations
  • Unserviceable hardware
  • Lack of inventory capabilities
  • Heterogeneous ownership

This is a pretty scary list which gives rise to my opinion that, in many respects, deploying IoT without understanding the risk aspects will lead to serious negative consequences.

Consideration 3: Cybersecurity and Privacy Capability Availability, Efficiency, and Effectiveness. In summary:  The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.”

The NIST 8228 makes two important distinctions: “pre-market and post-market capabilities.”

built-in cybersecurity and privacy capabilities are called pre-market capabilities. [These ship with the product]

Post-market  capabilities are those capabilities that organizations select, acquire, and deploy themselves in addition to pre-market capabilities.

Both pre and post markets capabilities are different from conventional IT for the following main reasons

  • Many IoT devices do not or cannot support the range of cybersecurity and privacy capabilities typically built into conventional IT devices.
  • The level of effort needed to manage, monitor, and maintain pre-market capabilities on each IoT device may be excessive.
  • Some post-market capabilities for conventional IT, such as network-based intrusion prevention systems, antimalware servers, and firewalls, may not be as effective at protecting IoT devices as they are at protecting conventional IT. IoT devices often use protocols that cybersecurity and privacy controls for conventional IT cannot understand and analyze. Also, IoT devices may communicate directly with each other, such as through point-to-point wireless communication, instead of using a monitored infrastructure network.

Click here for Part 1

Click here for Part 3