IoT Poses Special Cyber Risks

Uploaded on 2018-10-12 in TECHNOLOGY--Developments, NEWS-News Analysis, FREE TO VIEW, TECHNOLOGY-Key Areas-Internet of Things

Internet-connected devices pose special risks for federal agencies, and the National Institute of Standards and Technology is developing guidance to meet the need.

Connected sensors, smart-building technology, drones and autonomous vehicles can't be managed in the same way as traditional IT, according to a NIST draft publication, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The document points out that basic cybersecurity capabilities often aren't available in IoT devices.

Federal agencies must “consider that IoT presents challenges in achieving those [cybersecurity] outcomes or there are challenges that IoT may present in achieving security controls -- and we wanted to highlight those,” Katerina Megas, program manager for NIST's Cybersecurity for Internet of Things program, told FCW at the Internet of Things Global Summit on Oct. 4.

"We felt putting out something initial on IoT was the most important -- to get something out as quickly as possible," she said. "There will be plans in the future to get more focused, more specialized."

One of NIST's next steps is to develop a potential baseline of cybersecurity standards for IoT devices, she said.

NIST is accepting comments on the draft through Oct. 24. Before a final version is published, Megas said, "we plan on starting to release iterative discussion documents to talk about if there were a baseline for IoT devices."

Robert S. Metzger, a government contracting attorney at Rogers Joseph O'Donnell, said that the federal government is exposed to the security and privacy risks of the IoT ecosystem through relationships with vendors.

"The IoT is all over us whether we know it or not,"  Metzger said. "Even if government is not buying it, so many surfaces upon which government depends are using it. Vendors are using it, and so the government becomes, if you will, not so much a hostage but among those exposed to the IoT deployment by commercial enterprises."

Although the IoT creates new and more attack surfaces for potential bad actors, and it opens up both networks and hardware to potential threats, that doesn’t mean it should be shunned, Metzger said at the conference.

One place the government can begin to ask for better security is in the procurement process for these technologies, according to Tom McDermott, the deputy assistant secretary of cyber policy at the Department of Homeland Security.

"We are always looking to think about how we can use federal procurement authority and federal procurement power to drive better cybersecurity outcomes," McDermott said.

A bill proposed by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) last year would impose basic cybersecurity standards on IoT devices procured by the federal government, including changeable passwords and a requirement that software and firmware be patchable. So far, the bill hasn't advanced, although a companion measure was introduced in the House of Representatives.

Separately, NIST put out a call in April for ideas on lightweight encryption, with an eye to developing security measures that could be deployed on resource-constrained IoT devices.

FCW:

You Might Also Read:

Security Flaws In Smart City Technology

« Moscow Challenges The Hague About Alleged Cyber Attack
Robotics Will Soon Become Mainstream In Finance »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Nmap Project

Nmap Project

Nmap Project is a Free and open source tool for network discovery, administration, and security auditing.

Radiant Logic

Radiant Logic

Radiant Logic is a market-leading provider of federated identity solutions based on virtualization, and delivers simple, logical, and standards-based access to all identities within an organization.

Cyber Akademie (CAk)

Cyber Akademie (CAk)

Cyber Akademie is a training and education center providing high-quality training and information events on information security and data protection.

X-act Forensics

X-act Forensics

X-act forensics are computer forensic experts with experience in cases of computer fraud, intellectual property theft, and social networking cases.

Igloo Security

Igloo Security

Igloo Security is a leader and pioneer in SIEM (Security Information & Event Management), PSIM (Physical Security Information Management) and MSS (Managed Security Services).

Bunifu Technologies

Bunifu Technologies

Bunifu Technologies is an Information Security and Custom Software Development Company.

National Cyber Security Centre (NCSC) - New Zealand

National Cyber Security Centre (NCSC) - New Zealand

The role of the NCSC is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.

Systems Assessment Bureau (SAB)

Systems Assessment Bureau (SAB)

Systems Assessment Bureau is an internationally recognized ISO Certification Body with a unique vision of “Excel together with global standards”.

Cyphere

Cyphere

Cyphere is a cyber security company that helps to secure most prized assets of a business. We provide technical risk assessment (pen testing/ethical hacking) and managed security services.

InferSight

InferSight

InferSight can help you design an architecture that takes into account security, performance, availability, functionality, resiliency and future capacity to avoid technological lock in and limitations

ImpactQA

ImpactQA

ImpactQA is a global leading software testing & QA consulting company. Ten years of excellence. Delivering unmatched services & digital transformation to SMEs & Fortune 500 companies.

Winmill Software

Winmill Software

Winmill is a technology services company that provides expert consulting services in Application Development, Application Security and Cyber Security.

Istari

Istari

ISTARI is a new kind of cyber risk management company. We’re an agile collective of best-in-class capabilities and experts, who build ongoing partnerships with clients.

Arctic Group

Arctic Group

Arctic Group is a Swedish service provider focusing on cybersecurity, integration services and deployment of software development tools.

Hetz Ventures

Hetz Ventures

Hetz Ventures is a global-facing VC investing in highly talented and ambitious Israeli founders who operate at the cutting edge of deep technology.

BLOCX

BLOCX

BLOCX is designed to address the ever-growing challenges of managing and securing digital devices, from personal computers to corporate networks.