IoT Poses Special Cyber Risks

Internet-connected devices pose special risks for federal agencies, and the National Institute of Standards and Technology is developing guidance to meet the need.

Connected sensors, smart-building technology, drones and autonomous vehicles can't be managed in the same way as traditional IT, according to a NIST draft publication, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The document points out that basic cybersecurity capabilities often aren't available in IoT devices.

Federal agencies must “consider that IoT presents challenges in achieving those [cybersecurity] outcomes or there are challenges that IoT may present in achieving security controls -- and we wanted to highlight those,” Katerina Megas, program manager for NIST's Cybersecurity for Internet of Things program, told FCW at the Internet of Things Global Summit on Oct. 4.

"We felt putting out something initial on IoT was the most important -- to get something out as quickly as possible," she said. "There will be plans in the future to get more focused, more specialized."

One of NIST's next steps is to develop a potential baseline of cybersecurity standards for IoT devices, she said.

NIST is accepting comments on the draft through Oct. 24. Before a final version is published, Megas said, "we plan on starting to release iterative discussion documents to talk about if there were a baseline for IoT devices."

Robert S. Metzger, a government contracting attorney at Rogers Joseph O'Donnell, said that the federal government is exposed to the security and privacy risks of the IoT ecosystem through relationships with vendors.

"The IoT is all over us whether we know it or not," Metzger said. "Even if government is not buying it, so many surfaces upon which government depends are using it. Vendors are using it, and so the government becomes, if you will, not so much a hostage but among those exposed to the IoT deployment by commercial enterprises."

Although the IoT expands the attack surface available to adversaries and exposes both networks and hardware to new threats, that doesn't mean it should be shunned, Metzger said at the conference.

One place the government can begin to ask for better security is in the procurement process for these technologies, according to Tom McDermott, the deputy assistant secretary of cyber policy at the Department of Homeland Security.

"We are always looking to think about how we can use federal procurement authority and federal procurement power to drive better cybersecurity outcomes," McDermott said.

A bill proposed by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) last year would impose basic cybersecurity standards on IoT devices procured by the federal government, including changeable passwords and a requirement that software and firmware be patchable. So far, the bill hasn't advanced, although a companion measure was introduced in the House of Representatives.

Separately, NIST put out a call in April for ideas on lightweight encryption, with an eye to developing security measures that could be deployed on resource-constrained IoT devices.

Source: FCW
