Feedback Needed on NIST’s New Guidance for Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) produced a draft of the guidance that is made to support federal agencies and other firms understand the problems associated with securing Internet of Things (IoT) tools and dealing with the cybersecurity and privacy threats brought in by IoT devices.

The first guidance document named Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a sequence of publications that will address cybersecurity and privacy concerns. This document is the fundamentals for a sequence of other guides which study IoT device cybersecurity and privacy in finer detail.

NIST mentioned that IoT is a swiftly evolving and widening collection of diverse technologies being used in the physical world. Plenty of organizations aren’t always aware of the IoT devices they’re already employing and how IoT devices is impacting cybersecurity and privacy risks in varied ways than standard IT devices.

In the guidance document, NIST talks about the three high-level issues that can affect the management of risks brought about by IoT devices:
1. IoT devices typically interact with the physical world in a distinct way unlike standard IT devices.
2. IoT devices aren’t usually accessed, managed, and inspected just as standard IT devices.
3. The availability and effectiveness of cybersecurity and privacy settings of IoT devices aren’t similar to standard IT devices.

Cybersecurity and privacy risks should be taken care of to finish the lifecycle of IoT devices and must be in line with the three high-level mitigation goals:
Not using IoT devices to run attacks
Protecting the availability, confidentiality and integrity of data stored in the devices
Protecting personal privacy

The guidance report offers a few ways to satisfy these goals and talks about the issues that companies might face getting to those goals. Nonetheless, taking into consideration that IoT devices are so different, it is not likely that all recommendations are helpful to all situations, levels of risk and kinds of device.

NIST would like to receive the comments of the public concerning the document and will get feedback until October 24, 2018. The draft document can be found on this link.