THE NIST CYBERSECURITY FRAMEWORK is rapidly becoming the gold standard for designing complete layered defense strategies. Now NIST guidance is available specifically for IoT environments in the form of the recently published NISTIR 8228, titled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”
“NIST 8228 includes a strong set of recommendations for companies implementing IoT,” says Jeff Wilbur, technical director of the Online Trust Alliance (OTA), part of the Internet Society.
NIST 8228 is directly relevant to integrators and technicians building and managing IoT networks. In its introduction, the document identifies three high-level considerations that set IoT apart from conventional IT:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
In addition, NIST 8228 lists three major “risk mitigation goals.” First, protect device security: prevent the device itself from being compromised and from being used to launch attacks on other systems. Second, protect data security: preserve the confidentiality, integrity, and availability of the data the device collects, stores, processes, or transmits. Finally, protect individuals’ privacy: limit the risks created by the device’s handling of personally identifiable information, beyond what device and data security alone address. These goals appear on page 11, and most of the remaining pages of the 44-page document detail ways to achieve them.
According to Wilbur, NIST 8228 is chiefly targeted at federal users. “It outlines a spectrum of risks in IoT for implementers, and they can choose where on that spectrum they feel comfortable,” he says.