NIST offers guidance to aid security of IoT initiatives
A new report aims to help healthcare providers manage cybersecurity and privacy risks when Internet of Things devices are linked to a network.
The advice comes from the National Institute of Standards and Technology, a federal agency in the Commerce Department with a mission to promote U.S. innovation and technology. The report, “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks,” is the first in a series of documents the agency is creating to help IoT users protect themselves, data and networks from possible compromise.
Initial guidance focuses on large agencies and organizations, including sizable healthcare entities that are incorporating IoT into the workplace, but the content is appropriate for a variety of entities.
“The report is mainly for any organization that is thinking about security on the level of the NIST Cybersecurity Framework,” says Mike Fagan, a computer scientist and one of the report authors. “It’s targeted at the mode of thinking that a large organization would have more resources, more people, more ability, but also more risk of attack.”
Security concerns can come from anywhere, from thermostats to voice-operated devices that may not have traditional interfaces, report authors note.
“An IoT device might even have no interface at all, or have no way to install security software,” Fagan explains. “But it still might connect to your network and be visible electronically to an enemy looking for a potential way in. It’s this kind of incongruity with expectations that we want to help organizations think through before they bring IoT devices onto their network.”
At present, IoT remains an emerging field, and some challenges may disappear as the technology becomes more powerful, Fagan believes. “For now, our goal is awareness.”
This month, NIST will issue a draft of the baseline document for public comment and then conduct a workshop on August 13 to gather feedback from the industry.
“We would like to help all IoT users be aware of the risks to their security and privacy and help them approach those risks with open eyes,” Fagan concludes.
More information on the workshop is available here.