NIST seeks industry help to secure tiny IoT medical devices

Register now

Cryptography experts specializing in secure communications at the National Institute of Standards and Technology are looking for ways to protect data created by tiny networked devices that are being used in Internet of Things applications and projects.

These tiny IoT devices, which include sensors, actuators (components of a machine that move or control a mechanism or system) and other micromachines will need a new class of defense mechanisms against cyberattacks.

The devices will work on scant electrical power and use less complex circuitry than chips found in the simplest cell phone, according to the NIST. Some of these small electronics exist today, such as in the keyless entry fobs to turn on cars.

Also See: NIST offers guidance for securing wireless infusion pumps

A major challenge to using the devices is how to encrypt them; current encryption methods may demand more electronic resources than the devices can hold, experts say.

NIST has sent out a call for a project to develop ways to secure data in a constrained environment and seeks help in developing requirements and guidelines. The agency released a draft document, available here, to the software community and will soon make a formal request to developers to produce appropriate encryption algorithms.

“The IOT is exploding, but there are tons of devices that have nothing for security,” says Kerry McKay, a NIST computer scientist. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider and lots of variations. Our thinking has to be broad for that reason.”

McKay and other NIST professionals have spent four years consulting with power grid experts and automobile manufacturers among other industries. Based on that work, the decision was made that submitted algorithms for a project must have been published previously and also been analyzed by a third-party.

“We feel it’s a fair request because people have been working on crypto for constrained environments for several years now, McKay says. “We want to see things that the world has looked at already,” she adds.

Some tiny device manufacturers have told NIST that now is the time to establish effective standards for the development and safety of devices.

“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices,” says Matt Robshaw, a technical fellow at Imping, a company that develops technology to track small devices. “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.”

A report from NIST on “lightweight” cryptography is available here. The draft document of NIST's plan is here.

For reprint and licensing requests for this article, click here.