News

NIST Report Urges IT Organizations To Adjust to IoT Challenges

• By Michael Desmond
• July 10, 2019

By 2020, research firm IoT Analytics projects that some 9.3 billion connected, Internet of Things (IoT) devices will be deployed worldwide, up from 7 billion in 2018. By 2025, that figure could rise to 21.5 billion, according to the firm's projections.

That kind of runaway proliferation can only worsen the challenges that come with deploying, managing and securing diverse fleets of IoT devices and sensors. Limited on-board functionality, inscrutable (or non-existent) interfaces, and uneven management capabilities all combine to increase the risk to devices, data and personal privacy.

A recent report from the National Institute of Standards and Technology (NIST), titled "Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks," finds that most IT organizations are ill-equipped to deal with their growing IoT deployments. According to the report, current IT tooling and practices, designed to address conventional infrastructures, fail to account for the unique dynamics, vulnerabilities and challenges of IoT devices.

The report calls out three major differences in the way IoT devices interact and behave, compared to traditional IT system.

First, many IoT devices interact with the physical world. As the report states, these devices may operate under requirements for "performance, reliability, resilience and safety that may be at odds with common cybersecurity and privacy practices for conventional IT devices." In some cases, these operations may pose direct threats to human safety, while in others the ability to remotely access physical systems poses a new threat to previously inaccessible systems.

Second, IoT devices are often "black boxes," with limited facilities for access, management or monitoring compared to traditional IT systems. Lack of management features, interfaces and unified software tooling can stymie organization's efforts to manage fleets of IoT devices in the field, adding to risk.

Third, IoT devices often possess limited cybersecurity and privacy capabilities compared to established IT systems. Limitations with on-board logging, encryption and authentication can impair robust management and add to effort. Likewise, discreet tooling like firewalls, anti-malware servers and intrusion prevention packages, may be limited in their ability to effectively secure IoT systems, which often employ protocols and communication patterns distinct from IT systems.

To protect device security, data security and individual privacy, the report urges IT organizations to "ensure they are addressing the cybersecurity and privacy risk considerations and challenges throughout the IoT device lifecycle for the appropriate risk mitigation goals and areas."

This advice distills down to understanding IoT device risk considerations and mitigation challenges, adjusting policies and processes to account for these concerns, and then implementing the updated mitigation practices.