National Institute of Standards and Technology releases papers on IoT, including a paper on the future of IoT cybersecurity

June 24, 2022

The National Institute of Standards and Technology (“NIST”) has released a very interesting Discussion Essay titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity as a prelude to a seminar that took place on 22 June 2022.

The abstract provides:

Abstract

Some of the interesting issues arising from the essay:

  • a manufacturer can identify its expected customers and use cases for a product, then build the product to best address the needs and goals of those expected customers based on identified risks related to the IoT product.
  • an IoT product brings together different technologies, which can have varying implications for risk, even at this most basic level:
    • at least one transducer
    • networking technology

  • technologies may be adopted for multiple use cases, which in turn may be relevant to multiple customers.
  • IoT products may be used by unexpected customers, or for unexpected use cases even by expected customers, in what can be called emergent use cases.
  • most IoT products are inherently heterogeneous in their composition: combining networking capabilities with transduction capabilities.
  • an IoT device combines networking and computing technologies with sensing and actuating modules. They may be further supported by other kinds of technology such as:
    • a real-time control network,
    • a controller console and/or app,
    • often a cloud server or private server,
    • wireless and/or wired networks, and
    • a wide variety of other components.
  • when manufacturers recognize the heterogeneity factors within their IoT products, they are better able to identify the risks throughout all the IoT product components.
  • IoT technology heterogeneity within a device/product can bring together many disparate risks and even create a variety of unique risks for the specific combination of technologies.
  • while cybersecurity risks can be similar for IoT products with comparable computing, connectivity, and features, additional considerations about how the product will be used by customers can change those risks and/or the appropriate support expected by the customer.
  • who is to use the IoT product must also be considered to determine the pertinent risks and especially appropriate support to help customers address those risks.
  • Industrial IoT product customers may need different cybersecurity capabilities than home IoT product customers, even for a similar use case.
  • another complicating factor for IoT risk identification is the interplay of cybersecurity risks with other forms of risk that IoT products may face contextually based on their technologies, customers, and use cases.
  • a manufacturer can plan for expected customers and use cases of their IoT devices during the pre-market phase of development.
  • emergent customers and use cases pose a challenge for IoT because of the dynamic nature of IoT adoption and use, and the sometimes conflicting demands of disparate customers and use cases. There may be risks different from those of the intended customer/use case, such that the IoT product and manufacturer cannot ever support the emergent case.
  • where possible, off-the-shelf IoT products being usable for broad sets of customers and use cases can help reduce costs, increase efficiencies, foster adoption, and increase the cybersecurity of IoT overall.
