Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks. Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, aims to increase awareness among federal agencies and other organizations of the cybersecurity and privacy risks related to IoT devices throughout their lifecycles. NIST intends for NISTIR 8228 to be a high-level baseline publication for IoT device risk mitigation, since few recommendations can apply to all IoT concerns due to the myriad uses for and types of IoT devices. NIST plans to issue subsequent publications that provide more detailed recommendations for certain IoT device categories. Notably, though, Appendix A of the Draft NISTIR 8228 lists examples of possible universal IoT risk mitigation recommendations.
In the Draft NISTIR 8228, NIST highlights the unique risks that IoT devices present since they interact differently with information systems compared to traditional IT devices. In addition, NIST raises the concern that many organizations are not aware of the large volume of IoT devices functioning within their information system environment, or of how IoT devices can affect cybersecurity and privacy risk management, especially in terms of risk response. The Draft NISTIR 8228 presents the following three risk mitigation goals for organizations:
- Protect device security by preventing devices from being used to conduct attacks;
- Protect data security by safeguarding the confidentiality, integrity, and availability of data handled by the device, including personally identifiable information (PII); and
- Protect the privacy of individuals impacted by PII processing.
This draft publication is a much-anticipated addition to the NIST regulatory compendium, as IoT interfacing shows no signs of ceasing.