NIST for IoT
The NIST security framework is rapidly becoming the gold standard for designing complete layered defense strategies. Now NIST guidelines are available specifically for IoT environments in the form of the recently published NISTIR 8228 document, titled “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.”
“NIST 8228 includes a strong set of recommendations for companies implementing IoT,” says Jeff Wilbur, technical director of the Online Trust Alliance (OTA), part of the Internet Society.
NIST 8228 directly applies to integrators and technicians building and managing IoT networks. In the introduction, the document identifies three high-level considerations:
- Many IoT devices interact with the physical world in ways conventional IT devices usually do not.
- Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can.
- The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.
In addition, NIST 8228 lists three major “risk mitigation goals.” First, protect device security and stop devices from being used to launch attacks. Second, protect data security by keeping all data collected or processed by the device confidential. Finally, protect all personally identifiable information the device encounters. These goals are on page 11, and most of the remaining pages of the 44-page document go into detail on ways to achieve these three goals.
According to Wilbur, NIST 8228 is chiefly targeted at federal users. “It outlines a spectrum of risks in IoT for implementers, and they can choose where on that spectrum they feel comfortable,” he says.
Wilbur adds that a separate set of guidelines intended for the manufacturing industry, NIST 8259, has entered the comment stage, and references the 8228 implementation framework extensively.
Implementers like Austin Justice, vice president of Justice IT Consulting, an MSP in the Dallas/Fort Worth area, are already making use of 8228. “We started with NIST because we work with government contractors,” says Justice. “Most of our customers are manufacturers, and many of them make parts for a major Department of Defense aviation manufacturer, Lockheed [Martin], on the west side of Fort Worth.”
Justice finds NIST 8228’s best practices helpful, especially compared with the legally binding requirements in HIPAA. “NIST was done by professionals rather than Congress,” he explains. “About 90% of NIST is good cybersecurity guidelines in a framework people should be following.”
Acceptance is building for NIST 8228 in the security community, which is generally happy with the guidelines. “Everyone had an opportunity to give input to NIST, so those with problems had a chance to speak up,” Wilbur explains. “There’s lots of momentum building around a common core of security principles for integrators and manufacturers. We hope to see major progress on the vendor side in the next year or so.”
For Justice’s part, NIST 8228 is a way to capitalize on a growing opportunity. “We didn’t start out focusing on IoT,” he says, “but our customers have security cameras, parts vending machines, [and] IoT monitoring on all their big equipment all the way down to time clocks.”
James E. Gaskin is a ChannelPro contributing editor and former reseller based in Dallas.