Security of the Internet of Things takes on new urgency
As attacks and surveillance ramp up, all product developers and systems providers should adopt NIST guidelines
By Gary Stoller, ThirdCertainty
Uncle Sam certainly understands how vital it is for the Internet of Things to be made secure.
The National Institute of Standards and Technology has spent four years working with a cross-section of experts to hammer out a framework for establishing an appropriate level of IoT security.
The final version of Systems Security Engineering, also known as NIST Special Publication 800–160, was released in mid-November. You might call it a guide for retrofitting security and privacy onto the Internet of Things.
Related video: As the Internet of Things expands, so do the risks
This NIST guide is intended to help software and system engineers adopt a security mind-set, much as the auto industry adopted a safety mind-set 50 years ago, says Ron Ross, a longtime cybersecurity expert at NIST.
“We need to encourage commercial product developers to build security features into their products and systems—just like the auto industry builds safety features in the automobiles we buy,” Ross says. “My first car barely had a seat belt. Over the years, you saw the evolution: seat belts to air bags to steel-reinforced doors to safety features that help you not shift lanes and avoid a crash. That is all built into the car.”
The NIST guide is intended to foster a comparable mind-set among builders of computers, tablets, smartphones, baby monitors, medical devices and industrial control systems. IoT device makers and system providers certainly are capable of producing systems that are trustworthy and thus instill consumer confidence in IoT, Ross says.
The guide incorporates systems and software engineering standards published by the International Organization for Standardization, the International Electrotechnical Commission, and the Institute of Electrical and Electronics Engineers. Ross says it is the most important document in his two-decade career at NIST.
Critical need arises
The need for trustworthy and secure systems, the new NIST guide says, “has never been more important to the long-term economic and national security interests of the United States.” The nation faces frequent, intense cyber attacks that threaten federal, state and local governments, the military, businesses and “the critical infrastructure,” the publication says.
Work on the project began in 2012 and a first draft was released in 2014. A second draft, which was substantially different than the first, appeared in May, and a third draft was released in September.
The final document gives organizations that build systems “a vehicle, a structure and a disciplined process to move through every stage of the life cycle and make sure that every important detail for security is considered at the right place in the life cycle,” Ross says.
“We treat security in this document like NASA treats safety,” he says. “Safety is an emergent property of the system. You don’t get a safe system by just hoping for a safe system. You have to engineer the system to achieve the emergent property of a safe system.”
NIST recognizes that organizations have diverse security needs, so the guide doesn’t provide “a specific recipe for execution.” Organizations can view the document as “a catalog or a handbook” and select whatever processes and security-related initiatives they wish.
The NIST standards are voluntary. The agency will encourage IoT device manufacturers, internet services companies and infrastructure providers to embrace them.
Organizations have made significant improvements in reactive security measures—including intrusion detection and response capabilities—but they do not address “the fundamental weaknesses in system architecture and design, Ross says. Such weaknesses can only be addressed “with a holistic approach based on sound systems security engineering techniques and security design principles.”
United front most effective
A holistic approach, he says, will make systems more “penetration-resistant; capable of limiting damage from disruptions, hazards and threats, and sufficiently resilient, so they can continue to support critical missions and business functions after they are compromised.”
Ross likens present cybersecurity threats facing individuals, government agencies, businesses and the nation’s infrastructure and industrial base to threats by terrorists or threats America experienced during the Cold War.
Overcoming such threats will require a large investment of resources and the involvement of government, industry and the academic community, he says. “It will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half-century ago.”
Until some urgency kicks in, and legit organizations starts down this road, consumers and businesses can expect hackers with malicious intent to accelerate already too-easy exploitation of the Internet of Things.
More stories related to security of the Internet of Things:
Data security even more critical as Internet of Things multiplies, morphs
Privacy questions echo across the Internet of Things
Why more attacks leveraging the Internet of Things are inevitable