Security of the Internet of Things takes on new urgency

As attacks and surveillance ramp up, all product developers and systems providers should adopt NIST guidelines


Uncle Sam certainly understands how vital it is for the Internet of Things to be made secure.

The National Institute of Standards and Technology has spent four years working with a cross-section of experts to hammer out a framework for establishing an appropriate level of IoT security.

The final version of Systems Security Engineering, also known as NIST Special Publication 800-160, was released in mid-November. You might call it a guide for retrofitting security and privacy onto the Internet of Things.


This NIST guide is intended to help software and system engineers adopt a security mind-set, much as the auto industry adopted a safety mind-set 50 years ago, says Ron Ross, a longtime cybersecurity expert at NIST.

“We need to encourage commercial product developers to build security features into their products and systems—just like the auto industry builds safety features in the automobiles we buy,” Ross says. “My first car barely had a seat belt. Over the years, you saw the evolution: seat belts to air bags to steel-reinforced doors to safety features that help you not shift lanes and avoid a crash. That is all built into the car.”

The NIST guide is intended to foster a comparable mind-set among builders of computers, tablets, smartphones, baby monitors, medical devices and industrial control systems. IoT device makers and system providers certainly are capable of producing systems that are trustworthy and thus instill consumer confidence in IoT, Ross says.

The guide incorporates systems and software engineering standards published by the International Organization for Standardization, the International Electrotechnical Commission, and the Institute of Electrical and Electronics Engineers. Ross says it is the most important document in his two-decade career at NIST.

Critical need arises

The need for trustworthy and secure systems, the new NIST guide says, “has never been more important to the long-term economic and national security interests of the United States.” The nation faces frequent, intense cyber attacks that threaten federal, state and local governments, the military, businesses and “the critical infrastructure,” the publication says.

Work on the project began in 2012 and a first draft was released in 2014. A second draft, which was substantially different from the first, appeared in May, and a third draft was released in September.

The final document gives organizations that build systems “a vehicle, a structure and a disciplined process to move through every stage of the life cycle and make sure that every important detail for security is considered at the right place in the life cycle,” Ross says.

“We treat security in this document like NASA treats safety,” he says. “Safety is an emergent property of the system. You don’t get a safe system by just hoping for a safe system. You have to engineer the system to achieve the emergent property of a safe system.”

No one-size-fits-all

NIST recognizes that organizations have diverse security needs, so the guide doesn’t provide “a specific recipe for execution.” Organizations can view the document as “a catalog or a handbook” and select whatever processes and security-related initiatives they wish.

The NIST standards are voluntary. The agency will encourage IoT device manufacturers, internet services companies and infrastructure providers to embrace them.

Organizations have made significant improvements in reactive security measures—including intrusion detection and response capabilities—but they do not address “the fundamental weaknesses in system architecture and design,” Ross says. Such weaknesses can only be addressed “with a holistic approach based on sound systems security engineering techniques and security design principles.”

United front most effective

A holistic approach, he says, will make systems more “penetration-resistant; capable of limiting damage from disruptions, hazards and threats, and sufficiently resilient, so they can continue to support critical missions and business functions after they are compromised.”

Ross likens present cybersecurity threats facing individuals, government agencies, businesses and the nation’s infrastructure and industrial base to threats by terrorists or threats America experienced during the Cold War.

Overcoming such threats will require a large investment of resources and the involvement of government, industry and the academic community, he says. “It will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half-century ago.”

Until some urgency kicks in and legitimate organizations start down this road, consumers and businesses can expect hackers with malicious intent to accelerate the already too-easy exploitation of the Internet of Things.
