NIST lays out roadmap for Internet of Things security

As lawmakers seek a “seal of approval” for the Internet of Things, the National Institute of Standards and Technology recently gave federal agencies and private industry a better roadmap to future IoT cybersecurity concerns.

In the Feb. 14 draft version of its interagency report on the state of IoT cyber standards, NIST warned that without a standardized set of cybersecurity requirements in place, many IoT devices — from smart cars to the energy-efficiency sensors in the General Services Administration headquarters building — could be vulnerable to cyber attack.

While the Internet of Things has become prevalent in many consumer electronics over the last few years, the agency warns that as the technology becomes more widespread, it presents more of an opportunity for malicious actors.

“It is expected to be even more revolutionary and ubiquitous in the future. Yet, the adoption of IoT brings cybersecurity risks that pose a significant threat to the nation,” NIST wrote in its report.

On Capitol Hill, Sen. Ed Markey (D-Mass.) and Rep. Ted Lieu (D-Calif.) have encouraged lawmakers to take action on their Cyber Shield Act, which would create a voluntary cybersecurity certification program for IoT devices.

“The IoT era could also be considered the ‘Internet of Threats’ era if appropriate cybersecurity safeguards are not in place,” Markey said during a prerecorded video statement released during the Institute for Critical Infrastructure Technology’s winter summit on Jan. 29.

In 2017, the research company Gartner estimated there were more than 8.4 billion IoT devices in use. It expects more than 20 billion devices will be online by 2020.

The Cyber Shield Act, if passed, would establish an advisory committee of cybersecurity experts from academia, industry and consumer advocacy groups to create cybersecurity benchmarks for IoT devices.

The Commerce secretary would appoint members of the advisory committee, and the Commerce Department’s inspector general would have oversight over the regulatory body.

Under the legislation, device manufacturers would voluntarily submit their products for evaluation. Products that meet the advisory board’s cybersecurity standards would carry a cyber shield logo. The system has been compared to the Energy Star program developed by the Environmental Protection Agency more than 20 years ago.

“We put the information out there so that there is an understanding as to the level of security that any one of these devices has,” Markey said.

During a Feb. 14 Brookings Institution cybersecurity panel discussion, Tom Wheeler, former chairman of the Federal Communications Commission, said the FCC could someday play a role in certifying cyber best practices, much like how it currently reviews all products that emit radio frequencies.

“If we think that protecting the airwaves from interference is important enough that there should be type acceptance of products, why shouldn’t one of those inspections that have to be made be a cyber assurance for that product?” Wheeler said.

While FCC testing would mark a significant regulatory change for IoT device manufacturers, Wheeler said private industry hasn’t done enough to regulate the cybersecurity of its products.

“There is a market failure here. When you’re making the chip that goes to the board, that goes in the camera, that goes to Best Buy, that goes to the consumer, nobody in that supply chain is asking any question about cybersecurity. Mostly they’re saying, ‘Talk to me about price,’” he said.

To give a sense of the security risk at hand, NIST cited the October 2016 cyber attack on Dyn, a company that monitors and routes internet traffic. By infecting internet-connected devices with malware, malicious actors overwhelmed Dyn’s systems through a denial-of-service attack and temporarily brought down a number of major websites.

“The disruption of Dyn and associated Internet services underscores the significant, systemic harm that may be caused by malware dedicated to exploiting the security vulnerabilities of IoT components,” the NIST report said.

Looking ahead to technology-based solutions, NIST said blockchain could help fill in some of the security gaps with internet-connected devices.

“Blockchain is an evolving technology that could revolutionize IoT security. The blockchain model favors peer-to-peer interactions between devices and thus de-centralizes security,” the report said.

NIST will take public comments on its draft report until April 18.