NIST: Cybersecurity for IoT (Internet of Things)

Summary:

The potential benefits of new guidance and technologies that have emerged should be considered by all users. Documents such as Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations Revision 1 (SP 800-161r1), Guide to Industrial Control Systems (ICS) Security Revision 3 (SP 800-82r3), the Secure Software Development Framework (SSDF) and the Risk Management Framework, and documents such as NISTIRs 8259/A/B and SPs 800-213/A can offer different perspectives that help inform the discussion of assessing and mitigating risk when IoT devices and systems are part of the equation. NIST's "Cybersecurity for IoT Program" will be hosting an event on June 22, 2022, to discuss the IoT landscape and the team’s next steps.

Additional Discussion:

Devices with constraints may often, but not always, face different, possibly lower risk than other equipment. NIST heard that these challenges are compounded when IoT systems are assembled from many constrained devices (e.g., a distributed sensor network), possibly creating a larger scale break of expectations about the cybersecurity capabilities of the system and its components. Additionally, IoT devices and systems of constrained or highly distributed architectures may face challenges implementing common technical (e.g., cybersecurity state awareness) and non-technical (e.g., documentation) cybersecurity measures. NISTIR 8228 considers some of these aspects, but stakeholders may benefit from more specific considerations based on what NIST has learned.