The Internet of Things Activities in the U.S. Government by Michael Erbschloe

Draft Interagency Report, NISTIR 8200, Summarizes International Efforts to Standardize Internet of Things Cybersecurity

February 14, 2018


The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in December 2015 by the National Security Council's Cyber Interagency Policy Committee. The purpose of the IICS WG is to coordinate on major issues in international cybersecurity standardization and thereby enhance U.S. federal agency participation in international cybersecurity standardization.

The IICS WG has developed this report, Draft NIST Interagency Report (NISTIR) 8200, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT). The intended audience is both the government and the public. The purpose is to inform and enable policymakers, managers, and standards participants as they seek timely development of and use of cybersecurity standards in IoT components, systems, and services.

This draft report:

  • provides a functional description for IoT (Section 4);
  • describes several IoT applications that are representative examples of IoT (Section 5);
  • summarizes the cybersecurity core areas and provides examples of relevant standards (Section 6);
  • describes IoT cybersecurity objectives, risks, and threats (Section 7);
  • provides an analysis of the standards landscape for IoT cybersecurity (Sections 8 and 9); and
  • maps IoT relevant cybersecurity standards to cybersecurity core areas (Appendix D).

The Interagency International Cybersecurity Standardization Working Group (IICS WG) was established in December 2015 by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC). Its purpose is to coordinate on major issues in international cybersecurity standardization and thereby enhance U.S. federal agency participation in international cybersecurity standardization. Effective U.S. government participation involves coordinating across the U.S. government and working with the U.S. private sector. There is a much greater reliance in the U.S. on the private sector for standards development than in many other countries. Companies and industry groups, academic institutions, professional societies, consumer groups, and other interested parties are major contributors. Further, the many Standards Developing Organizations (SDOs) that provide the infrastructure for standards development are overwhelmingly private sector organizations.

On April 25, 2017, the IICS WG established an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT. This Report is intended for use by the IICS WG member agencies to assist them in their standards planning and to help coordinate U.S. government participation in international cybersecurity standardization for IoT. Other organizations may also find it useful in their planning.

This draft report is based upon the information available to the participating agencies. Comments are now being solicited to augment that information, especially on the information about the state of cybersecurity standardization for IoT that is found in Sections 8, 9, 10, and Annex D.

Source: https://csrc.nist.gov/News/2018/Report-International-IoT-Cybersecurity-Standards


Executive Summary

The Interagency International Cybersecurity Standardization Working Group (IICS WG) was created in response to recommendations from NISTIR 8074 Volume 1 [1]. The IICS WG coordinates on major issues in international cybersecurity standardization. The IICS WG established an Internet of Things (IoT) Task Group to develop this Report on the status of international cybersecurity standards that are relevant to IoT.

The Internet of Things (IoT) consists of network connected devices, systems, and resulting services. The adoption of IoT and its applications is rapidly growing and the ensuing opportunities and benefits are significant. However, to reap the substantial benefits and to minimize the potentially significant risks, IoT security and resiliency are critical.

The timely availability of international cybersecurity standards is a dynamic and critical component for the cybersecurity and resilience of all information and communications systems and supporting infrastructures. The intended audience is both the government and public. The purpose is to inform and enable policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services.

The Report relies upon terms and definitions that are defined in Annex A – Terms and Definitions of NISTIR 8074 Volume 2.

Rather than attempting to define “IoT,” this Report employs a functional description to establish a common understanding of the IoT components, systems, and applications for which the standards could be relevant. This analysis starts with a functional description of IoT components, which are the basic building blocks of IoT systems.

To gain insight on the present state of IoT cybersecurity standardization, five IoT technology application areas are described. These application areas are not exhaustive but are sufficiently representative to use in an analysis of the present state of IoT cybersecurity standardization.

  • Connected vehicle (CV) IoT enables vehicles, roads, and other infrastructure to communicate and share vital transportation information.
  • Consumer IoT consists of IoT applications in the residence as well as wearable and mobile devices.
  • Health IoT processes data derived from sources such as electronic health records and patient generated health data.
  • Smart building IoT includes energy usage monitoring systems, physical access control security systems and lighting control systems.
  • Smart manufacturing IoT enables enterprise-wide integration of data, technology, advanced manufacturing capabilities, and cloud and other services.

Building upon NISTIR 8074 Volume 2, this Report describes eleven cybersecurity core areas and provides examples of relevant standards. IoT cybersecurity objectives, risks, and threats are then analyzed for IoT applications in general and for each of the five IoT technology application areas. Cybersecurity objectives for traditional IT systems generally prioritize Confidentiality, then Integrity, and lastly Availability. IoT systems cross multiple sectors as well as use cases within those sectors. As such, the individual cybersecurity objectives may be prioritized very differently, depending on the application. The proliferation and increased ubiquity of IoT components and systems are likely to heighten the risks they present.

Standards-based cybersecurity risk management will continue to be a major factor in the trustworthiness of IoT applications. Analysis of the application areas shows that cybersecurity for IoT is unique and will require tailoring of existing standards, as well as creation of new standards, to address pop-up network connections, shared system components, the ability to change physical aspects of the environment, and related connections to safety.

With this foundational basis, this Report provides an analysis of the standards landscape for IoT cybersecurity. The basis for this analysis is the information in Annex D, which maps IoT relevant cybersecurity standards to the eleven cybersecurity core areas. The annotated listings in Annex D are not exhaustive but do represent an extensive effort to identify presently relevant IoT cybersecurity standards. The market impacts of existing standards are noted and possible gaps in standards identified. While the Annex D listing is a one-time snapshot, Annex D should prove useful as a point of departure for maintaining awareness of the evolving standards landscape. A summary of the status of cybersecurity standardization for the five specific examples of IoT applications is provided in Table 4: Status of Cybersecurity Standardization for Several IoT Applications.

The Report’s conclusions focus upon the issue of standards gaps and the effective use of existing standards. For identified priorities, agencies should work with industry to initiate new standards projects in Standards Developing Organizations (SDOs) to close such gaps. In accordance with USG policy, agencies should participate in the development of IoT cybersecurity standards and, based upon each agency’s mission, agencies should cite appropriate standards in their procurements. Also, in accordance with USG policy, agencies should work with industry to support the development of appropriate conformity assessment schemes to the requirements in such standards.

Source: https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf