The National Institute of Standards and Technology (NIST), US Department of Commerce, has published a new document: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices' lifecycles.
Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do.
NIST defines cybersecurity and privacy risks for IoT devices in terms of three high-level risk mitigation goals:
1. Protect device security.
In other words, prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, eavesdropping on network traffic, or compromising other devices on the same network segment. This goal applies to all IoT devices.
2. Protect data security.
Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IoT device. This goal applies to each IoT device except those without any data that needs protection.
3. Protect individuals’ privacy.
Protect individuals' privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IoT devices that process PII or that directly or indirectly impact individuals.
This report, the first in a series addressing the IoT, looks at higher-level considerations; NIST says future reports will go into greater depth and detail about related issues.