Draft NISTIR 8228, Considerations for Managing IoT Cybersecurity (uploaded 2018-10-04)


Draft NISTIR 8228

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

Katie Boeckl, Michael Fagan, William Fisher, Naomi Lefkovitz, Katerina N. Megas, Ellen Nadeau, Danna Gabel O’Rourke, Ben Piccarreta, Karen Scarfone

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8228-draft




Draft NISTIR 8228

Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

Katie Boeckl, Michael Fagan, William Fisher, Naomi Lefkovitz, Katerina N. Megas, Ellen Nadeau, Ben Piccarreta
Applied Cybersecurity Division, Information Technology Laboratory

Danna Gabel O’Rourke
Deloitte & Touche LLP, Arlington, Virginia

Karen Scarfone
Scarfone Cybersecurity, Clifton, Virginia

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8228-draft

September 2018

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology


National Institute of Standards and Technology Internal Report 8228 (Draft), 52 pages (September 2018)

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8228-draft

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

Public comment period: September 24, 2018 through October 24, 2018

National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2000), Gaithersburg, MD 20899-2000
Email: iotsecurity@nist.gov

All comments are subject to release under the Freedom of Information Act (FOIA).





Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.


Abstract

The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their IoT devices throughout their lifecycles. This publication is the introductory document providing the foundation for a planned series of publications on more specific aspects of this topic.


Keywords

cybersecurity risk; Internet of Things (IoT); privacy risk; risk management; risk mitigation




Acknowledgments

The authors wish to thank all contributors to this publication, including the participants in the workshops and other interactive sessions, the individuals and organizations from the public and private sectors who provided comments on the preliminary ideas, and the following individuals from NIST: Curt Barker, Matt Barrett, Barbara Cuthill, Donna Dodson, Jim Foti, Ned Goren, Nelson Hastings, Jody Jacobs, Suzanne Lightman, Jeff Marron, Vicky Pillitteri, Tim Polk, Matt Scholl, Eric Simmon, Matt Smith, Murugiah Souppaya, Jim St. Pierre, Kevin Stine, and David Wollman.


Audience

The primary audience for this publication is personnel at federal agencies with responsibilities related to managing cybersecurity and privacy risks for IoT devices, although personnel at other organizations may also find value in the content. Personnel within the following Workforce Categories and Specialty Areas from the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework [1] are most likely to find this publication of interest, as are their privacy counterparts:

• Securely Provision (SP): Risk Management (RSK), Systems Architecture (ARC), Systems Development (SYS)

• Operate and Maintain (OM): Data Administration (DTA), Network Services (NET), Systems Administration (ADM), Systems Analysis (ANA)

• Oversee and Govern (OV): Cybersecurity Management (MGT), Executive Cyber Leadership (EXL), Program/Project Management and Acquisition (PMA)

• Protect and Defend (PR): Cybersecurity Defense Analysis (CDA), Cybersecurity Defense Infrastructure Support (INF), Incident Response (CIR), Vulnerability Assessment and Management (VAM)

• Investigate (IN): Digital Forensics (FOR)

In addition, IoT device manufacturers and integrators may find this publication useful for understanding concerns regarding managing cybersecurity and privacy risks for IoT devices.


Trademark Information

All registered trademarks and trademarks belong to their respective organizations.





Note to Reviewers

NIST welcomes feedback on any part of the publication, but there is particular interest in the following:

1. Our approach has been to articulate the differences from our perspective between managing cybersecurity and privacy risk for conventional IT and for IoT. This is so personnel can more easily adapt their conventional IT risk mitigation practices for IoT, no matter what risk management practices or methodologies they currently use. Is this approach helpful? Does the publication emphasize these differences too much, not enough, or the right amount? Would a different approach be more effective?

2. This publication focuses on mitigating risk and does not address other forms of risk response (accepting, avoiding, sharing, and transferring). Our analysis has shown that mitigation options may be significantly different for IoT devices than conventional IT devices, but other forms of risk response are generally not different. Is this a reasonable assertion?

3. There has been a great deal of interest from many organizations in establishing cybersecurity and privacy baselines¹ for IoT device risk mitigation. NIST analysis of existing standards and guidelines for IoT device cybersecurity and privacy has determined that because IoT devices and their uses and needs are so varied, few recommendations can be made that apply to all IoT devices. NIST is creating a high-level, widely applicable baseline, with the first examples shown in Appendix A of this publication, and also developing more specific and actionable recommendations for particular types of IoT devices. Therefore, feedback on the Appendix A examples is particularly important.

4. This publication is the introductory document pr