By Donna Dodson
The Internet of Things will connect all kinds of things, bringing us a wealth of data about, well, everything that we can use to improve our lives. For example, Internet-connected smart parking meters are helping people find available parking spaces, saving time, fuel and probably more than a few relationships.
People are using fitness trackers to log their daily activity and achieve their fitness goals, making them healthier and happier. And technologies that promise to make travel safer and more convenient, such as self-driving cars and highway sensors that detect and adapt to real-time road conditions, are quickly moving from concept to reality.
But with all the exciting new functionality and features that IoT will grant, it will also bring a host of new cybersecurity risks and challenges. Some of these risks could be seen as relatively innocuous. For instance, hackers could virtually raid your Internet-connected refrigerator and instruct it to order too much milk as a prank. Other risks are far more serious, such as hackers being able to take control of your self-driving vehicle or medical device.
The point is, the more devices that are connected to the Internet, the more potential weak spots there are for hackers to exploit.
Because of this, it’s really important that the data IoT systems generate and disseminate be protected against unauthorized access, just as you would protect any sensitive system.
Except in limited cases, even authorized users shouldn’t be able to change this data. And, while some data should be public so people can slice it and dice it in different ways for research purposes — for instance, data on traffic patterns or pollution — some data, such as medical and genetic information, needs to be kept confidential, so we’ll need layers of permissions. As we become more dependent on these connected devices, ensuring their availability can also be critical. Vital networks that control the power grid or the access to health records should never go down. And if they do, we need to be able to get them back up and running quickly.
My work on cybersecurity at NIST has made clear that standards and best practices are critical to keeping computer systems secure and creating trust in these systems. Similarly, cybersecurity standards and best practices can provide industry with the tools they need to build a secure and interoperable IoT.
Today, even though standards and best practices can be used to support IoT systems, manufacturers, service providers and system developers are still working toward developing consensus security standards. Unless they can reach a consensus, we could end up with a patchwork of protections in which some IoT systems are more secure than others, and many such systems will not be adequately protected against cyberattacks.
NIST’s Cybersecurity for IoT Program aims to cultivate trust in IoT and promote U.S. leadership in this space.
Researchers in this program work with industry to produce definitions, reference data, guidance and best practices, as well as perform research and coordinate standards within and across sectors in the digital economy.
One of the things we’re doing is investigating cryptographic algorithms that can be used to secure devices that are far more constrained than your average desktop computer in terms of memory or power capacity.
These “constrained” devices, which include radio-frequency identification (RFID) tags and wireless sensors, are used in a variety of applications such as tracking of physical assets — be they packaged foods or automobile parts — and monitoring of physical structures such as roads, bridges and buildings.
Also, in collaboration with the health care community and medical device manufacturers, NIST’s National Cybersecurity Center of Excellence (NCCoE) just developed guidance and a demonstration on securing wireless infusion pumps, which deliver fluids, medication or nutrients intravenously into a patient’s bloodstream.
Being connected to a computer network enables these devices to collect data about patients that can be shared and monitored by several medical practitioners at the same time. Being on the network also makes it easier to update them with new dosing instructions or operating software. The work of NIST computer scientists has demonstrated how standards-based, commercially available cybersecurity technologies can be used to better protect infusion pumps and the networks they are connected to.
Such efforts are paving the way toward more secure IoT devices in the future. Ultimately, only by adopting a common set of standards and best practices will the manufacturers of IoT systems, along with service providers and system developers, be able to bring a high level of security for IoT devices and protect the data they generate, making us all safer in the process.
Donna Dodson is the deputy cyber security advisor at the National Institute of Standards and Technology.