‘Cybersecuring’ the Internet of Things
I recently had the chance to talk with the legendary Vint Cerf, one of the founding fathers of the internet. We had a wide-ranging discussion about the past, present and future of the internet, network security and what it would take to successfully, safely and reliably merge the digital and physical worlds, a concept known as the “Internet of Things,” or IoT.
As its name suggests, the internet of things will connect all kinds of things, bringing us a wealth of data about, well, everything that we can use to improve our lives. For example, internet-connected smart parking meters are helping people find available parking spaces, saving time, fuel and probably more than a few relationships. People are using fitness trackers to log their daily activity and achieve their fitness goals, making them healthier and happier. And technologies that promise to make travel safer and more convenient, such as self-driving cars and highway sensors that detect and adapt to real-time road conditions, are quickly moving from concept to reality.
But with all the exciting new functionality and features that IoT will grant, it will also bring a host of new cybersecurity risks and challenges. Some of these risks could be seen as relatively innocuous. For instance, hackers could virtually raid your internet-connected refrigerator and instruct it to order too much milk as a prank. Other risks are far more serious, such as hackers being able to take control of your self-driving vehicle or medical device.
The point is, the more devices that are connected to the internet, the more potential weak spots there are for hackers to exploit.
Because of this, it’s really important that the data IoT systems generate and disseminate be protected against unauthorized access, just as you would protect any sensitive system. Except in limited cases, even authorized users shouldn’t be able to change this data. And, while some data should be public so that people can slice it and dice it in different ways for research purposes—for instance, data on traffic patterns or pollution—some data, such as medical and genetic information, needs to be kept confidential, so we’ll need layers of permissions. As we become more dependent on these connected devices, ensuring their availability can also be critical. Vital networks that control the power grid or the access to health records should never go down—even for a second. And if they do, we need to be able to get them back up and running quickly.
My work on cybersecurity at NIST has made clear that standards and best practices are critical to keeping computer systems secure and creating trust in these systems. Similarly, cybersecurity standards and best practices can provide industry with the tools they need to build a secure and interoperable IoT. Today, even though standards and best practices can be used to support IoT systems, manufacturers, service providers and system developers are still working toward developing consensus security standards. Unless they can reach a consensus, we could end up with a patchwork of protections in which some IoT systems are more secure than others, and many such systems will not be adequately protected against cyberattacks.
NIST’s Cybersecurity for IoT Program is designed to cultivate trust in IoT and promote U.S. leadership in this space. The researchers in this program work with industry to produce definitions, reference data, guidance and best practices, as well as perform research and coordinate standards within and across sectors in the digital economy.
For example, one of the things we’re doing is investigating cryptographic algorithms that can be used to secure devices that are far more constrained than your average desktop computer in terms of memory or power capacity. These “constrained” devices, which include radio-frequency identification (RFID) tags and wireless sensors, are used in a variety of applications such as tracking of physical assets—be they packaged foods or automobile parts—and monitoring of physical structures such as roads, bridges and buildings.
Also, in collaboration with the health care community and medical device manufacturers, NIST’s National Cybersecurity Center of Excellence (NCCoE) recently developed guidance and a demonstration on securing wireless infusion pumps, which deliver fluids, medication or nutrients intravenously into a patient’s bloodstream. Being connected to a computer network enables these devices to collect data about patients that can be shared and monitored by several medical practitioners at the same time. Being on the network also makes it easier to update them with new dosing instructions or operating software. The work of NIST computer scientists has demonstrated how standards-based, commercially available cybersecurity technologies can be used to better protect infusion pumps and the networks they are connected to.
Such efforts are paving the way toward more secure IoT devices in the future. Ultimately, only by adopting a common set of standards and best practices will the manufacturers of IoT systems, along with service providers and system developers, to be able to bring a high level of security for IoT devices and protect the data they generate, making us all safer in the process.Donna Dodson is the Chief Cybersecurity Advisor for the NIST Information Technology Laboratory and Director of the National Cybersecurity Center of Excellence (NCCoE). This post was originally published on Taking Measure, the official blog of the National Institute of Standards and Technology (NIST).