The NIST Framework and its Implications on Cybersecurity and the Internet of Things

Felix Uribe, University of Maryland University College (UMUC) adjunct associate professor of Cybersecurity Management and Policy, provides an overview of NIST and its implications on cybersecurity and IoT at recent Dominican Republic Cyber Event.

At the II Digital Forensic and Cybersecurity Conference, held at the Ocean Blue and Sand Resort in Punta Cana, Dominican Republic from May 17-20, 2018, Uribe joined an international roster of speakers from Spain, Colombia, Chile, Mexico and the United States to discuss a host of topics related to digital forensics, cybersecurity and cybercrime, as well as the Dominican Republic’s “digital government” initiative and its cybersecurity and privacy challenges and solutions.

For his part, Uribe presented an overview of the NIST Risk Management Framework (RMF) and the NIST Cybersecurity Framework and its implications on the Internet of Things (IoT). He kicked off his talk with a brief history of NIST and an explanation of what it is.

Established in 1901 as the National Bureau of Standards, the National Institute of Standards and Technology (NIST), as the agency has been known since 1988, is a measurement standards laboratory that is a non-regulatory agency of the US Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations, from nanoscale devices to earthquake-resistant skyscrapers and global communication networks.

The Computer Security Resource Center (CSRC) provides access to NIST’s cybersecurity and information security related projects, one of which is the Risk Management Framework (RMF), six steps (Categorize, Select, Implement, Assess, Authorize and Monitor) to ensure that organizations integrate security, privacy and risk management activities into the system development life cycle.

NIST developed the RMF to provide a more flexible, dynamic, approach for effective management of information system-related security and privacy risk in highly diverse environments and throughout the system development life cycle.

In short, the RMF addresses risk management by:

  • Building security and privacy capabilities into information systems throughout the System Development Life Cycle.
  • Maintaining awareness of the security and privacy posture of information systems on an ongoing basis through continuous monitoring processes.
  • Providing information to senior leaders and executives to facilitate decisions regarding the acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the operation and use of systems.

The voluntary NIST Cybersecurity Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework’s goal is promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

Cybersecurity and Privacy Challenges in the Internet of Things (IoT)

Uribe also discussed IoT cybersecurity and privacy challenges. He defines IoT as the network of devices (things) capable of interacting with other devices and/or living things via the Internet or through a private local or global network not connected to the Internet. He explained that the components of an IoT device can be microcontrollers, sensors, actuators, memory, storage, and other components that is embedded or connected to the device and that forms part of its operation.

IoT projections suggest that by the year 2020 the number of connected devices worldwide will reach approximately 20 billion (The Gartner Group 2017, retrieved from https://www.gartner.com/newsroom/id/3598917). As such, the number of IoT devices compromised by cybercriminal is also expected to intensify. Both the NIST RMF and the Cybersecurity Framework strive to provide organizations security and privacy safeguards to protect information and information systems and the future of complex interconnected IoT environments.

NIST Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations was developed to addresses the selection of security controls (“Select” step in the RMF). It provides guidelines for selecting the security controls for organization and information systems.

The latest version of SP 800-37 (Revision 5) provides a comprehensive set of safeguarding regarding Internet of Things (IoT) devices. As stated by NIST, “privacy is now fully integrated throughout the new draft. For example, one privacy control addresses the data captured by sensors such as those used in traffic-monitoring cameras in smart cities. The control advises configuring such sensors in a way that minimizes their capturing data about individuals that’s not necessary for the traffic-monitoring system to carry out its function.” In addition, “…an IT system may employ cameras. Security experts determine security controls for the camera sensor, while privacy professionals decide on privacy controls such as a control to preserve a passerby’s privacy.”

The exponential growth of IoT devices and their everyday applications calls for the use of the NIST RMF and the Cybersecurity framework in order to address today’s security and privacy concerns affecting the trustworthiness of the world’s current IoT domain. IoT device manufacturers should take into account the security and privacy controls provided by the RMF when designing and manufacturing IoT devices and its components to ensure that security and privacy is implemented by design and does not come up as an afterthought during the IoT device development life cycle.

About the Author

UribeFelix Uribe is an information technology (IT) security professional with extensive experience in the field of information security, cybersecurity, privacy, software development and teaching in the private and public sectors. He currently serves as an IT security analyst at the US Department of the Interior serving as associate privacy officer for the National Park Service. Prior to this, he served as an IT security auditor (Infosec) at the US Department of Justice Office of the Inspector General. As an academic, Uribe serves as adjunct associate professor at UMUC in the Cybersecurity Management and Policy program.

Uribe holds a Bachelor’s and Master’s degree in Computer Science from the Herbert H. Lehman College of the City University of New York.