Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Taking Measure

Just a Standard Blog

'Cybersecuring' the Internet of Things

Concept of internet of things ecosystem
Credit: © chesky/fotolia.com

I recently had the chance to talk with the legendary Vint Cerf, one of the founding fathers of the internet. We had a wide-ranging discussion about the past, present and future of the internet, network security and what it would take to successfully, safely and reliably merge the digital and physical worlds, a concept known as the “Internet of Things,” or IoT.

ConversatioNIST: The Internet and Cybersecurity
ConversatioNIST: The Internet and Cybersecurity

As its name suggests, the internet of things will connect all kinds of things, bringing us a wealth of data about, well, everything that we can use to improve our lives. For example, internet-connected smart parking meters are helping people find available parking spaces, saving time, fuel and probably more than a few relationships. People are using fitness trackers to log their daily activity and achieve their fitness goals, making them healthier and happier. And technologies that promise to make travel safer and more convenient, such as self-driving cars and highway sensors that detect and adapt to real-time road conditions, are quickly moving from concept to reality.

But with all the exciting new functionality and features that IoT will grant, it will also bring a host of new cybersecurity risks and challenges. Some of these risks could be seen as relatively innocuous. For instance, hackers could virtually raid your internet-connected refrigerator and instruct it to order too much milk as a prank. Other risks are far more serious, such as hackers being able to take control of your self-driving vehicle or medical device.

The point is, the more devices that are connected to the internet, the more potential weak spots there are for hackers to exploit.

Because of this, it’s really important that the data IoT systems generate and disseminate be protected against unauthorized access, just as you would protect any sensitive system. Except in limited cases, even authorized users shouldn’t be able to change this data. And, while some data should be public so that people can slice it and dice it in different ways for research purposes—for instance, data on traffic patterns or pollution—some data, such as medical and genetic information, needs to be kept confidential, so we’ll need layers of permissions. As we become more dependent on these connected devices, ensuring their availability can also be critical. Vital networks that control the power grid or the access to health records should never go down—even for a second. And if they do, we need to be able to get them back up and running quickly.

My work on cybersecurity at NIST has made clear that standards and best practices are critical to keeping computer systems secure and creating trust in these systems. Similarly, cybersecurity standards and best practices can provide industry with the tools they need to build a secure and interoperable IoT. Today, even though standards and best practices can be used to support IoT systems, manufacturers, service providers and system developers are still working toward developing consensus security standards. Unless they can reach a consensus, we could end up with a patchwork of protections in which some IoT systems are more secure than others, and many such systems will not be adequately protected against cyberattacks.

NIST’s Cybersecurity for IoT Program is designed to cultivate trust in IoT and promote U.S. leadership in this space. The researchers in this program work with industry to produce definitions, reference data, guidance and best practices, as well as perform research and coordinate standards within and across sectors in the digital economy.

For example, one of the things we’re doing is investigating cryptographic algorithms that can be used to secure devices that are far more constrained than your average desktop computer in terms of memory or power capacity. These “constrained” devices, which include radio-frequency identification (RFID) tags and wireless sensors, are used in a variety of applications such as tracking of physical assets—be they packaged foods or automobile parts—and monitoring of physical structures such as roads, bridges and buildings.

Also, in collaboration with the health care community and medical device manufacturers, NIST’s National Cybersecurity Center of Excellence (NCCoE) recently developed guidance and a demonstration on securing wireless infusion pumps, which deliver fluids, medication or nutrients intravenously into a patient's bloodstream. Being connected to a computer network enables these devices to collect data about patients that can be shared and monitored by several medical practitioners at the same time. Being on the network also makes it easier to update them with new dosing instructions or operating software. The work of NIST computer scientists has demonstrated how standards-based, commercially available cybersecurity technologies can be used to better protect infusion pumps and the networks they are connected to.

What is the Internet of Things (IoT) and how can we secure it?
What is the Internet of Things (IoT) and how can we secure it?

Such efforts are paving the way toward more secure IoT devices in the future. Ultimately, only by adopting a common set of standards and best practices will the manufacturers of IoT systems, along with service providers and system developers, to be able to bring a high level of security for IoT devices and protect the data they generate, making us all safer in the process.

About the author

Donna Dodson

Donna Dodson was a NIST Fellow. She was the Chief Cybersecurity Advisor for the NIST Information Technology Laboratory and was director of the National Cybersecurity Center of Excellence (NCCoE) from 2012 to 2020. She retired from NIST on May 8, 2020. Since joining NIST in 1987, Donna has been selected as a Fed 100 winner for innovations in cybersecurity, as one of the top 10 influential people in government IT in 2011, and as one of Fed Scoop’s Top 50 D.C. Women in Tech. In 2019, Donna was a recipient of the Presidential Rank Award. 

Related posts

Comments

One of the most problematic elements of cyber security is the quickly and constantly evolving nature of security risks. According to Forbes, the global cyber security market reached $75 billion for 2015 and is expected to hit $170 billion in 2020. NIST doing a great job!
Hello Donna Dodson, I am developing US patent 8799022 to address IOT cyber security issues and when "commercially available" I think the NIST would be interested in the role de-identification is going to play. Could you direct me to someone at NIST that I could introduce this technology to so I might have be able to incorporate their view point while things are still in the pre market design phase. I really hate paying to rewriting code. Our tech alters the digital transmission process de-identifying the data in transit and as stored in our cloud rendering it useless to cyber punks that will not have access to our tech to re-identify it which we do at the intended destination. Thanks, Jim O'Brien

Add new comment

CAPTCHA
Image CAPTCHA
Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.