Privacy and Security for the Internet of Things: A Q&A with Katerina Megas

What IoT devices do you have? If none, then how has IoT affected your life?

I have a smartwatch, which comes in quite handy throughout the course of my day. It allows me to see messages as they arrive, get news alerts, and keeps me on time with calendar reminders. At home, I have a virtual assistant that can turn on the lights, adjust the temperature, and even queue the music for an impromptu disco. The convenience that IoT brings me (such as turning on my espresso machine from my bedroom upstairs 10 minutes before heading downstairs) has provided new ways of affording me convenience, making for a much less stressful cup of coffee in the morning before heading out for work!

Where are we with maturing of IoT? What are the roadblocks?

IoT is maturing across seemingly every vertical—industrial, consumer, medical, retail and other technologies continue to evolve at an incredible pace. And there seems to be no end in sight, as the innovation continues to progress. While not a roadblock to innovation, there has been a trend of some product designers not considering cybersecurity and privacy until the end stages of product development—if at all. While I understand that this must be balanced with market pressures, this could potentially become a roadblock to security and safety for consumers, as they may not know how secure their devices are, or if they are surprised by it later could pull back and grow hesitant to adopt these new technologies.

Have you seen IoT systems have an impact in the past year? Anything that has particularly impressed you?

We spent some time on the road last year, attending conferences, roundtables and meetings to hear from the widest range of stakeholders about what is needed for IoT cybersecurity. In that time, we saw no shortage of IoT technologies having a great impact—medical devices that allow people to see again, smart fabrics that can help performance for military and athletes and even a robot dog that moves and acts just like a real one! I was especially impressed by a connected wheelchair. Not only could it move in any direction over any terrain, it connects to an app and can be directed remotely, allowing people to bring the chair to themselves, park it outside their room, giving them independence they couldn’t have before. The potential for improving their quality of life was amazing! The manufacturer said that they hadn’t even imagined some of the ways that people were using their product to suit their needs. That really struck me.

What's NIST's role and present focus in IoT?

NIST works on a broad swath of IoT-related work—such as our work in Smart Cities, as well as projects in the National Cybersecurity Center of Excellence (NCCoE), such as the project on Mitigating IoT-Based DDoS, to our work focused on the lightweight crypto needs of constrained devices, often associated with IoT. As program manager for the NIST Cybersecurity for IoT Program, I coordinate IoT cybersecurity efforts across NIST. The program supports the development and application of standards, guidelines and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. We are currently seeking feedback on Draft NIST Internal Report (NISTIR) 8228: Considerations for Managing IoT Cybersecurity and Privacy Risks. Comments are due Oct. 24—be sure to let us know what you think!

What changes do you envision occurring over the next 5, 10, 20 years?

I think we are going to continue to see an increasingly connected world in the years to come. The research and advisory company Gartner predicts that there will be 20 million connected devices by 2020, and that number will continue to grow. I recently participated in a panel discussion on IoT at an industry event, and a large manufacturer of consumer appliances shared that their corporate objective is to make all their products able to be connected to the internet by 2020. The exciting thing about IoT innovation is all the use cases that come with it: Networked self-driving cars could share information with other vehicles and devices in order to find the best route to get us to work quickly and safely; networked industrial control systems could increase efficiency and reduce waste; and networked life-saving technologies could get us to the hospital faster, reduce medical errors and have other impacts that we can't even fathom. I also envision a more secure IoT ecosystem in the next 5, 10, 20 years as consumers become more focused on cybersecurity and drive the market in that direction.

Is there some problem or challenge that you would really like to see IoT be used to solve?

This is an interesting one. With so much potential, there are several problems and challenges IoT can be used to tackle. Smart home and office automation can drastically help with conserving energy, saving money and resources—you can get connected and go green! I am also interested to see what challenges IoT might be used to tackle in smart cities over the next 10 years. City planners could possibly use sensors and streetlights to help with traffic management, determine where potholes are most likely to form, help in the reporting and response to emergencies, and many more things that no one has even imagined at this point.

What question do you wish we had asked?

That one is easy—what’s next for the NIST Cybersecurity for IoT Program? Again, we just released NISTIR 8228 Considerations for Managing IoT Cybersecurity and Privacy Risks and are accepting comments until Oct. 24—then, we'll be hard at work incorporating your feedback and preparing to publish. In the longer term, the program has a lot of plans for next steps, including a widely applicable core baseline for IoT device cybersecurity and privacy. Have any ideas on next steps or potential partnerships? We want to hear from you at iotsecurity [at] nist.gov (iotsecurity[at]nist[dot]gov)!