Secure Technology Alliance Response: NIST “IoT Security and Privacy Risk Considerations” Questions
Publication Date: April 2018
The Secure Technology Alliance IoT Security Council developed and submitted a response to the NIST invitation for stakeholder input outlined in the NIST “IoT Security and Privacy Risk Considerations” document.
The NIST document discusses IoT security and privacy risk considerations and requests input on six questions:
- Is a network connection to an external network required for devices to be considered IoT?
- NIST selected the term “devices” over terms such as “objects” and “things” as there does not seem to be consensus among technology, security, and privacy professionals on the preferred term. Which term would be best for future guidance?
- Our expected focus for the guidance is security and privacy risks for two types of IoT ecosystem components: integrated IoT devices with built-in sensors and/or actuators, and composite IoT devices. Are these the areas where organizations need more guidance? Are there any others NIST should focus on?
- Are there any gaps in the capabilities list? (See page 3 of the NIST document.)
- What use cases would best document interactions between IoT capabilities?
- How could risk assessment and response processes be adjusted to take IoT characteristics into account?
About the Secure Technology Alliance IoT Security Council
The Secure Technology Alliance IoT Security Council was formed to develop and promote best practices and provide educational resources on implementing secure IoT architectures using “embedded security and privacy.” The Council focuses on IoT markets where security, safety and privacy are key requirements. It leverages the industry expertise and knowledge gained from implementing embedded security technology for payment, identity, healthcare, transport and telecommunications systems to provide practical guidance for secure IoT implementations. The Council provides a unified voice for the industry to the broader IoT ecosystem.