The Internet of Things has unlimited possibilities for home and business use. Appliances from refrigerators to sensor networks are now available in models that interact with a wireless network, making them easier to control with a computer or smartphone. IHS Markit estimates that more than 75 billion IoT devices will be in use by 2025.
Along with this massive market adoption of IoT, though, comes a trove of security concerns that necessitate attention and action. The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) is striving to make IoT more secure.
NCCoE’s work is done in conjunction with and informed by NIST’s Cybersecurity for the Internet of Things (IoT) Program. This program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed.
Below are the IoT projects that are currently underway at the NCCoE.
Network-layer onboarding of an IoT device is the provisioning of network credentials to that device. The current lack of trusted IoT device onboarding processes leaves many networks vulnerable to having unauthorized devices connect to them. It also leaves devices vulnerable to being taken over by networks that are not authorized to onboard them. This project focuses on approaches to trusted network-layer onboarding of IoT devices over IP networks and lifecycle management of the devices. Learn more about this project.
Medical facilities are more connected than ever before, making the delivery of healthcare more efficient and convenient for patients. The wireless infusion pump device is present in nearly every medical setting. Tampering with the wireless infusion pump ecosystem can expose a healthcare delivery organization (HDO) enterprise, and by extension its patients, to serious risks. This project resulted in defense-in-depth cybersecurity guidance applicable to any connected medical device to help HDOs protect their networks. Learn more about this project.
This project aims to improve the resiliency of IoT devices against network-based attacks by using the Internet Engineering Task Force’s Manufacturer Usage Description (MUD) architecture. When MUD is used, the network will automatically permit IoT devices to send and receive only the traffic they require to perform as intended, and the network will prohibit all other communication with the devices. Learn more about this project.
This project focuses on data integrity and malware prevention, detection, and mitigation within industrial control systems (ICS). Major consideration is given to distributed energy resources (DERs)—particularly commercial-scale and utility-scale solar power installations—and their interconnection with the electricity distribution grid. Distributed energy resources introduce information exchanges between a utility’s distribution control system and the DERs, or an aggregator, to manage the flow of energy in the distribution grid. These information exchanges often employ Industrial Internet of Things (IIoT) technologies that lack the communications security present in traditional utility systems. Learn more about this project.
This project aims to provide data-driven cybersecurity information about the state of the consumer smart home market. This project provides technical security assessments of consumer home IoT products, with the aim of identifying security capabilities and recommendations for IoT device manufacturers. These technical assessments will also help the NCCoE better address consumer home IoT security in a holistic manner in future projects. In addition, the technical assessments inform the security tenets for IoT devices outlined in NISTIR 8259 (Draft), Core Cybersecurity Feature Baseline for Securable IoT Devices. Learn more about this project.
This project aims to demonstrate how resource-constrained sensors can have their firmware securely updated over the air (OTA). This project will align with draft NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline and seeks to utilize industry standards for interoperability. Learn more about this effort.
Telehealth is one of the fastest-growing sectors within healthcare. It leverages network-connected devices to monitor and treat patients outside of a healthcare delivery organization’s (HDO’s) closed environment. HDOs are leveraging a combination of telehealth capabilities, such as remote patient monitoring (RPM) and videoconferencing, to treat patients in their homes. These modalities are used to treat patients with numerous conditions, such as those battling chronic illness or requiring postoperative monitoring. As use of these capabilities continues to grow, it is important to ensure that the infrastructure supporting them can protect patient data. The NCCoE healthcare team and NIST Privacy teams are working together on this project. Learn more about this project.