HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Draft Framework on the Internet of Things

The National Institute of Standards and Technology (NIST) released the draft Framework for Cyber-Physical Systems on September 18. The Framework is intended to serve as a common blueprint for the development of safe, secure, and interoperable systems as varied as smart energy grids, wearable devices, and connected cars. The NIST Cyber-Physical Systems Public Working Group (CPS PWG) developed the draft document over the past year with input from several hundred experts from industry, academia, and government. NIST will be accepting public comment on the draft for the next 45 days.

The draft document tackles a set of complex challenges presented by the emergence of cyber-physical systems (also known as the Internet of Things). NIST recognizes that the same attributes of these systems that present boundless opportunity are also a source of vexing challenge. The pervasive interconnectedness and flexible design of modern systems allows cell phones to be effectively repurposed as mobile traffic sensors, providing drivers with real-time data about the road ahead. Yet as the channels for information sharing proliferate, so too do the opportunities for compromise. The Federal Bureau of Investigation (FBI) recently released a bulletin warning consumers of the increased risk of cyber crime presented by the Internet of Things. The bulletin notes that cyber criminals are increasingly exploiting unsecured wireless networks not only to steal data but also to remotely control devices.

NIST proposes to overcome these challenges by providing a common set of considerations for the design of devices and a common language to allow designers to promote interactions between devices. The latest release retains the organizing framework of earlier drafts, but includes significant revisions to focus on creating an actionable set of recommendations. As before, the document organizes systems into a set of “domains,” which are the broader environments in which CPS devices operate. “Facets” describe the common activities required to develop systems, while “aspects” are the cross-cutting concerns that accompany the development process. (We describe this Framework in more detail in a previous post regarding an earlier discussion draft).

Although the tripartite domains-facets-aspects structure remains, NIST overhauled much of the terminology to improve clarity and added significant detail to the Framework. For example, the Framework now recognizes that while some devices may be developed through a linear sequence, many devices emerge through reverse engineering, are layered on top of existing devices, or arise from gaps in between existing systems. These varied design processes are integrated into the Framework, providing a flexible structure for conceptualizing the development of new technologies.

If widely adopted, the CPS Framework could relieve some pressure on legislators and regulators to create more rigid regulatory frameworks. This year alone, the House and Senate have held hearings on the Internet of Things, and the FTC released a report on the privacy and security risks presented by the Internet of Things. But most lawmakers and regulators appear unpersuaded that specific regulation is necessary, at least in the near term. In March, the Senate unanimously approved a bipartisan resolution urging Congress to adopt a “light touch” to regulation of the Internet of Things. The FTC is likely to continue to use its flexible authority under Section 5 of the Federal Trade Commission Act to enforce privacy and security practices surrounding the Internet of Things. Despite its interest, the FTC has brought only one enforcement action relating to the Internet of Things, and Commissioner Maureen Ohlhausen recently urged regulators to practice “regulatory humility” with respect to the Internet of Things. Meanwhile, industry has proactively considered the privacy and security implications of the Internet of Things: the Auto Alliance released a set of consumer privacy principles that are enforceable by the FTC.

While it is too early to predict the impact of the NIST CPS Framework, the success of the NIST Cybersecurity Framework suggests that the CPS Framework is likely to have broad influence. Public comments on the document will be accepted until November 2, 2015, using a form available here. A NIST representative has indicated that a second draft release is likely following the CPS PWG’s review of public comments.