NIST develops model for IoT security

The National Institute of Standards and Technology (NIST) has released its IoT security model within a 25-page document aimed at offering an "underlying and foundational science to IoT based on a belief that IoT involves sensing, computing, communication and actuation."

NIST's new IoT guideline is based on five core primitives: sensor, aggregator, communication channel, external utility and decision trigger, which it said belong to most distributed systems. According to NIST, these primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns and elements of unknown pedigree with possible nefarious intent.

"System primitives allow formalisms, reasoning, simulations and reliability and security risk-tradeoffs to be formulated and argued," wrote Jeffrey Voas, a computer scientist with NIST, in the document (PDF). "These primitives are the basic building blocks for a Network of 'Things' (NoT), including the Internet of Things (IoT)."

According to the report, security and reliability are concerns for all five primitives.

In addition to the primitives, the model identifies six elements that are "key players in trusting NoTs": environment, cost, geographic location, owner, Device_ID and snapshots, which Voas defined as instances in time that can vary depending on events, data transfers and computations.

"The elements lay out key contextual issues related to trustworthiness of a specific NoT. And the primitives are the building blocks of NoTs. Because trustworthiness is such a broad concept, this document has mainly focused on two 'ilities' related to the five primitives: Security and reliability," wrote Voas.

Voas went on to provide real and hypothetical examples of security and reliability concerns for each primitive. For example:

  • A car's speed sensor giving inconsistent readings after years of exposure to heat, water and dust

  • An attacker introducing a rogue sensor into a network that produces fake readings

  • An attacker conducting DDoS attacks on the smart security camera application provider's servers, giving the attacker the ability to break into a house without the user being notified

"Without an actionable and universally accepted definition for IoT, the model and vocabulary presented here expresses how IoT, in the broad sense, behaves," wrote Voas. "These primitives are simply objects with attributes. The five, along with the context offered by the six elements, form a design catalog for those persons and organizations interested in exploring and implementing current and future IoT-based technology."

NIST's new IoT security model arrives as companies and analysts are projecting exponential growth in the number of connected devices on networks. With that growth comes an expected spike in security threats. At Mobile World Congress in Barcelona earlier this year, AT&T released details of a commissioned report indicating that the operator had seen a 458 percent increase in vulnerability scans of IoT devices in the last two years.
