IoT Security and the Smart City part 1

Mark_Wheeler
4 min read · Sep 20, 2023

[Header image by Dall-E]

The Smart City Expo USA is a couple of weeks away on October 4–5 in New York City https://www.smartcityexpousa.com/ and like last year I’m moderating two panels. This post will set the stage (literally) for an innovation forum on IoT, Digital Privacy, and Citizen Trust.

I’m thrilled to have on the panel with me: Bill Pugh, a nationally respected maker and shaper of smart city programs and analytics; Michael Dunaway, associate director for innovation in the IoT Devices and Infrastructure Group at the National Institute of Standards and Technology (NIST); and Raimundo Rodulfo, CIO for Coral Gables, FL a multi-award winning leader on smart city implementation.

The crux of the problem I want to explore in this panel crystallized for me when I had the honor to speak about cybersecurity challenges for local governments during a Smart Cities World Council event last spring at the National Press Club. In Washington DC, the event naturally focused on the federal initiatives involving all things “smart:” public EV charging stations, grid-connected buildings, broadband, etc. No matter the smart topic, officials directly or indirectly endorsed the adoption of IoT devices. Lots of examples were provided about the quality of life improvements that come from IoT integration with building systems and infrastructure. But curiously, when individual federal programs were discussed, cybersecurity and citizen data privacy matters weren’t mentioned specifically. I’m sure it wasn’t intentional; these were program status updates for the most part. But it made me stop to consider — is there a collective approach to security and privacy in public programs promoting the adoption of IoT? What are the frameworks for standards and enforcement that are in place?

One of the reasons I proposed the panel at Smart City Expo USA this year is to tackle these questions. In preparation, I’ve been scanning the landscape for guidelines and legislation. The feds have laid a lot of groundwork, but for now, it’s all advisory. Acts of Congress and Presidential executive orders going back to 2020 have set the guidance to define what a secure IoT device is and isn’t:

  • IoT Cybersecurity Act of 2020 — assigned the National Institute of Standards and Technology (NIST) the responsibility for creating standards for IoT security-compliant devices and prohibits federal agencies (after the standards are published) from using and procuring non-compliant equipment.
  • Executive Order 14028 of 2021, Improving the Nation’s Cybersecurity, charged the Secretary of Commerce through NIST to “initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.” Beyond that, the EO doesn’t go further than restating the directive for NIST to develop IoT security standards for federal agencies (from the 2020 IoT Cybersecurity Act).
  • NISTIR 8259 — NIST’s guidance for manufacturers and their supporting third parties as they conceive, design, develop, test, sell, and support IoT devices (2022)
  • NISTIR 8425 — NIST’s baseline of cybersecurity capabilities commonly needed for consumer IoT products (2022)
  • NIST’s Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products (2022)

There are also the following notable frameworks and guidance:

What appears to be an evolution of a directive in federal EO 14028 occurred last August with a proposal by the Federal Communications Commission (FCC) to nudge the IoT marketplace to standardize and be more transparent about the level of security built into and supported by IoT devices. In cooperation with manufacturers and retailers, the feds intend to launch a “Cyber Trust Mark” labeling program for smart home devices in 2024.

Under the program, NIST is to define the state of compliance for IoT devices receiving a Cyber Trust Mark. Compliance is likely to include ever-increasing requirements for data security, incident detection capabilities, and corrective actions by device manufacturers. At this point the program is voluntary. How enforcement will work is still under development (early days), but the program is a promising development in terms of providing consumers with information while unifying the marketplace on the NIST standards.

There’s more to dive into here, especially as to how state consumer privacy laws (like California’s) can be a way to enforce practical security standards on IoT devices. If you’re in NYC, come to the Smart City Expo USA for the innovation forum on IoT, Digital Privacy, and Citizen Trust at 9:40 am, Pier 36.

Mark_Wheeler

Philadelphian for 15+ years. City CIO. Former urban planner, GIS pro, and environmental educator. Markaroo to my nearest and dearest.