NIST Cybersecurity Framework: IoT and PKI Security

Talking about any specialized field requires a common language: agreed-upon terms, definitions and some level of accepted industry standards. Cybersecurity is no different, yet as the industry has grown this foundational need has somehow taken a back seat.

As the public and private sectors embrace digital transformation and face an increasingly sophisticated threat landscape, presidential executive orders have sought to remedy that. President Obama and now President Trump have each issued executive orders backing the National Institute of Standards and Technology's (NIST) Cybersecurity Framework.

For those who are unfamiliar, work on the NIST Cybersecurity Framework began in 2013 under an executive order (version 1.0 was published in February 2014) as an attempt to standardize practices and give guidance on common, high-level security and privacy risks. It was originally aimed at critical infrastructure, and one of its main roles today is to give federal agencies direction as they increase their adoption of cloud computing and other technologies.

In 2017 the framework became official policy for federal agencies, via Executive Order 13800. But its guidance, created with years of input from stakeholders, applies to the private sector and to enterprises of all sizes.

Recently, NIST has been taking a closer look at the Internet of Things (IoT), inviting input on practical risks organizations face as they move into the age of connected devices.

The proliferation of connected devices offers enormous business benefit, across industries as diverse as manufacturing, healthcare and automotive.

Imagine the "smart factory" of the future offering real-time data collection, predictive insight into machine maintenance or even remote factory monitoring for updates and disruptions. Making that vision a widespread reality requires organizations to be confident enough to adopt new connected technologies. Put simply, trust is critical to the IoT.

According to Gartner, by 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT is expected to account for only 10% of IT security budgets.

As NIST works to develop its IoT centric guidelines for the NIST Cybersecurity Framework, it is posing questions to stakeholders including the following:

What aspect of the IoT ecosystem is your organization most concerned about?

One of the most challenging aspects of IoT security is not just the increased number of devices, but their diversity in terms of function, processing power, operating environment and whether security is baked in, bolted on, or completely absent.

Broadly, a connected device introduces four categories of threat into the organization that deploys it. The device could be:

  • Used as a network entry point (a foothold from which to pivot into the enterprise network)
  • Conscripted into a botnet or otherwise placed under remote control
  • Altered to perform a function other than the one it was installed for
  • Used to capture data, whether the data it handles itself or traffic it can observe

In addition, IoT devices rarely follow the principles of security by design. They are often delivered with default administrative credentials that the owner is never forced to change, offer limited or no support for authenticating the device to the services it talks to (or those services to the device), and may have no mechanism for updating firmware at all. That last gap matters as soon as a vulnerability is discovered: a device that cannot be patched stays vulnerable for its entire service life, and an update mechanism that does not verify the signature on new firmware simply hands attackers an easier way to replace it.

Public key infrastructure (PKI) addresses several of these concerns directly. PKI is already the standard mechanism for authentication and digital signing, and it is increasingly used in the IoT to give each device a unique cryptographic identity: a key pair and certificate provisioned at the time the device is manufactured, which then serves as its root of trust. A device certificate replaces shared or default credentials with a per-unit identity that a backend can verify against the manufacturer's CA, and the same keys underpin signed firmware updates. The identity is only as trustworthy as the private key, so in practice that key should be generated in, and never leave, a secure element or similar tamper-resistant store on the device.
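The following is an added illustration of the manufacturing-time root of trust described above and of the authentication it enables; it is example code written for this page, not Thales code and not from any NIST publication. It uses only the Go standard library. A hypothetical factory root CA issues each unit a certificate whose subject is the unit's serial number; the device later proves possession of its private key by signing a backend challenge; the backend accepts only certificates that chain to the factory root. The CA name, serial numbers and challenge bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// deviceIdentity is what the factory burns into a unit: its private key (in a
// real product generated inside a secure element and never exported) and the
// DER certificate the factory CA issued for it.
type deviceIdentity struct {
	key     *ecdsa.PrivateKey
	certDER []byte
}

// newFactoryCA creates a self-signed manufacturer root. Its private key is the
// root of trust for every device the factory ships.
func newFactoryCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(20, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// provisionDevice is the manufacturing-time step: generate a per-unit key, bind
// the unit's serial number to its public key, and sign that binding with the
// factory CA. Only the certificate and key leave the line, never the CA key.
func provisionDevice(serial string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*deviceIdentity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	certSerial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: certSerial,
		Subject:      pkix.Name{CommonName: serial}, // device serial as identity
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0), // expected service life
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &deviceIdentity{key: key, certDER: der}, nil
}

// signChallenge is the device side of authentication: sign a fresh nonce from
// the backend to prove possession of the key named in the certificate.
func (d *deviceIdentity) signChallenge(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// trustPool is the backend's trust store: the factory root and nothing else.
func trustPool(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// verifyDevice is the backend check: the certificate must chain to the factory
// root, be inside its validity window and be marked for client authentication,
// and the challenge signature must verify under its key. On success it returns
// the serial number the factory bound to that key.
func verifyDevice(roots *x509.CertPool, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", fmt.Errorf("parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := newFactoryCA("Example Factory Root CA") // hypothetical CA name
	dev, _ := provisionDevice("SN-0001", ca, caKey)          // constructed serial
	challenge := []byte("constructed nonce 7f3a91")          // constructed challenge
	sig, _ := dev.signChallenge(challenge)
	fmt.Println(verifyDevice(trustPool(ca), dev.certDER, challenge, sig))
	// A unit "provisioned" by anyone other than the factory is refused, even
	// with the same serial number, because its chain ends at the wrong root.
	rogueCA, rogueKey, _ := newFactoryCA("Rogue CA")
	fake, _ := provisionDevice("SN-0001", rogueCA, rogueKey)
	fakeSig, _ := fake.signChallenge(challenge)
	fmt.Println(verifyDevice(trustPool(ca), fake.certDER, challenge, fakeSig))
}
```

The two failure cases worth noting are the ones the backend must reject: a signature over a different challenge (a replay), and a certificate for the right serial number issued by a CA the backend does not trust. Both fall out of the chain check and the signature check rather than from anything the device claims about itself.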

Given the importance of PKI and digital certificates in the age of the IoT, I wanted to share some findings from our 2017 Global PKI Trends Study. These data points were gathered from a survey of more than 1,500 individuals involved with PKI across 11 countries:

  • Over one-third of respondents (36%) cite new applications such as the IoT as the fastest-growing area of PKI evolution, a figure that has almost tripled since 2015
  • Respondents expect that within the next two years 43% of IoT devices will use digital certificates for authentication
  • 43% of respondents expect PKI deployments supporting the IoT to combine cloud-based and enterprise-based PKIs, which reflects both the desire to leverage existing enterprise PKI investments and the recognition that the eventual scale of the IoT will require the cloud

It is hard to overemphasize the importance of trust for organizations looking to realize the full potential of our connected future. A strong PKI security architecture, together with encryption and code signing, is a core technology investment for organizations building a trusted IoT ecosystem. NIST continues to seek feedback on its Cybersecurity for IoT program, and the next version of the overall framework is expected to be finalized during the first half of 2018.


The post NIST Cybersecurity Framework: IoT and PKI Security appeared first on Data Security Blog | Thales e-Security.

This is a Security Bloggers Network syndicated blog post. Read the original at: Data Security Blog | Thales e-Security 2017-11-07.