The Commerce Department will soon be releasing a draft “road map” on Internet of Things (IoT) security issues, an official with the National Institute of Standards and Technology (NIST)–which is part of the Commerce Department–indicated Tuesday during a panel discussion at the 2018 Symantec Government Symposium.

Katerina Megas, program manager for IoT cybersecurity at NIST, said the draft road map on IoT security may be released in the “next couple weeks.” She did not fully detail the draft, but said it may suggest actions to be taken by Commerce, NIST, the Federal Trade Commission, and the private sector. The road map document will be put out for public comment, she said.

The expected IoT security road map follows Commerce’s delivery to the White House earlier this year of a report on botnets that calls for consideration of baselines for IoT device security and labeling of IoT devices.

Megas said that subsequent discussions have involved whether a labeling program might be appropriate for consumer IoT devices, one that includes information about device security and how long devices will be supported by manufacturers. “We see this as more of an industry-led activity,” she said.

Speaking more generally, Megas said “there may be updates” involving regulation of connected devices “where human safety is an issue,” but did not elaborate.

And she said one “lever” for improving IoT security could be “government leading by example” and requiring improved security disclosures for IoT equipment that is offered for sale to the government.

Asked whether there was “confusion” in the IoT security market, John Mills, principal director and partner at Cyber Asymetrics Associates and formerly director of cybersecurity policy, strategy, and international affairs at the Defense Department, replied, “Oh yes, but I am starting to see a glide path to normalization.”

Both panelists discussed the need for a common taxonomy in order to classify IoT devices and systems. Megas said there are “lots of definitions out there,” and added, “it’s an ongoing work.”

Asked how standards can be fashioned to fit multiple taxonomies for IoT devices, Mills replied, “It’s constantly evolving.” But he said his firm uses NIST-generated standards, and commented, “whoever drives standards drives the future.”

Mills said that with the exponential growth in IP-enabled devices, the trick is “how do we provide order and discipline to this phenomenon…We have to take this chaos and move to order” by getting a handle on all of the interactions between connected devices and systems. “We have to be able to quantify if we want to resolve chaos,” he said.

Mills said that in many instances the relative lack of IoT security lies in a lack of public key infrastructure–policies needed to create and manage digital certificates and manage public-key encryption–and two-factor authentication, and said it was important that consumer IoT devices be authenticated to vendors’ networks. He said his current work at Cyber Asymetrics involves a three-tier level of authentication for IoT devices, but declined to elaborate.

He also suggested that IoT devices be “scored” for security using a green-yellow-red color-coded system, saying that such a scorecard has “amazing power” to get people to notice security.

As to IoT security in general, Mills cautioned, “It’s messy, and it’s going to get messier here before things normalize.”

Speaking of IoT development and deployment generally, he concluded, “We are on the border of this huge transformation of society.”

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.