
The U.S. National Institute of Standards and Technology (NIST) has observed in a discussion essay a growing convergence between operational technology (OT) and IT, driven by the rise of the Internet of Things (IoT) and by internet-connected equipment that was once isolated. OT infrastructure covers programmable systems and devices that directly interact with or control the physical environment. Covering industrial control systems (ICS), building automation, transportation networks, access control, and systems for monitoring or measuring physical conditions, these systems have longer life cycles, are sometimes difficult to access, and increasingly connect to broader networks rather than operating in isolation.

NIST recognized that for organizations, merging IT and OT functionality introduces the possibility of new features and functions. IoT products or systems can offer the same or similar OT functionality with additional IT and IoT functions. IT functions include those related to the storage and transmission of data. These functions, specifically the connectivity afforded by linking to the internet, enable IoT functions to be added to OT systems such as remote management of equipment and more precise control via continuous monitoring. 

Connectivity can introduce significant challenges for organizations attempting to apply cybersecurity controls to OT and certain IoT products. OT equipment may use modern networking technologies like Ethernet or Wi-Fi, but is often not designed to connect to the internet. 

In many cases, OT and IoT systems prioritize trustworthiness aspects such as safety, resiliency, availability, and cybersecurity differently than traditional IT equipment, which can complicate control implementation. While IoT devices can sometimes replace OT equipment, they often introduce different or significantly expanded functionality that organizations must carefully evaluate before moving forward with replacement.

Organizations should consider how other aspects of trustworthiness, such as safety, privacy, and resiliency, factor into their approach to cybersecurity. It is also important to address how they will manage the differences in expected service life between IT, OT, and IoT systems and their components.

The agency identified that federal agencies are actively deploying IoT technologies to enhance connectivity, security, environmental monitoring, transportation, healthcare, and industrial automation. Government facilities are integrating IoT-enabled security systems, including AI-powered cameras, sensor networks, and automated alerts, to improve safety, disaster preparedness, and energy efficiency, while IoT solutions are enhancing data center monitoring, helping track power stability, humidity levels, and flooding risks. 

Furthermore, specific agencies are also deploying scores of environmental IoT sensors to monitor air and water quality, generating critical data for scientific research, conservation, and potentially regulatory policies, while other agencies are developing earthquake early warning systems using real-time telemetry sensors to detect seismic activity, process alerts, and distribute public notifications. 

With these and other IoT use cases in mind, as well as the requirement from the 2020 Cybersecurity Improvement Act to revise IoT cybersecurity guidelines for the federal government as appropriate at least every five years, NIST is revisiting ‘IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, SP 800-213,’ which was published in November 2021. With the expectation to revisit and, if necessary, revise this work every five years, the Cybersecurity for IoT team is considering areas of potential revision for SP 800-213.

NIST has asked federal agencies to consider several key points regarding IoT security and guidance. First, agencies should assess how NIST should approach IoT devices that depend on other components to function effectively. Second, there is a need to explore how the risk consideration guidelines in SP 800-213 can be revised to reflect the complexities of IoT products with diverse and multi-component architectures.

Third, agencies should evaluate whether NIST should develop additional catalogs beyond the existing IoT Device Cybersecurity Guidance for the Federal Government and SP 800-213A’s catalog of device cybersecurity capabilities. These new catalogs could describe technical capabilities for other IoT product components, and agencies should consider whether such resources would be valuable to the broader community. Finally, input is needed on what types of guidelines would be most useful for specific IoT product components, such as software and remote services.

Earlier this month, NIST published Special Publication 800-18r2, which focuses on the development of system plans that address system-level security, privacy, and cybersecurity supply chain risk management (CSCRM) requirements that may derive from enterprise, organization, and mission/business process requirements. The agency is seeking feedback on the draft’s technical accuracy, clarity, usability, and the impact of changes made to the content.