Close this search box.

We are creating some awesome events for you. Kindly bear with us.

NIST report presents overview of international cybersecurity standardisation for IoT

NIST report presents overview of international cybersecurity standardisation for IoT

The National Institute of Standards and Technology in the US
recently released
an interagency report on cybersecurity for the Internet-of-Things (IoT).

The Interagency International Cybersecurity Standardization
Working Group (IICS WG) was established in December 2015 by the National
Security Council's Cyber Interagency Policy Committee. The purpose of the IICS
WG is to coordinate on major issues in international cybersecurity standardisation
and thereby enhance U.S. federal agency participation in international
cybersecurity standardization.  

The Interagency
Report on Status of International Cybersecurity Standardization for the
Internet of Things (IoT)
examines the current state of international
cybersecurity standards development by voluntary consensus standards bodies for

The Report is meant to inform and enable policymakers,
managers, and standards participants as they seek timely development of and use
of cybersecurity standards in IoT components, systems, and services.

The Report notes that trustworthiness of IoT systems will
require active management of risks for privacy, safety, security, etc. Traditional
IT security focuses on CIA (confidentiality, integrity, and availably). As many
IoT components interact the physical world through sensors and actuators, IoT
security is also connected to physical security involving threats to people,
their objects, and their environment.

IoT also connects traditional Internet and mobile
capabilities and industrial control systems, leading to risks for critical
information infrastructure.

Traditional information systems generally prioritise
Confidentiality, then Integrity, and lastly Availability, while control systems
and IoT systems usually prioritise Availability first, then Integrity and
lastly Confidentiality.

Risks and threats

Connected vehicles

Connected Vehicle (CV) technology is expected to enable
vehicles, roads, and other infrastructure to communicate and share vital
transportation information. CVs would be subject to physical safety, as well as
privacy concerns.

V2V (vehicle-to-vehicle), V2I (vehicle-to-infrastructure),
and V2X (combination of V2V and V2X) communications lead to an increased attack
surface for connected cars.

In addition, users may connect and have access to their
vehicles through their smartphones, and personal information on these
components need to be protected from unauthorised access through the vehicle.
Similarly, the vehicle must be protected from threats that may come through the
mobile device.

Potential safety-critical risks include driver distractions
(volume, wipers, etc.) and engine shutoff or degradation. Internet connectivity
in infotainment consoles has introduced threats to passenger safety as a result
of intercommunications between vehicle controls and entertainment. spoofed,
manipulated, damaged, and missing sensors and actuators, could cause vehicles
to behave unpredictably.

Consumer IoT

Here, ensuring the confidentiality, integrity, availability
of consumer data and services is the primary challenge. Hackers compromise the
data integrity and operation of other electronic components on the same network,
using the Consumer IoT device as a conduit. As connected IoT technologies
extend their reach to consumer components critical to basic home functions (e.g.,
thermostat), cyber criminals could target them in ransomware attacks or other
traditional cyberattacks directed to collecting highly-sensitive personal

Moreover, the rising popularity of connected consumer
components also makes them ripe targets for criminals who seek to execute
coordinated, widespread cyberattacks causing systemic harm across the Internet.
A prominent example is the disruption of Domain Name System (DNS) provider Dyn
and associated Internet services in October 2016.

The Report recommends that consumer components should use
strong and readily updatable firmware and robust authentication practices, such
as strong password requirements. Using encryption or a virtual private network
(VPN) connection to the local network may provide protection against unauthorised
eavesdropping and protect the login credentials of the IoT consumer components.

Health IoT

In addition to data security and privacy impacts, attacks on
medical devices and the IT networks they connect may physically affect patients,
causing illness, injury, or even death. This harm may stem from the performance
of the device itself, impeded hospital operations, or the inability to deliver

Major security objectives in this area include: Protect
patient safety from network originated inauthentic commands to actuators; Protect
patient sensor data from tampering to allow correct algorithmic response;
Protect medical device processing capability; Protect patient data where the
data forms part of a treatment and monitoring regime; Protect patient
information from unauthorized disclosure or modification; Ensure patient
information is available to authorized entities when it is needed; Ensure
prompt and secure patch delivery to medical devices; Ensure continuous security
risk management throughout the device lifecycle.

Smart Buildings

Smart buildings may contain several sets of IoT components
that each have their own security objectives, risks, and threats. Here the
primary objective is preventing unauthorised access to any building control
system and preventing a domino effect caused by the compromise of one system
leading to the compromise of another. Robust modelling and testing are required
to handle foreseeable situations.

There are several challenges with securing smart buildings. Interoperability
between systems and components from different vendors could introduce
weaknesses for an attacker to exploit. Once one system becomes compromised, it may
serve as an avenue for an attacker to traverse laterally into another. Moreover,
employees and visitors moving around inside and around the building, and
carrying components connected to various networks introduces further

Smart Manufacturing

Industry 4.0 comprises a system built on automation,
cyber-physical systems, cloud computing, and the Industrial Internet of Things

Challenges in this area arise from fundamental differences
between IT and OT (operational technology). Organisational structure separate
engineering, management and decision-making processes for enterprise business
operations and the production environment. In recent decades, advanced
technologies involving computer-based systems have been progressively
integrated into manufacturing

Successful malicious actors could extort ransom from a
company to release the system from their control, copy sensitive proprietary
information that can be sold to other companies or other governments, or
install software that can affect a product’s performance.

There have been state-sponsored efforts to infiltrate and
steal information from companies involved in defence manufacturing.

Attackers who successfully penetrate the security systems in
processes used to produce arms and equipment for the military may have the
capability to alter or halt production processes to affect these items’
reliability, safety, or security, putting the lives of service personnel at risk.

Current standards

The Report identifies several challenges in the development
of standards for IoT cybersecurity.

Some IoT systems have direct connections to owner networks,
while others directly connect to non-owner networks and some have direct
connections to both.

IoT systems could comprise highly distributed IoT components
that have a variety of owners or may effectively have no defined owner. Some
IoT systems are intended for use by or association with a particular person or
group of people, while others are autonomous.

IoT components sometimes are largely static. Their software
cannot be updated and configuration cannot be changed as needed.

Some IoT components process data locally, while others have
their data processed remotely, and some do both.

IoT components are also highly heterogeneous in terms of operating
systems, network interfaces/protocols, functions, etc. Many IoT systems rely on
proprietary protocols for data communication.

IoT systems are often deployed as part of highly dynamic
systems and system environments. Many IoT systems do not provide centralised
management capabilities for the owner, while many others can be remotely
controlled by first parties (e.g., manufacturers).

Some IoT components are deployed in physically unrestricted
locations. This could imply inability to provide physical security.

Annex D of the Report (page 63) presents a listing of
international cybersecurity standards that the IoT
Task Group
has identified to be IoT relevant. The authors caution that it
is not a complete list and it is also a one-time, static listing.  

The standards have been organised by the eleven core areas
of cybersecurity described in the Report: Cryptographic Techniques, Cyber
Incident Management, Hardware Assurance, Identity and Access Management, Information
Security Management Systems, IT System Security Evaluation, Network Security, Security
Automation and Continuous Monitoring, Software Assurance, Supply Chain Risk
Management and System Security Engineering.

In some areas standards are available, while in others
standard have not been developed yet. Further development is required in
certain areas. For instance, there are many cryptographic standards being used
to protect data in transit and at rest and to provide for strong
authentication. Many of these standards can support IoT systems. There are also
standards developed specifically to support IoT systems. However, cryptographic
techniques will need adjustments and innovations to accommodate the IoT. Scalability,
performance, memory- and power-limited devices, and constrained communication channels
pose cryptographic challenges in the context of IoT.

The Report also identifies possible gaps in standards; for
example, the application of blockchain in cryptographic techniques, the
inability to use software patches to fix flaws in cyber incident management and
the requirement of new standards to address IoT networks that have the
potential for spontaneous connections in the realm of network security.

The uptake of available standards, even when available, has
been slow. The Report notes that in view of the continuing, rapid innovation of
IT, the inventory of IoT relevant cybersecurity standards will remain dynamic.

The Report recommends that agencies should further review possible
standards gaps and work with industry to initiate new standards projects in
SDOs to close gaps. The Report also says that agencies should support the
development of appropriate conformity assessment schemes to the requirements in
such standards. The type, independence and technical rigor of conformity
assessment should be risk-based, taking into consideration the cost to the
public and private sectors, including their international operations and legal

Read the Report here.


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


As a Titanium Black Partner of Dell Technologies, CTC Global Singapore boasts unparalleled access to resources.

Established in 1972, we bring 52 years of experience to the table, solidifying our position as a leading IT solutions provider in Singapore. With over 300 qualified IT professionals, we are dedicated to delivering integrated solutions that empower your organization in key areas such as Automation & AI, Cyber Security, App Modernization & Data Analytics, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Renowned for our consulting expertise and delivering expert IT solutions, CTC Global Singapore has become the preferred IT outsourcing partner for businesses across Singapore.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and consulting services provider, helping clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,800 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity, and service. For more information, visit