New class of defence needed against cyberattacks, says US standards body.
The US National Institute of Standards and Technology (NIST) has called on the IoT industry to bolster the defences of IoT devices through the use of cryptography.
NIST’s efforts to protect the data created by IoT devices – and the wider security of IoT networks – form part of its new “lightweight cryptography” initiative. This demands the creation of new algorithms and techniques that can work on simple, low-power circuits.
The challenge is that many IoT devices draw negligible electrical power and run on circuitry far more limited than even the chips found in simple phones, while common encryption methods typically demand more computing resources than such hardware can provide.
NIST said it would initially seek assistance from the industry in developing the new requirements and guidelines. The Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardisation Process is the first stage of that process.
The aim is to get the software development community on board now so that when the formal request is made later in the Spring, new encryption algorithms will already be in development. The draft document is available now on the NIST website.
Ultimately, NIST said that the goal is to develop lightweight encryption standards that benefit the entire marketplace. According to NIST computer scientist Kerry McKay, effective standards must bring a well-defined solution that applies to a wide class of situations – and this made the wording of the request tricky, McKay said.
“The IoT is exploding, but there are tons of devices that have nothing for security. There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason,” McKay said.
Time for new cryptography standards
Many of the manufacturers who create small, low-cost IoT devices agree that the time is right for establishing effective standards.
For example, Matt Robshaw, a technical fellow at Impinj, which develops RAIN RFID technologies that are used to keep track of connected things, said: “It’s a good time to begin to establish guidance about which of these techniques will be most appropriate.
“As industries adopt authentication apps for things like flu-shot syringes and baby formula, it’s important that there is agreement on security practices.”
After the Federal Register notice appears, NIST will accept comments on the draft for 45 days, and will consider these before releasing the formal submission guidelines document. Following its release, NIST anticipates a six-month submission window for lightweight cryptographic algorithms.
Internet of Business says
Poor device-level, operational, and strategic security has been a dominant theme in IoT news this year, with a raft of reports slamming lax security at hardware level, a lack of basic security procedures – such as changing default passwords – and poor strategic management within organisations, despite a general awareness of the IoT’s broadening attack surface.
Revelations abound of how hackers have gained access to sensitive data, such as patient records, via insecure medical devices, and even to a casino’s client data via an aquarium in the foyer.
Multiple reports have revealed the poor device-level security of a range of connected-home and -office devices, while many security cameras – ironically – are so insecure themselves that entire Web platforms have sprung up that allow users to surf the world of unprotected cameras in offices, public spaces, and homes.
However, the risk is not just that hackers might use an insecure device to gain access to privileged data, but also that they might attack device types across the Internet of Things. In some cases, hostile actors have been using connected devices’ processing power to mine for cryptocurrencies, although that is far less of a risk with low-power, low-processing devices.
Securing the IoT at the level of simple devices is therefore an imperative; failing to do so would create a massive attack surface that would be almost impossible to patch after the fact – although new techniques that use AI to address security at the behavioural level will also be invaluable.