This story is over 5 years old.


According to a NIST Analyst, the Internet of Things Is Indefensible

It's a fundamental issue of complexity.
​Image: Embecosm Limited

​The Internet of Things is the accepted future of the connected world—networks casting off the shackles of conventional computing devices. These connections will newly integrate themselves into pretty much anything and everything that might carry an electrical current, from contemporary realizations in watches and cars to shopping carts, thermostats, and even the natural world (see: electric clams).


All is internet, internet is all. And so forth.

There's a problem, however, according to Ron Ross, a fellow in NIST's Computer Security Division: the IoT is fundamentally insecure. That is, there is no possibility, even theoretically, of properly defending the whole mess.

Ross offered this assessment last Thursday in a panel discussion hosted by the Bethesda, Maryland branch of the Armed Forces Communications and Electronics Association. No matter what, hackers will still "have a slice of that pie that will always be accessible because there are things that are off our radar due to their complexity," Ross said, according to Federal Computer Week.

"You can comply perfectly with all of that stuff and you can still have a very vulnerable infrastructure because of the complexity," Ross continued. "There are things that those standards and guidance … don't touch."

Part of that has to do with the IoT being something of a wild west at the moment. As Ross notes, while a whole lot of guidance (read: the best way to do a thing according to the organization tasked with finding best ways to do things) exists—much of it courtesy of the National Institute of Standards and Technology, or NSIT—but nothing as sweeping and comprehensive as what's needed. He likens the effort and coordination required in protecting the IoT to that put forth during the Cold War space race.

To that end, Ross and colleagues have published NIST Special Publication 800-160, a draft document dedicated to outlining and developing best practices in systems security engineering. The point, he told FCW, is to, "do a better job of engaging the right people in the organization, the decision makers who are taking those risk-based decisions, and get them involved early in the process." It's just a start, but the hope is that with public comment, a final version can be released by the end of the year.