NIST White Paper on IoT Trust Concerns

After being withdrawn shortly after publication, NIST’s white paper draft on IoT trust concerns is now available for public comment until November 16th. The 50-page document introduces the concept as follows:

Trust is viewed as a level of confidence. In this publication, trust is considered at two levels: (1) whether a “thing” or device trusts the data it receives, and (2) whether a human trusts the “things,” services, data, or complete IoT offerings that it uses. In this document, we are more focused on [human trust].

The paper identifies 17 somewhat overlapping technical concerns “that can negatively affect one’s ability to trust IoT products and services”:

Overwhelming Scalability – Mass proliferation of inexpensively-produced IoT functionality results in feature bloat and spiralling complexity

Heterogeneity – Diversity of interoperating devices creates unforeseen security and reliability issues

Loss of Ownership and Control – IoT functionality provided by third-party vendors can lead to security, reliability issues

Composability, Interoperability, Integration, and Compatibility – Hardware and software components are inherently liable to malfunction

Abundance of “Ilities” – The challenge of achieving quality standards when many are inherently in conflict, or difficult to measure

Synchronization – Abundant IoT activity occurring in parallel produces synchronization anomalies, affecting performance and security

Lack of Measurement – Trust-related metrics and measurements are still lacking in the IoT sector

Predictability – Components in IoT devices can interact unpredictably, confounding design efforts

Testing and Assurance – The IoT creates additional testing challenges, due to their degree of interdependency and lack of transparency

Lack of Certification Criteria – The processes of certification often clash with business priorities and interests

Security – Stringent security considerations in IoT design, operations and maintenance, usually clash with business priorities and interests

Reliability – It is almost impossible to guarantee that an IoT device will optimally handle any event thrown at it

Data Integrity – Data’s accuracy, fidelity, availability and security

Excessive Data – Excessive amounts of diverse data can rarely be perfectly managed

Speed and Performance – Top computational performance inhibits ability to log and audit transactions, and affects responses to failure

Usability – User experience is often constrained by small displays or remote-only operation

Visibility and Discovery – IoT devices are notorious for operating discreetly and opaquely

Further:

Appendix A reviews the impact that many of the 17 technical concerns have on insurability and risk measurement. Appendix B discusses how a lack of IoT regulatory oversight and governance affects users of IoT technologies by creating a vacuum of trust in the products and services that they can access.

To submit a comment on this white paper, email [email protected]

The security shelf-life of IoT devices

February 10, 2015

Presentation: Attacking IoT Devices via their Sensors

December 4, 2017

Assume that, given infinite time, every IoT manufacturer will eventually have as many products as necessary to trac… https://t.co/b1HzKpoZ6F

@iotprivacyforum

- 56 minutes ago

A letter and six questions from @SenJeffMerkley to car manufacturers: "Given that a modern car is reportedly capabl… https://t.co/wM9GGI56ao

@iotprivacyforum

- 22 hours ago

“Amazon's Alexa routinely records and voiceprints millions of children without their consent or the consent of thei… https://t.co/fSC2DcWDJG

@iotprivacyforum

- 1 day ago