NIST White Paper on IoT Trust Concerns

After being withdrawn shortly after publication, NIST’s white paper draft on IoT trust concerns is now available for public comment until November 16th. The 50-page document introduces the concept as follows:

Trust is viewed as a level of confidence. In this publication, trust is considered at two levels: (1) whether a “thing” or device trusts the data it receives, and (2) whether a human trusts the “things,” services, data, or complete IoT offerings that it uses. In this document, we are more focused on [human trust].

The paper identifies 17 somewhat overlapping technical concerns “that can negatively affect one’s ability to trust IoT products and services”:

Overwhelming Scalability – Mass proliferation of inexpensively-produced IoT functionality results in feature bloat and spiralling complexity

Heterogeneity – Diversity of interoperating devices creates unforeseen security and reliability issues

Loss of Ownership and Control – IoT functionality provided by third-party vendors can lead to security, reliability issues

Composability, Interoperability, Integration, and Compatibility – Hardware and software components are inherently liable to malfunction

Abundance of “Ilities” – The challenge of achieving quality standards when many are inherently in conflict, or difficult to measure

Synchronization – Abundant IoT activity occurring in parallel produces synchronization anomalies, affecting performance and security

Lack of Measurement – Trust-related metrics and measurements are still lacking in the IoT sector

Predictability – Components in IoT devices can interact unpredictably, confounding design efforts

Testing and Assurance – The IoT creates additional testing challenges, due to their degree of interdependency and lack of transparency

Lack of Certification Criteria – The processes of certification often clash with business priorities and interests

Security – Stringent security considerations in IoT design, operations and maintenance, usually clash with business priorities and interests

Reliability – It is almost impossible to guarantee that an IoT device will optimally handle any event thrown at it

Data Integrity – Data’s accuracy, fidelity, availability and security

Excessive Data – Excessive amounts of diverse data can rarely be perfectly managed

Speed and Performance – Top computational performance inhibits ability to log and audit transactions, and affects responses to failure

Usability – User experience is often constrained by small displays or remote-only operation

Visibility and Discovery – IoT devices are notorious for operating discreetly and opaquely

Further:

Appendix A reviews the impact that many of the 17 technical concerns have on insurability and risk measurement. Appendix B discusses how a lack of IoT regulatory oversight and governance affects users of IoT technologies by creating a vacuum of trust in the products and services that they can access.

To submit a comment on this white paper, email [email protected]

The security shelf-life of IoT devices

February 10, 2015

Security bug found in IoT hospital dishwasher

March 31, 2017

This payment option will allow Amazon to "collect data on where customers shop, but not what they purchase or how much they spend inside third-party retail stores." #AmazonOne is also set to replace entry ID cards and event tickets. #IoTprivacy https://t.co/Qx86idP9c8

@iotprivacyforum

- 16 hours ago

A great way to sell surveillance: "We know the dangers of surveillance, but people are dying." Saving some lives on the roads might be the silver lining of removing driver controls so they can do other things which generate more valuable data. #IoTprivacy https://t.co/YXbggrPB5Z

@iotprivacyforum

- 1 day ago

"Imagine you are in a job interview. As you answer the questions, an AI system scans your face, scoring you for nervousness, empathy and dependability. It may sound like science fiction, but such systems are increasingly used, often without consent." https://t.co/tQLXzu4bOK

@iotprivacyforum

- 3 days ago