Internet of Things
   Standards
Drafting best practices for
patching IoT
Four working groups formed by the National Telecommu- nications and Information Administration are just months away from finishing their guidance on upgrading and patching internet-of-things devices.
The Existing Standards, Tools and Initiatives Working Group was tasked with compiling a review of IoT security standards and initiatives but found that there are few best practices for patching IoT devices.
Only a handful of documents went into any detail on such practices, said Deral Heiland, co-leader of the group and research lead at Rapid7, after a meeting in September. Most of the literature on patching IoT devices doesn’t go beyond simply saying, “You should patch.”
That’s why he said he is excited about the voluntary patching framework that the Technical Capabilities and Patching Expectations Working Group has been crafting.
Allan Friedman, director of cybersecurity initiatives at NTIA, said the goal is to reach a common understanding of what it means to have a device that can be updated. The publication breaks down over-the-air updates into 13 steps and details what happens in each one.
“I can’t wait until this is published because I can use this now,” Heiland said. “It’s not a standard because this isn’t a
standards organization, but it’s a direction and something to consider.”
In addition, draft guidance from the Incentives, Barri- ers and Adoption Working Group presents a taxonomy for understanding the incentives and challenges of updating IoT devices. The information will be incorporated into a document being developed by the Communicating Up- gradability and Improving Transparency Working Group by early 2018.
When the final versions of those publications are released, the working group members will move on to new challenges related to IoT, such as authentication requirements, privacy and acceptable lifespans for the technologies.
— Matt Leonard
      IoT proposals slowed by NTIA’s leadership vacancy
The NationalTelecommunications and Information Administration finally has an administrator and can now begin implementing its proposals for the internet of things.
NTIA issued a paper in January, before President Don- aldTrump took office, on how to support the expanding universe of internet-connected devices, followed by a request for public and stakeholder comment.
At an October IoT event, Evelyn Remaley, deputy associate administrator of NTIA’s Office of Policy Analysis and Development, said the agency is focus- ing on four major areas: making sure infrastructure is available to support the IoT ecosystem, crafting poli- cies that help users without interfering with innova- tion, creating voluntary standards to ensure interoper- ability, and encouraging the marketplace.
NTIA officials were waiting for political leadership posi- tions to be filled before putting the paper’s proposals and public comments into action. Remaley said NTIA needed
theTrump administration’s “vision for what’s next.”
David Redl, who most recently served as chief counsel
to the House Energy and Commerce Committee, was confirmed as NTIA administrator on Nov. 7.
In the interim, NTIA has not been standing still, however. As directed by the White House’s cyberse- curity executive order, the departments of Commerce and Homeland Security are continuing to develop ways to protect against botnets and distributed denial-of-service attacks. The two departments
are preparing to submit their draft reports in
January 2018, Remaley said, adding that “IoT security is also integral to the executive order on strengthening cybersecurity.”
She added that by being an early adopter, the fed- eral government can “jump-start the market and set a strong example of how to deploy IoT” rather than writing strict regulations.
— Chase Gunter
12 November/December 2017 FCW.COM