The National Telecommunications and Information Administration (NTIA) announced Monday that it is convening meetings of a multistakeholder process concerning Internet of Things Security Upgradability and Patching.
The initial meeting will be held in Austin, Texas, on October 19, 2016, NTIA said.
In March of 2015 the National Telecommunications and Information Administration issued a Request for Comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers,” according to a Federal Register notice.
In a separate but related matter in April 2016, NTIA, the Department’s Internet Policy Task Force, and its Digital Economy Leadership Team sought comments on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things.
According to NTIA, more than 130 stakeholders responded with comments addressing many substantive issues and opportunities related to IoT. Security was one of the most common topics raised.
Many commenters emphasized the need for a secure lifecycle approach to IoT devices that considers the development, maintenance, and end-of-life phases and decisions for a device, said NTIA.
On August 2, 2016, after reviewing these comments, NTIA announced that the next multistakeholder process on cybersecurity would be on IoT security upgradability and patching.
The matter of patching vulnerable systems is now an accepted part of cybersecurity, noted NTIA. Unaddressed technical flaws in systems leave the users of software and systems at risk.
To help realize the full innovative potential of IoT, users need reasonable assurance that connected devices, embedded systems, and their applications will be secure, said NTIA. A key part of that security is the mitigation of potential security vulnerabilities in IoT devices or applications through patching and security upgrades.
The ultimate objective of the multistakeholder process is to foster a market offering more devices and systems that support security upgrades through increased consumer awareness and understanding. Enabling a thriving market for patchable IoT requires common definitions so that manufacturers and solution providers.
The immediate goal of this process will be to develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security features of IoT devices to consumers. One initial step will be to explore and map out the many dimensions of security upgradability and patching for the relevant systems and applications. A goal will be to design and explore definitions that are easily understandable, while being backed by technical specifications and organizational practices and processes.
A final step will be to develop a strategy to share these definitions throughout the broader development community, and ultimately with consumers.
This may include raising awareness in the consumer space to help consumers understand security options and drive market forces, NTIA said.