Internet of Things

IoT poses special cyber risks


Internet-connected devices pose special risks for federal agencies, and the National Institute of Standards and Technology is developing guidance to meet the need.

Connected sensors, smart-building technology, drones and autonomous vehicles can't be managed in the same way as traditional IT, according to a NIST draft publication, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. The document points out that basic cybersecurity capabilities often aren't available in IoT devices.

Federal agencies must “consider that IoT presents challenges in achieving those [cybersecurity] outcomes or there are challenges that IoT may present in achieving security controls -- and we wanted to highlight those,” Katerina Megas, program manager for NIST's Cybersecurity for Internet of Things program, told FCW at the Internet of Things Global Summit on Oct. 4.

"We felt putting out something initial on IoT was the most important -- to get something out as quickly as possible," she said. "There will be plans in the future to get more focused, more specialized."

One of NIST's next steps is to develop a potential baseline of cybersecurity standards for IoT devices, she said.

NIST is accepting comments on the draft through Oct. 24. Before a final version is published, Megas said, "we plan on starting to release iterative discussion documents to talk about if there were a baseline for IoT devices."

Robert S. Metzger, a government contracting attorney at Rogers Joseph O'Donnell, said that the federal government is exposed to the security and privacy risks of the IoT ecosystem through relationships with vendors.

"The IoT is all over us whether we know it or not,"  Metzger said. "Even if government is not buying it, so many surfaces upon which government depends are using it. Vendors are using it, and so the government becomes, if you will, not so much a hostage but among those exposed to the IoT deployment by commercial enterprises."

Although the IoT creates new and more attack surfaces for potential bad actors, and it opens up both networks and hardware to potential threats, that doesn’t mean it should be shunned, Metzger said at the conference.

One place the government can begin to ask for better security is in the procurement process for these technologies, according to Tom McDermott, the deputy assistant secretary of cyber policy at the Department of Homeland Security.

"We are always looking to think about how we can use federal procurement authority and federal procurement power to drive better cybersecurity outcomes," McDermott said.

A bill proposed by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) last year would impose basic cybersecurity standards on IoT devices procured by the federal government, including changeable passwords and a requirement that software and firmware be patchable. So far, the bill hasn't advanced, although a companion measure was introduced in the House of Representatives.

Separately, NIST put out a call in April for ideas on lightweight encryption, with an eye to developing security measures that could be deployed on resource-constrained IoT devices.

About the Author

Matt Leonard is a reporter/producer at GCN.

Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.

Leonard can be contacted at or follow him on Twitter @Matt_Lnrd.

Click here for previous articles by Leonard.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.