Chad Waters via plug on 16 Dec 2020 06:24:03 -0800



Re: [PLUG] IoT Unravelled: parts 1 to 5




On Mon, Nov 30, 2020 at 11:27 AM Keith via plug <plug@lists.phillylinux.org> wrote:
On 11/28/20 10:21 PM, Walt Mankowski via plug wrote:
On Sat, Nov 28, 2020 at 05:26:13PM -0500, Rich Freeman via plug wrote:
On Sat, Nov 28, 2020 at 3:45 PM Chad Waters via plug
<plug@lists.phillylinux.org> wrote:
Related: This bill recently passed the House and Senate and is awaiting a presidential signature. It compels NIST to formulate security standards for IoT devices.

https://www.govtrack.us/congress/bills/116/hr1668

Didn't read the gory details, but how likely do you think that NIST
comes up with standards like this:

* Encouraging open-source
* Mandatory security updates for 10 years
* Safeguards to only allow user-authorized firmware changes

vs:

* Can only run vendor-signed firmware
* Remote access by NSA in case they need to rapidly deploy a security hotfix
* Blocks access to hacking tools like ssh, linux, etc.

I'd love to see security for IoT stuff, but it just seems like this is
the sort of thing the government often gets wrong.
Who knows in this case, but NIST has a pretty good track record in
standards development in general. I just spent a few minutes poking
around on their website to see what this was all about.  If anyone is
interested in the gory details, they've got a video and lots of info
on cybersecurity and IoT at
https://www.nist.gov/video/what-internet-things-iot-and-how-can-we-secure-it

And remember, the great thing about standards is that there are so
many of them!

Walt

Not only is NIST good at standards, they are respected.  One of the things I've often done in the solutions I propose is mention which
NIST standards I'm compliant with; a perfect example of this is the security encryption standards.  So, I can either throw a bunch of acronyms
and word salad at people or I can end the conversation with, "this solution uses NIST standard <something here>".
It's sort of a Field of Dreams thing: if NIST builds it, companies will come.  A secondary point here is that you'll find that public sector work
usually is going to refer to NIST standards where appropriate.

(also by "build" I mean create the standard)

As a follow-up, NIST now has IoT security draft documents up for public comment:
https://www.nist.gov/blogs/cybersecurity-insights/rounding-your-iot-security-requirements-draft-nist-guidance-federal

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug