NTIA IoT Security Upgradability and Patching Effort—Progressing Despite New Admin
On January 31, the National Telecommunications and Information Administration (NTIA) held a meeting of its multistakeholder effort on “Internet of Things (IoT) Security Upgradability and Patching,” which it kicked off in Austin in October 2016. Its objective is to foster a thriving market that promotes security in IoT devices. The effort involves four Working Groups (WGs) looking at aspects of IoT security.
Leadership of NTIA made plain it is not slowing down – they intend for this effort to remain relevant under President Trump. NTIA is eager for stakeholder input, and because multistakeholder efforts can inform standards of care and regulatory expectations, more manufacturers and others in the IoT space should consider participating, particularly before drafts and ideas are much farther along.
Working Group 1: Existing Standards, Tools, and Initiatives is a research effort to identify what standards and best practices exist for security updates. The group will publicly catalog existing standards and best practices. The group is considering scope, including whether to limit the effort to consumer or industrial IoT. They also are considering whether to do a gap analysis.
Working Group 2: Capabilities and Expectations is creating an idealized model of the patching process and is focused on a secure transmission path. Already, the group has found that there are no one-size-fits-all solutions for patching. As with the first group, WG 2 is considering whether to focus on the needs of consumers versus high-security deployments.
Working Group 3: Communicating IoT Upgradability is identifying information consumers may want, before purchase, about IoT upgradability—with an eye toward what sellers or manufacturers might voluntarily communicate to consumers. There are complexities in developing concepts for a diverse, nascent ecosystem, but so far, the group has identified as important a description of:
- Whether a device can receive security updates.
- How a device receives security updates.
- If known, the expected time after which a device may no longer receive updates.
Some members are considering the benefits of consumer labels or other point-of-sale disclosures.
Working Group 4: Incentives, Barriers, Adoption is looking at barriers to updating. The group has identified barriers, including environmental (ecosystem complexity, diversity, and challenges in ability to track consumer devices), interactive (consumer behavior), scale (amount of code and devices in play), production (service provider challenges), and regulatory issues.
The WGs will continue their individual efforts, which draw from think tanks, technology experts and the private sector, as well as some federal agencies. Over 100 people participated in the January 31 virtual meeting. We expect another meeting in April, when some of the Working Groups expect to share drafts.