Participants in the multistakeholder group convened by the National Telecommunications and Information Administration to consider security upgradability and patching for IoT (Internet of things) devices are in the finishing stages of the three remaining work group products, and are looking ahead to where those outputs might be housed and updated going forward, as well as what IoT security issues the NTIA multistakeholder process might tackle next.
Evelyn Remaley, deputy associate administrator of NTIA’s Office of Policy Analysis and Development, said, “At NTIA right now it’s very difficult for us to host more than one multistakeholder meeting at a time.” However, the agency is hearing “about challenges in this area” and “would like to be able to continue,” she said, adding, “We get questions about it daily from our government colleagues.” Among the possible issues for such an endeavor mentioned by participants were user authentication by devices and the length of time security support should reasonably be provided.
The remaining groups are working on technical capabilities and patching expectations; existing standards, tools, and initiatives; and incentives, barriers, and adoption. Guidance on how manufacturers of Internet of things (IoT) devices should communicate with consumers about security upgrades for those devices was adopted at the group’s last meeting (TR Daily, July 18).
Since the last meeting, the working group on technical capabilities and patching expectations has “refined the motivation and audience” to “make clear it’s not about consumers explicitly,” according to a presentation today.
One member of the larger group said that the document was “something I can put to use today. I’m looking forward to when I can do that.”
The standards group “has pulled together a lot of data” on existing standards work on IoT security upgrades and patches, Allan Friedman, director–cybersecurity initiatives in NTIA’s Office of Policy Analysis and Development, noted, and is now concerned about making that work “sustainable” so it does not become outdated.
Participants called for the work group’s product to be “a living breathing document,” under the care of an entity with “credibility and international reach,” as well as resources to devote to it.
The incentives and barriers working group appealed for participation by IoT developers and producers, so that their document could reflect knowledge, expertise, cost data, and specific examples it currently lacks. The working group also discussed developed introductory language to tie all four working group documents together.
NTIA plans to convene a “virtual meeting” of stakeholders in early November, although no specific date has yet been designated. —Lynn Stanton, email@example.com