Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching

Date: November 07, 2017

IoT Security Update Resources drafted and approved by stakeholders in the multistakeholder process detailed below are available at: https://www.ntia.doc.gov/IoTSecurity

Past Meetings

November 8, 2017

Documents for the meeting:

September 12, 2017

July 18, 2017

April 26, 2017

January 31, 2017 

10/19/2016 Austin, Texas

  • Notice of Open Meeting
  • Draft Agenda
  • Webcast Archive
  • Notes from the stakeholder discussion
  • Presentations from Sharing Perspectives on IoT Security Upgradability and Patching
  • During the meeting, stakeholders discussed five different areas for further focus:
    • Review of existing standards and initiatives: What are existing standards and tools for IoT security upgradability that can inform or should be part of this initiative?
    • Maximum capability and minimum expectations: For each defined class of device, what is the least we might expect and the most we might expect for upgradability?
    • Communicating IoT upgradability: This working group will examine ways for IoT product makers to describe the why/how/what/who of updatability to buyers.
    • Incentives and Barriers: How do we foster greater adoption of good patching and updating practices?
    • Shared open upgrade framework: What are the benefits, requirements, barriers, and existing components of a shared open upgrade framework to support smaller producers or end-of-life products?

Background:
 
In response to Requests for Comment on both the Internet of Things and cybersecurity, stakeholders urged the Department of Commerce and NTIA to address the security of IoT through voluntary, multistakeholder processes. After reviewing these comments and consulting with key experts, NTIA announced that the next multistakeholder process on cybersecurity would be on IoT security upgradability and patching.  
 
This multistakeholder process will help with the recognized need for a secure lifecycle approach to IoT devices.
The ultimate objective is to foster a market offering more devices and systems that support security upgrades through increased consumer awareness and understanding. Enabling a thriving market for patchable IoT requires common definitions so that manufacturers and solution providers have shared visions for security, and consumers know what they are purchasing. Currently, no such common, widely accepted definitions exist, so many manufacturers struggle to effectively communicate to consumers the security features of their devices. 
 
The goal of this process will be to develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security features of IoT devices to consumers. One initial step will be to explore and map out the many dimensions of security upgradability and patching for the relevant systems and applications. A goal will be to design and explore definitions that are easily understandable, while being backed by technical specifications and organizational practices and processes. A final step will be to develop a strategy to share these definitions throughout the broader development community, and ultimately with consumers. 
  
Additional Information:

Completed Documents

The Federal Register Notice announcing the first meeting and providing further background and detail:
https://www.ntia.doc.gov/federal-register-notice/2016/10192016-meeting-notice-msp-iot-security-upgradability-patching
 
Deputy Assistant Secretary Angela Simpson's blog post on "Increasing the Potential of IoT through Security and Transparency," announcing this initiative.
 
April 5, 2016 Request for Comments on Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things
 
Stakeholder Comments on the Benefits, Challenges, and Potential Roles for the Government in Fostering the Advancement of the Internet of Things

March 19, 2015 Request for Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
 
Stakeholder Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

The Federal Register Notice announcing the 01/31/2017 virtual meeting:
https://www.ntia.doc.gov/federal-register-notice/2017/notice-01312017-meeting-multistakeholder-process-internet-things