
COSO Framework The COSO framework of internal controls is practiced within companies around the world. The objectives of the COSO framework are closely related to its five compon

  Research Paper: COSO Framework

The COSO framework of internal controls is practiced within companies around the world. The objectives of the COSO framework are closely related to its five components. For this assignment, please discuss these five components of the COSO framework. Be sure to include each component’s impact on each of the COSO framework objectives. What do you feel an auditor would most be concerned with during an IT audit? Lastly, discuss suggestions for integrating COSO framework compliance into a company with which you are familiar. Your paper should meet the following requirements:

  • Be approximately 3-4 pages in length, not including the required cover page and reference page.
  • Follow APA7 guidelines. Your paper should include an introduction, a body with fully developed content, and a conclusion.
  • Support your answers with the readings from the course and at least two scholarly journal articles to support your positions, claims, and observations, in addition to your textbook. The UC Library is a great place to find resources.
  • Be clearly and well-written, concise, and logical, using excellent grammar and style techniques. You are being graded in part on the quality of your writing.

Use the attachment and reference link for research (mandatory)

 Schiff, & Warren, M. T. (2017). Implementing A Business Intelligence (BI)/Corporate Performance Management (CPM) Solution: Challenges Faced By A Major National Retailer. Journal of Business Case Studies, 13(2), 63–72.

Dong-Hui Jin, & Hyun-Jung Kim. (2018). Integrated Understanding of Big Data, Big Data Analysis, and Business Intelligence: A Case Study of Logistics. Sustainability, (10), 3778. 

THE PRESIDENT’S

NATIONAL SECURITY TELECOMMUNICATIONS

ADVISORY COMMITTEE

NSTAC Report to the President on the Internet of Things

November 19, 2014

President’s National Security Telecommunications Advisory Committee

NSTAC Report to the President on the Internet of Things i

TABLE OF CONTENTS

EXECUTIVE SUMMARY

1.0 INTRODUCTION
  1.1 Scoping and Charge
  1.2 Approach

2.0 DISCUSSION
  2.1 Internet of Things (IoT) Overview
  2.2 Considerations of the IoT Impact on National Security and Emergency Preparedness
    2.2.1 Unique Aspects of IoT Technology
    2.2.2 IoT Governance Considerations
    2.2.3 IoT Institutional Support & Structure

3.0 FINDINGS
  3.1 IoT Technology/Unprecedented Effects
  3.2 Governance of IoT
  3.3 Institutional Support & Structure

4.0 CONCLUSION

5.0 RECOMMENDATIONS

APPENDIX A: MEMBERSHIP
APPENDIX B: ACRONYMS
APPENDIX C: GLOSSARY
APPENDIX D: BIBLIOGRAPHY
APPENDIX E: AREAS OF FOCUS
APPENDIX F: CASE STUDIES

This NSTAC report contains typographical revisions that were made following submission of the report to the President. No content was altered.


EXECUTIVE SUMMARY

The rapid adoption of smart, adaptive, and connected devices—the “Internet of Things” (IoT)—is occurring across virtually all critical infrastructure sectors. Moreover, this is happening at a speed that far outpaces earlier technological developments. The IoT will bring significant societal benefits, many of which are already being realized through increased efficiencies, early detection of faults, improved reliability and resilience, and more. But the rapid and massive connection of these devices also brings with it risks, including new attack vectors, new vulnerabilities, and perhaps most concerning of all, a vastly increased ability to use remote access to cause physical destruction.

Recognizing this, the Executive Office of the President, specifically the National Security Council, tasked the President’s National Security Telecommunications Advisory Committee (NSTAC) to examine the cybersecurity implications of the IoT within the context of national security and emergency preparedness (NS/EP). The NSTAC found that IoT adoption will increase in both speed and scope, and that it will impact virtually all sectors of our society. The Nation’s challenge is ensuring that the IoT’s adoption does not create undue risk. Additionally, the NSTAC determined that there is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk. If the country fails to do so, it will be coping with the consequences for generations.

Scope of the Study

In February 2014, the NSTAC issued the Industrial Internet Scoping Report, which summarized the work of the NSTAC’s Industrial Internet Scoping Subcommittee. The report revealed that in addition to Industrial Internet, IoT is referred to by several terms, including machine-to-machine communications, Internet of Everything, and cyber-physical systems. In its report, the NSTAC described the IoT as an expansion of the global infrastructure through existing and evolving interoperable information and communication technologies that incorporates the interconnection of physical and virtual systems to enable new and automated capabilities. It also noted that the potential benefits of the IoT include the development of innovative services and, in many cases, more efficient use of infrastructure. However, it also found that the IoT has several security factors that Government and industry should consider, including an exponential expansion in attack surfaces, a changing threat landscape, privacy concerns, an increased potential for kinetic-focused cyber attacks, and changes to the hardware lifecycle. The NSTAC concluded that these benefits and risks were already being recognized in the early deployment of IoT, thus necessitating a better understanding of the technology, the implications of existing and new policy structures, and the impacts on critical infrastructure security and resilience. Following this examination, the NSTAC established the IoT Research Subcommittee (IoTS) to study the cybersecurity implications of the IoT, within the context of NS/EP. 1

1 IoT-enabled consumer products and services are out of scope for this report, except to the extent that they interact with NS/EP systems.


Summary of the Report

In 2008, the U.S. National Intelligence Council warned that the IoT would be a disruptive technology by 2025. 2 The Council said that individuals, businesses, and governments were unprepared for a possible future when network interfaces reside in everyday things. Almost six years later, this warning remains valid, though it now seems certain that the IoT will be disruptive far sooner than 2025—if it is not so already. The number of Internet-connected devices first outnumbered the human population in 2008, and that number continues to increase. By 2013, there were as many as 13 billion Internet-connected devices, and projections indicate that this will grow to 50 billion or more by 2020, generating global revenues of more than $8 trillion by 2020. 3 The pace of deployment led the NSTAC to conclude that there are only three years—and certainly no more than five—to influence how IoT is adopted. By 2020, there will be tens of billions of devices in use. Now is the time to influence how those devices are designed and what protocols govern their use; after they are deployed, new policy will only affect change at the margins.

The IoT’s deployment will have a direct impact on the Nation’s NS/EP. Billions of IoT devices (e.g., sensors, processors, actuators) that can communicate with one another are being incorporated directly into the Nation’s critical infrastructure systems. Many of these devices will be controlled remotely, often across the public Internet and from personal smartphones or tablets. Consumer devices will undoubtedly connect to networks that may have connectivity to critical systems, which will create new attack venues for an adversary. These venues will be particularly hard to defend because they may not be discovered until a malicious actor tries to exploit them. Finally, as the IoT evolves, it is possible—if not likely—that hardware and software used in the consumer market will later be used to develop devices that are integrated into critical systems.

Concerns regarding the IoT’s deployment may be analogous to the development of the Internet and the cybersecurity problems the Nation currently faces. When the protocols that govern the Internet were developed, security was not a significant consideration. At the time, the pervasive use of the Internet—for everything from commerce to global communications to life-sustaining functions—was not conceivable; had early designers envisioned this, there would have been a higher priority on security. Today, the Nation stands on the edge of a similar revolution in how it interacts with devices and how the devices will serve the country; however, if we do not include security as a core consideration, there will be significant consequences to both national and economic security.

2 National Intelligence Council, “Disruptive Civil Technologies: Six Technologies With Potential Impacts on U.S. Interests Out to 2025,” April 2008.

3 ZDNet. “Is the Internet of Things strategic to the enterprise?” May 31, 2014. Available at http://www.zdnet.com/is-the-internet-of-things-strategic-to-the-enterprise-7000030068/

In 2008 the National Intelligence Council warned the IoT would be a disruptive technology by 2025; six years later, it is clear that this will happen much sooner, if it has not already.

The IoT will impact NS/EP as billions of devices are deployed with the potential to be connected remotely with many of the Nation’s critical infrastructure systems.

This risk, coupled with the asymmetric nature of the cybersecurity threat, requires an immediate and coordinated response from the public and private sector in order to ensure that the benefits of IoT are realized and the dangers are minimized. In order to understand this risk and develop recommendations to address it, the NSTAC engaged with key stakeholders from the Federal Government and industry subject matter experts, including organizations helping to lead and shape the future of the IoT. This allowed the NSTAC to garner insights and best practices related to the rapidly evolving IoT technologies.

The NSTAC found that IoT technologies are creating unprecedented effects. It is expected to boost the economy and improve life for citizens, particularly when combined with other related technology concepts, such as cloud computing, autonomy, and big data. There are also factors that could prevent IoT from reaching its maximum potential benefits, including failure to manage the risk associated with rapid innovation and increased connectivity, the lack of an institutional support structure for the IoT, and the inability of governance and policy processes to keep pace with the rate of development and deployment of emerging IoT technology.

The NSTAC also found that the compromise or malfunction of IoT devices could have NS/EP implications. Compromise of devices that run or are connected to different critical infrastructure systems could have the potential for major economic disruption, kinetic damage impacting public safety, or in extreme cases, catastrophic failure of national infrastructure or critical systems. Yet, it remains an open question whether IoT is being adopted in a manner that maximizes its utility and minimizes any associated risk.

Recommendations

In light of the rapid adoption of emerging technologies and the dynamic threat environment, immediate action is needed to address the dynamic IoT environment. The NSTAC found that existing governance, policy, and institutional support structures are not well-equipped to facilitate the rapid changes needed; therefore, NSTAC suggests the first three recommendations be acted upon within 90 days. Based on the authorities and responsibilities established by EO 13618, Assignment of National Security and Emergency Preparedness Communications Functions, the NSTAC recommends that the President execute the following recommendations:

1. Direct the Department of Commerce, specifically NIST, to develop a definition of IoT for use by departments and agencies to be used during assessments related to the IoT.

2. Direct the Office of Management and Budget to require Federal departments and agencies to:

a. Conduct an internal assessment to document IoT capabilities that currently support and/or planned for support of NS/EP functions. These assessments must consider interconnections and interdependencies that may be introduced and the associated risks and benefits with respect to NS/EP.

b. Develop contingency plans to identify and manage security issues created by current and future IoT deployments within the Government. The plans should recognize that IoT devices and their potential uses will continually evolve as well as anticipate an environment that cannot be fully secured because of the dynamic nature of the IoT and the potential threat.

3. Create an IoT interagency task force that coordinates with existing organizational bodies to foster balanced perspectives between security, economic benefits, and potential risks. At a minimum, participants should include the Department of Commerce, Department of Homeland Security, and Department of Defense. The task force will set milestones for completion of the following activities that are reflective of the urgency of need to address the risks that ongoing deployments of IoT pose to NS/EP.

a. Identify the gaps between security practices and emerging technologies to address the unique risks posed by IoT on NS/EP and develop plans for how to incentivize development of security innovations to address the gaps.

b. Direct the update of Federal strategic documents to consider the security aspects of the explosive growth of and reliance upon IoT devices. Examples include the National Strategy to Secure Cyberspace, the Comprehensive National Cybersecurity Initiative, and Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program.

c. Direct the update of existing awareness and training programs. The focus of the awareness should be to inform the public, as well as leaders and decision makers (private and public, including legislators), about both the benefits and risks of the rapid adoption of IoT and, thereby, encourage a culture of security around IoT device use and development. Role-specific programs should be considered for those involved in the design, development, production, procurement, and operation of NS/EP systems.

d. Encourage and incentivize academia to develop curricula focused on: (i) IoT and the associated security challenges; and (ii) the convergence of the IT and OT disciplines, in order to educate future professionals engaged in the design, administration, or security of NS/EP systems.

e. Encourage engagement in appropriate international forums for standards and policy development.

4. Convene and facilitate a Government and industry standing body to coordinate, collaborate and leverage the various industry IoT consortia to develop, update, and maintain IoT deployment guidelines to manage cybersecurity implications and risks. These guidelines should include the integration of IoT into systems that support NS/EP functions and highlight the gaps between risks the market will address and national security risks, which markets are not intended to address and are for use as part of the acquisition, procurement, and operations procedures. The result should enable an adaptive set of guidelines, focused on cybersecurity and resiliency of the ecosystem, that changes with the risk in a timely manner based on a continuous collaborative process. The executive agent of this standing body must have authority and oversight to enforce agreed-to deployment guidelines across governmental agencies and departments.


5. Direct the NS/EP Communications Executive Committee to: (1) review and recommend updates through the PPD-1 process on priority schema to account for and enable priority on all forms of next generation networks communications (e.g., voice, video, data) for NS/EP and public safety communications; (2) appropriately account for the impact the growth of IoT and IoT-related data associated with NS/EP communications; and (3) develop, in conjunction with the private sector, updates to NS/EP programs including Government Emergency Telecommunications Service, Wireless Priority Service, Telecommunications Service Priority, and Special Routing Access Services.

6. Direct the Office of Science and Technology Policy to review current research and development (R&D) investment and recommend future R&D funding for IoT security. Funding will help to understand the potential risks to NS/EP functions associated with IoT in an interconnected ecosystem, including IoT architectures, network management, privacy, and device identification and authentication in a manner that allows for productivity, growth, and innovation. Measure improvements in adoption and implementation of new technologies from the research execution with linkages to national priorities and interests and ensure that existing, similar recommendations are appropriately executed.

As recommendations are considered and implemented, it will be important to: (1) establish metrics to measure and monitor the effectiveness of the recommendations; (2) incorporate IoT technology in a manner that minimizes risk; (3) incorporate IoT in current education and awareness programs; and (4) ensure IoT-related R&D projects are addressing evolving cybersecurity challenges. The NSTAC believes these actions will help maximize security and resiliency within the IoT ecosystem.


1.0 INTRODUCTION

In 2008, the U.S. National Intelligence Council warned that the Internet of Things (IoT) would be a disruptive technology by 2025. 4 The Council said that individuals, businesses, and governments were unprepared for a possible future when network interfaces reside in everyday things. Almost six years later, this warning remains valid, though it now seems certain that the IoT will be disruptive far sooner than 2025—if it is not so already. More recently in January 2014, the Director of National Intelligence (DNI) stated that “[t]he complexity and nature of these systems means that security and safety assurance are not guaranteed and that threat actors can easily cause security and/or safety problems in these systems.” 5 Several statistics validate the Government’s concerns: the number of Internet-connected devices first outnumbered the human population in 2008, and that number continues to grow faster than the human population. By 2013, there were as many as 13 billion Internet-connected devices, and projections indicate that this will grow to 50 billion or more by 2020, generating global revenues of greater than $8 trillion by 2020. Many of these systems are visible to any user, including malicious actors, as search engines are already crawling the Internet indexing and identifying connected devices.

The IoT is the latest development in the decades-old revolution in communications, networking, processing power, miniaturization, and application innovation and has radically altered communications, networks, and sensors. The IoT is a decentralized network of objects, applications, and services that can sense, log, interpret, communicate, process, and act on a variety of information or control devices in the physical world. However, the IoT differs from previous technological advances because it has surpassed the confines of computer networks and is connecting directly to the physical world. Just as modern communications have fundamentally altered national security and emergency preparedness (NS/EP), the IoT has had a similar transformative impact.

Throughout the communications revolution, a plethora of existing and new technologies have led to astonishing improvements in the efficiency and effectiveness of Government and private sector operations and capabilities; yet the IoT differs in the pace, scale, and breadth of deployment of interconnected devices, which has resulted in immense benefits to individuals and organizations. Despite the benefits, the IoT is accompanied by risk associated with increased dependencies, expanded number of devices, and associated interconnections that will create a large attack surface with numerous potential threat vectors. The increased attack surface and our Nation’s dependence on these new systems, either directly or through the critical infrastructure systems in which they are embedded, has made the IoT and new systems natural targets for criminals, terrorists, and nation states that wish to exploit them. These dependencies will continue to increase as the IoT permeates all sectors of the economy and all aspects of people’s lives. While all users have to cope with this expanded attack surface, IoT applications in the NS/EP domain must be hardened against the potential risks. As IoT manufacturers and vendors work to meet their customers’ needs, including NS/EP demands, competition will ultimately determine which products and services succeed or fail, thereby fueling further innovation.

4 National Intelligence Council, Disruptive Civil Technologies, Six Technologies With Potential Impacts on US Interests Out to 2025, April 2008.

5 Clapper, James R., Statement to the Senate Select Committee on Intelligence, Worldwide Threat Assessment of the U.S. Intelligence Committee, January 29, 2014. Available: http://www.dni.gov/files/documents/Intelligence%20Reports/2014%20WWTA%20%20SFR_SSCI_29_Jan.pdf

1.1 Scoping and Charge

Recognizing the IoT’s pace of growth, breadth of usage, and depth of deployment, the Executive Office of the President, specifically the National Security Council, requested that the President’s National Security Telecommunications Advisory Committee (NSTAC) conduct a study of the cybersecurity implications of the IoT within the context of NS/EP. In October 2013, the NSTAC’s Designated Federal Officer established the Industrial Internet Scoping Subcommittee to examine the issue and present it to the NSTAC for consideration. Following member approval, a research subcommittee was established in March 2014. This report examines the implications of the explosive growth of the IoT in the NS/EP realm and will focus on potential changes to the security posture and associated strategies for NS/EP-sensitive infrastructures. These considerations will include the enormous expansion and morphing of the potential network-attack surface, the implications of the data explosion triggered by IoT, and the need to develop new disciplines focused on IoT and the intersection of information technology (IT) and operations technology (OT).

1.2 Approach

The NSTAC’s approach was guided by the extent to which emerging IoT technologies are being deployed across a spectrum of users, from personal to national systems. In order to capture critical concepts, best practices, and lessons learned related to IoT technology implementations, the NSTAC engaged Federal Government organizations, as well as subject matter experts from industry. The engagements with industry included several industry-leading organizations that are working to help shape the future on how industry will best leverage IoT. Additionally, in the NSTAC Industrial Internet Scoping Report, four areas of the IoT were identified to help shape the NSTAC’s research effort: (1) security; (2) operations; (3) design; and (4) policy. Each focus area of the IoT was used to inform the report’s findings and recommendations and is described in detail in Appendix E.

The NSTAC also developed a strengths, weaknesses, opportunities, and threats (SWOT) analysis, depicted in Table 1, IoT NS/EP SWOT Analysis, which highlighted the IoT’s benefits and significant NS/EP risks. This analysis helped the NSTAC prioritize its recommendations.

Areas of Study in IoT

1) Security (Trustworthiness, resiliency, user behaviors, public/private partnership)

2) Operations (Interoperability of systems, reliability of operations, spectrum prioritization, IT/OT process coordination)

3) Design (Best practices and standards, security-by-design, trust relationships, integration with NS/EP programs)

4) Policy (Resiliency, privacy, public safety, international considerations)


Table 1: IoT NS/EP SWOT Analysis 6

Inherent to IoT

STRENGTHS (Helpful)

  • Ubiquitous sensing
  • Increased productivity
  • Speed and accuracy of information
  • Ability to immediately affect targeted change in the physical world

WEAKNESSES (Harmful)

  • Expanded attack surface (e.g., sensors, data)
  • Lack of clear technical public policy (i.e. identity management for IoT devices and users.)
  • Potential introduction of uncertainty due to high volumes of data
  • Data spread across multiple jurisdictions

Implications for NS/EP

OPPORTUNITIES (Helpful)

  • Real-time NS/EP operational efficiency
  • Expanded situational awareness with interoperable systems
  • Economic revenue growth
  • New functionality
  • Rethink end-to-end system security and resiliency

THREATS (Harmful)

  • Unanticipated attack modalities on NS/EP
  • Emergent, disruptive behavior
  • Immature knowledge base related to IoT security.
  • IoT traffic not currently included in NS/EP (Priority Telecommunications Services)

2.0 DISCUSSION

2.1 IoT Overview

Systems underpin every facet of American society—from transportation to utilities to communications—and are accessible and often controllable from around the world. More devices are connected to networks, and those networks are connected to each other, a concept known as the IoT; however, there is no universal definition of the IoT, just as there is no agreement in the use of that name to describe this trend. Whether it is called IoT, the Industrial Internet, or cyber-physical systems (CPS), the term describes a decentralized network of objects (or devices), applications, and services that can sense, log, interpret, communicate, process, and act on a variety of information or control devices in the physical environment. These devices range from small sensors on consumer devices to sophisticated computers in industrial control systems (ICS)
