NIST — From IT to IoT Security

NIST (National Institute of Standards and Technology) primarily publishes its computer, cyber and information security guidelines, recommendations and reference materials through the Special Publication (SP) 800 series [1]. Among these publications, NIST SP 800–53 [2] offers organizations a broad catalog of security controls that supports a more holistic approach to securing their information systems. SP 800–53 catalogs fundamental guidelines and countermeasures to safeguard information in transit, in process, and at rest. While the document specifies the required controls by providing acceptance criteria for each, it does not specify or mandate a particular approach or implementation, because it is designed to be technology-neutral. Guidance on implementing the controls in specific environments with specific technologies is therefore out of its scope.

Although SP 800–53 exists to support the security control selection step of SP 800–37 (the Risk Management Framework) and compliance with applicable standards, policies and laws, it does not require organizations to follow a static checklist of security guidelines. Rather, organizations have to practice due diligence in selecting and tailoring security controls based on organization-defined information security requirements and priorities. The following diagram (adapted from [2]) shows where SP 800–53 stands in NIST’s security life cycle.


Figure 1 — Risk Management Framework

Step 2 is where the relevant security controls are chosen from the comprehensive catalog (SP 800–53) and tailored to the requirements and scope of the information system and the organization’s policies and objectives. After selecting the initial set of applicable security controls, the organization may go through a tailoring process to modify the set so that it more specifically addresses the considerations of its own environment of operation. SP 800–53 introduces the concept of overlays to facilitate this tailoring process and to give organizations greater agility and adaptability in defending their information systems. The NIST SP 800 series includes a number of publications containing overlays for deployment in different environments.

Among these publications, NIST SP 800–82 [3], Guide to Industrial Control Systems (ICS) Security, provides an ICS overlay that customizes the traditional IT security controls and baselines of SP 800–53 to accommodate ICS-specific conditions and requirements. ICS encompass any software and hardware that control devices, together with the mechanisms that gather (sense), process, store, transmit, and deliver data. SP 800–82 guidance can be further tailored for particular sectors such as infrastructure systems, pipelines, electric utilities, energy, etc. At the lowest level, an organization may produce an overlay that adds the specifics of a particular system, component, or product.

Today, Internet-enabled systems and devices (aka things) resemble ICS in that they handle sensors (the means of data acquisition) and actuators. Moreover, with the emergence of IP-connected devices in industrial control systems, those systems are no longer isolated from the external world. Given the value that Internet of Things (IoT) capabilities bring to both the consumer and the industrial sector, integrating IoT offerings into such systems has become inevitable for business owners. However, alongside these extensive benefits, IoT exposes the systems to new types of cybersecurity threats.

The latest revisions of SP 800–53 and SP 800–82 provide new state-of-the-practice security guidance that takes such risks into account. They are an effort to update traditional IT security controls to cover new areas such as Industrial IoT, application security, mobile and cloud computing, etc. This holistic catalog of security controls and control enhancements can be used effectively for gap analysis in this domain. Because of the unique characteristics of IoT devices and services, however, a customized, technology-specific extension to the NIST guidelines is required to secure IoT.


[1] NIST. NIST Special Publications (SP). Accessed December 10, 2015.

[2] National Institute of Standards and Technology (NIST). NIST Special Publication 800–53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations. January 22, 2015.

[3] National Institute of Standards and Technology (NIST). NIST Special Publication 800–82 Revision 2: Guide to Industrial Control Systems (ICS) Security. May 2015.
