The National Institute of Standards and Technology (“NIST”) recently posted a preliminary discussion draft of its forthcoming Framework for Cyber-Physical Systems (a term used interchangeably with the Internet of Things, or the “IoT,” but also broadly including smart grids and other large-scale systems). The framework’s purpose is to provide a foundation for companies and government entities to safely and securely build and interconnect smart systems involved in critical areas, such as personalized health care, emergency response, traffic flow management, manufacturing, defense, homeland security, and other domains. This is accomplished by creating a common lexicon and standards to encourage cybersecurity, privacy, and interoperability “by design.”
The framework conceives of the IoT as a system of systems, interconnected with each other potentially on both a digital and physical level. For example, systems to control the flow of energy (e.g., an electric grid) are physically connected to systems to control the conversion of energy (e.g., power generation). As these systems become “smarter” and connect with each other digitally as well, and share information between each other, common interoperability standards will be necessary, and cybersecurity and privacy controls should be built in by design. The IoT framework draws on the lessons learned from the creation and scaling of the traditional Internet, and is intended to provide the tools and concepts that the creators of smart systems can use to implement best practices.
In general, frameworks of this kind are published by industry groups, standards bodies, or government agencies to establish a common set of standards or best practices across an industry. NIST’s Cybersecurity Framework, published in February 2014, has become a prominent example, as it applies to nearly every industry. Implementing the Cybersecurity Framework is voluntary, and the IoT framework is likely to be voluntary as well. While some have speculated that compliance with such frameworks might help companies reduce legal exposure by serving as evidence of the company’s due care, the legal benefits of adopting such frameworks are not yet clear. Companies should take technical, legal, and financial considerations into account when determining the extent to which frameworks can or should be implemented.
The IoT framework is a product of NIST’s Cyber-Physical Systems Public Working Group, an open forum for industry, academia, government, and members of the public, and is guided by NIST. The framework is a work in progress, and commentators expect that it will only become effective after several more drafts. The working group’s next live workshop is April 7-8, 2015, in Gaithersburg, Maryland. The workshop is free and open to anyone who registers here.
Reporter, Tom Randall, New York, +1 212 556 2195, trandall@kslaw.com.
