Managing Cybersecurity and Privacy Risk for Smart Public Safety IoT Devices and Systems

From OpenCommons
Jump to navigation Jump to search

Managing Cybersecurity and Privacy Risk for Smart Public Safety IoT Devices and Systems
Considerations for managing IoT.png
Considerations for managing Internet of Things (IoT) cybersecurity and privacy risks
Team Organizations NIST
Team Leaders Lan Jenson
Participating Municipalities San Jose CA
Sectors Cybersecurity and Privacy
Status Concept only Stage
Last Updated December 10, 2023


This use case provides a notional approach to address cybersecurity and privacy risks related to incorporating IoT in smart public safety applications. This use case posits some of the major activities, key stakeholders, and potential resources for each step of the cybersecurity and privacy risk management process. A key element of Smart Cities is smart public safety. Smart public safety starts with traditional public safety agencies - namely fire, law enforcement, emergency medical services, and 911 call centers - that would like to add IoT devices as another means of communication between first responders and between the first responders and the 911 dispatch centers. Public safety agencies are already starting to use body-worn devices (e.g., cameras and biometric sensors). During the incident operations, IoT data from sensors and other real-time devices can increase situational awareness and aid in incident command and control.

Step 0: Prepare

In smart public safety, public safety agencies themselves could be responsible for cybersecurity and privacy; alternatively, they could be partnering with IT or information security organizations (e.g., Department of Information Technology). In most states in the U.S., the state legislature authorizes and appropriates funds based on an authorized scope. The IT organization will often have a cybersecurity and privacy strategy that includes using one or more of the risk management frameworks, or elements thereof.

For this use case we are assuming that we are using the NIST RMF, which has been detailed in this Guidebook. There are also existing statewide security policies; but they do not allow connected IoT devices until risk management security capabilities have been defined, and devices provide the necessary capabilities to support the requisite cybersecurity and privacy controls.

It is the intention of this support for implementation of IoT cybersecurity and privacy to be funded by further State legislature appropriating funds for extending the risk management program for Smart Cities and smart public safety which includes usage of body worn devices and supporting vendor upgrades.

Step 1: Categorize The information types collected, processed, and transmitted by the wearable IoT devices are real-time video and sensor data. The systems and system components are categorized as critical information data, and that mandates that the systems and networks be of a public safety grade mission critical mode of operation. Public Safety Grade cybersecurity and privacy policies and standards have been described for normal mobile devices, but corresponding policies and standards for IoT-based devices still need to be defined.

Step 2: Select NIST RMF-based cybersecurity and privacy controls have been selected for IT systems security controls. Additional cybersecurity and privacy controls for IoT would follow the NISTIR 8196 and NISTIR 8228 and the new, example (12) security controls and (4) privacy controls.

NISTIR 8196: Security Analysis of First Responder Mobile and Wearable Devices NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

No additional controls beyond those proposed in NISTIR 8196 and NISTIR 8228 have been identified. No tailoring of controls has been done as the IT Department wants to identify and implement a standardized and consistent (i.e., baseline) set of security control. This may change as the implementation of IoT devices is better defined.

Step 3: Implement

Cybersecurity and privacy requirements from NIST SP 800-37 Rev. 2, NIST SP 800-39, NIST SP 800-53 Rev. 4, NISTIR 8196, NISTIR 8228, and other documents were used to generate specific device security capabilities requirements that support and enable the selected cybersecurity and privacy controls.

The chosen vendor solution supports a shared operational model for the operational Security Operation Center (SOC) using security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities. Many of the RMF functions supported by IT Department are used in support of these new IoT devices, networks, and applications.

It is anticipated that the security operations center (SOC) will implement the tools and capabilities necessary to ensure that the IoT device security capabilities are leveraged to implement the selected security controls from NIST SP 800-53 and NISTIR 8228.

Step 4: Assess

The Security Operations Center mitigation and monitoring personnel have the responsibility for proper implementation and operation of the selected cybersecurity and privacy controls. The SOC is staffed by IT/IoT cybersecurity analysts and then vendor specialists. There is an agreement in place that clarifies the shared or dedicated tasks.

Step 5: Authorize


Step 6: Monitor

The Chief Risk Officer (CRO) and team are responsible to work with the SOC to understand how well the risk management program is working.