The U.S. National Institute of Standards and Technology (NIST) has noted a rising convergence between operational technology (OT) and information technology (IT). This trend is driven by the growth of the Internet of Things (IoT) and the increasing connection of previously isolated equipment to the internet.
OT includes programmable systems that interact with or control physical environments. Examples include industrial control systems (ICS), building automation, transportation networks, access control, and systems that monitor physical conditions. These systems often have long lifecycles, can be hard to access physically, and are now more frequently connected to wider networks instead of operating in isolation.
NIST points out that merging IT and OT creates opportunities for new features. IoT devices can offer traditional OT functions combined with IT capabilities such as data storage and transmission. Internet connectivity enables added IoT functions like remote equipment management and more precise control through continuous monitoring.
However, this connectivity brings cybersecurity challenges. While OT equipment may use modern networking such as Ethernet or Wi-Fi, it is usually not designed to be connected to the internet. Additionally, OT and IoT systems prioritize trustworthiness differently than traditional IT equipment, weighing safety, resiliency, availability, and cybersecurity in their own ways. This can complicate the implementation of security controls.
Though IoT devices sometimes replace OT equipment, they often introduce broader or different functionalities. Organizations must carefully assess these changes before making replacements.
NIST advises organizations to consider how trustworthiness aspects like safety, privacy, and resiliency influence their cybersecurity strategies. They should also manage differences in expected lifespans between IT, OT, and IoT systems and their components.
Federal agencies are actively adopting IoT technologies to improve connectivity, security, environmental monitoring, transportation, healthcare, and industrial automation. IoT-enabled security systems—including AI-powered cameras, sensor networks, and automated alerts—are improving safety, disaster readiness, and energy efficiency in government facilities. IoT also enhances data center monitoring by tracking power stability, humidity, and flood risks.
Some agencies deploy large numbers of environmental IoT sensors to monitor air and water quality. This data supports scientific research, conservation efforts, and regulatory policy. Other agencies are developing earthquake early warning systems that use real-time sensors to detect seismic activity and send public alerts.
In light of these developments and the 2020 Cybersecurity Improvement Act—which mandates regular updates to IoT cybersecurity guidelines for federal agencies—NIST is reviewing its 2021 publication, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements (SP 800-213). NIST plans to revisit and possibly revise this guidance every five years.
NIST has asked federal agencies to provide feedback on several key issues:
- How to address IoT devices that rely on other components to function effectively.
- Whether risk assessment guidelines in SP 800-213 should be updated to reflect the complex architectures of IoT products.
- The potential value of new catalogs describing technical capabilities for additional IoT components beyond those currently covered.
- What types of guidelines would best serve specific IoT product components, such as software and remote services.
Earlier this month, NIST released draft Special Publication 800-18r2, which focuses on developing system plans covering security, privacy, and Cybersecurity Supply Chain Risk Management (CSCRM) requirements based on enterprise and mission needs. The agency is inviting feedback on the draft’s technical accuracy, clarity, usability, and the impact of recent changes.