National Institute of Standards & Technology
NIST Issues Guidelines for Ensuring RFID Security
Gaithersburg, MD - Retailers, manufacturers, hospitals,
federal agencies and other organizations planning to use
radio frequency identification (RFID) technology to improve
their operations should also systematically evaluate the
possible security and privacy risks and use best practices
to mitigate them, according to a new report* from the
Department of Commerce's National Institute of Standards and
Technology (NIST).
"RFID tags, commonly referred to as smart tags, have the
ability to improve logistics, profoundly change cost
structures for business, and improve the current levels of
safety and authenticity of the international pharmaceutical
supply chain and many other industries," said Under
Secretary of Commerce for Technology Robert C. Cresanti.
"This important report lays the foundation for addressing
potential RFID security risks so that a thoughtful
enterprise can launch a smart tag program with confidence."
RFID devices send and/or receive radio signals to transmit
identifying information such as product model or serial
numbers. They come in a wide variety of types and sizes,
from the size of a grain of rice or printed on paper to much
larger devices with built-in batteries. Unlike bar coding
systems, RFID devices can communicate without requiring a
line of sight and over longer distances for faster batch
processing of inventory and can be outfitted with sensors to
collect data on temperature changes, sudden shocks, humidity
or other factors affecting products.
As RFID devices are deployed in more sophisticated
applications from matching hospital patients with laboratory
test results to tracking systems for dangerous materials,
concerns have been raised about protecting such systems
against eavesdropping and unauthorized uses.
"The goal of our report," according to lead author Tom
Karygiannis of NIST, "is to give organizations practical
ways in a structured format with checklists and specific
recommendations to address potential RFID security risks."
The new NIST publication focuses on RFID applications for
asset management, tracking, matching, and process and supply
chain control. Its list of recommended practices for
ensuring the security and privacy of RFID systems includes:
firewalls that separate RFID databases from an
organization's other databases and information technology
(IT) systems; encryption of radio signals when feasible;
authentication of approved users of RFID systems; shielding
RFID tags or tag reading areas with metal screens or films
to prevent unauthorized access; audit procedures, logging
and time stamping to help in detecting security breaches;
and tag disposal and recycling procedures that permanently
disable or destroy sensitive data.
NIST prepared the new report as part of its responsibilities
under the Federal Information Security Management Act of
2002 to help federal agencies provide adequate security for
their information technology systems. However, its
recommendations for selecting appropriate security controls
for RFID systems are likely to be useful to other types of
organizations as well.
Two case studies, one in a health care setting and one in a
supply chain setting, provide examples for identifying and
minimizing security risks throughout the various stages of
an RFID project.
The full report is available at:
http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf