DHS Releases Principles for Securing Internet of Things

Categories: IoT / Connected Products

The Department of Homeland Security issued guidance for securing the Internet of Things.

In-brief: a little more than a month after revealing that it was working on guidelines for securing The Internet of Things, the Department of Homeland Security (DHS) on Tuesday published a set of what it calls “strategic principles” for IoT security.

A little more than a month after revealing that it was working on guidelines for securing The Internet of Things, the Department of Homeland Security (DHS) on Tuesday published a set of what it calls “strategic principles” for IoT security.

Warning that “security is not keeping up with the pace of innovation” and warning about increasingly integrated network connections into the U.S.’s critical infrastructure, DHS said it is promoting “suggested practices to fortify the security of the IoT” including security as a design-time priority, risk based assessments to prioritize security measures and patching and “transparency” as a means of fending off attacks on Internet of Things systems.

“The growing dependency on network-connected technologies is outpacing the means to secure them,” said Secretary of Homeland Security Jeh Johnson, AP reported. “We increasingly rely on functional networks to advance life-sustaining activities, from self-driving cars to the control systems that deliver water and power to our homes. Securing the Internet of Things has become a matter of homeland security. The guidance we issued today is an important step in equipping companies with useful information so they can make informed security decisions.”

The guidelines are the latest from a federal government agency regarding Internet of Things security. They have been months in the making. In an interview with The Security Ledger in September, DHS Assistant Secretary of Cyber Policy Robert Silvers said the guidelines were recognition that “the Internet of Things is a full-blown phenomenon.”“We think everyone: government industries and consumers need to get serious about reasonable security being built into IoT devices. And we need to do it now before we’ve deployed an entire ecosystems,” he said.

Silvers presented an early version of the standards at The Security of Things Forum in Cambridge, Massachusetts on September 22.

In a statement, DHS said the purpose of the principles is to provide “stakeholders with tools to account for security as they develop, manufacture, implement, or use network-connected devices.”  The guidelines are intended to “motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems,” DHS said.

The DHS guidelines track closely to other private and public sector guidance. Developers are urged to incorporate security into the design of their product. Security “should be evaluated as an integral component of any network-connected device,” DHS said.

Connected products need advanced security update and vulnerability management features so that they can be patched after they are deployed. The lack of a secure and remote update capability has proven to be a major obstacle in many industries and in critical infrastructure sectors.

Connected device makers are urged to take a page from the work of others: embracing well established and proven methodoligies for designing secure products and prioritizing security according to risk and potential impact.”Focusing on the potential consequences of disruption, breach or malicious activity is … critical for determining where in the IoT ecosystem particular security efforts should be directed,” DHS said in its guidelines.

Finally, developers are urged to limit the connections that their devices make – connecting ‘carefully and deliberately.’ At the same time, product developers need to promote “transparency across the IoT,” delving into the source and quality of the software and hardware that make up their devices. “Increased awareness can help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies,” DHS said.

“Today is a first step,” said Assistant Secretary for Cyber Policy Robert Silvers. “We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon. These principles will initiate longer-term collaboration between government and industry. Together we will work to develop solutions to address the resilience of the Internet of Things so that we can continue to benefit from the remarkable innovation that is driving our increasingly-connected world.”

This post originally appeared on November 16, 2016 on The Security Ledger by Paul Roberts, Editor-in-Chief and founder.

Paul Roberts

Paul Roberts is the Publisher and Editor in Chief of The Security Ledger (securityledger.com), an independent security news website that explores the intersection of cyber security with the Internet of Things. He is also the Founder of The Security of Things Forum, an information security conference.

Paul is a seasoned reporter, editor and industry analyst with more than a decade of experience covering the information technology security space. His writing about cyber security has appeared in publications including The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s™ Marketplace Tech Report and The Oprah Show.

Prior to launching Security Ledger, Paul  worked as a Senior Analyst in The 451 Group’s™ Enterprise Security Practice.  He has held positions as a senior writer and editor at noted industry publications including Threatpost.com, Infoworld.com and Ziff Davis’s eWeek.com and The IDG News Service.

Paul lives outside Boston with his wife and three daughters. His hobbies include running, swimming, gardening and local politics.


Leave a Reply