DHS Releases Principles for Securing Internet of Things

The Department of Homeland Security issued guidance for securing the Internet of Things.
The Department of Homeland Security issued guidance for securing the Internet of Things.

In-brief: a little more than a month after revealing that it was working on guidelines for securing The Internet of Things, the Department of Homeland Security (DHS) on Tuesday published a set of what it calls “strategic principles” for IoT security.

A little more than a month after revealing that it was working on guidelines for securing The Internet of Things, the Department of Homeland Security (DHS) on Tuesday published a set of what it calls “strategic principles” for IoT security.

Warning that “security is not keeping up with the pace of innovation” and warning about increasingly integrated network connections into the U.S.’s critical infrastructure, DHS said it is promoting “suggested practices to fortify the security of the IoT” including security as a design-time priority, risk based assessments to prioritize security measures and patching and “transparency” as a means of fending off attacks on Internet of Things systems.

“The growing dependency on network-connected technologies is outpacing the means to secure them,” said Secretary of Homeland Security Jeh Johnson, AP reported. “We increasingly rely on functional networks to advance life-sustaining activities, from self-driving cars to the control systems that deliver water and power to our homes. Securing the Internet of Things has become a matter of homeland security. The guidance we issued today is an important step in equipping companies with useful information so they can make informed security decisions.”

The guidelines are the latest from a federal government agency regarding Internet of Things security. They have been months in the making. In an interview with The Security Ledger in September, DHS Assistant Secretary of Cyber Policy Robert Silvers said the guidelines were recognition that “the Internet of Things is a full-blown phenomenon.”“We think everyone: government industries and consumers need to get serious about reasonable security being built into IoT devices. And we need to do it now before we’ve deployed an entire ecosystems,” he said.

Silvers presented an early version of the standards at The Security of Things Forum in Cambridge, Massachusetts on September 22.

In a statement, DHS said the purpose of the principles is to provide “stakeholders with tools to account for security as they develop, manufacture, implement, or use network-connected devices.”  The guidelines are intended to “motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems,” DHS said.

The DHS guidelines track closely to other private and public sector guidance. Developers are urged to incorporate security into the design of their product. Security “should be evaluated as an integral component of any network-connected device,” DHS said.

Connected products need advanced security update and vulnerability management features so that they can be patched after they are deployed. The lack of a secure and remote update capability has proven to be a major obstacle in many industries and in critical infrastructure sectors.

Connected device makers are urged to take a page from the work of others: embracing well established and proven methodoligies for designing secure products and prioritizing security according to risk and potential impact.”Focusing on the potential consequences of disruption, breach or malicious activity is … critical for determining where in the IoT ecosystem particular security efforts should be directed,” DHS said in its guidelines.

Finally, developers are urged to limit the connections that their devices make – connecting ‘carefully and deliberately.’ At the same time, product developers need to promote “transparency across the IoT,” delving into the source and quality of the software and hardware that make up their devices. “Increased awareness can help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies,” DHS said.

“Today is a first step,” said Assistant Secretary for Cyber Policy Robert Silvers. “We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon. These principles will initiate longer-term collaboration between government and industry. Together we will work to develop solutions to address the resilience of the Internet of Things so that we can continue to benefit from the remarkable innovation that is driving our increasingly-connected world.”

Source: In world of internet-enabled things, US says security needed