On Tuesday Nov. 15, the U.S. Department of Homeland Security (DHS) published a set of guidelines for developers, manufacturers, service providers, and industrial consumers of IoT devices, called “Strategic Principles for Securing the Internet of Things.”
Noting that “the time to address IoT security is right now,” the document comes less than a month after a stunning reminder of the importance of IoT security: the Dyn attack, in which hackers used thousands of internet-connected devices around the world to launch a distributed denial of service (DDoS) attack that caused internet outages for major sites, including Twitter, Netflix and PayPal.
The DHS said its purpose in publishing a set of non-binding principles was to equip stakeholders with “suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.” Here are the key principles outlined in the 17-page document:
1) Incorporate Security at the Design Phase
2) Advance Security Updates and Vulnerability Management
3) Build on Proven Security Practices
4) Prioritize Security Measures According to Potential Impact
5) Promote Transparency across IoT
6) Connect Carefully and Deliberately
Some key points included:
Among the best practices DHS encouraged:
The DHS also supported end-of-life (EOL) strategies for devices and encouraged transparency as a means of fending off attacks on IoT systems.
On EOL strategy for devices, the document noted: “Not all IoT devices will be indefinitely patchable and updateable. Developers should consider product sunset issues ahead of time and communicate to manufacturers and consumers expectations regarding the device and the risks of using a device beyond its usability date.”
On transparency, the DHS said, “Where possible, developers and manufacturers need to know their supply chain, namely, whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization.” As an IoT Platform provider, Arrayent knows it is critical for our partners to be able to identify and accurately assess the level of security built into component parts when developing and deploying connected devices.
We applaud this first DHS effort at creating design principles for one of the most important topics in the IoT industry. We also support and encourage adherence to this initial set of IoT security principles and agree we, as an industry, must put security first if we are all to be successful.