US Department of Homeland Security Issues Principles for Securing the Internet of Things

On Tuesday, Nov. 15, the U.S. Department of Homeland Security (DHS) published a set of guidelines for developers, manufacturers, service providers, and industrial consumers of IoT devices, called “Strategic Principles for Securing the Internet of Things.”

Noting that “the time to address IoT security is right now,” the document comes less than a month after a stunning reminder of the importance of IoT security: the Dyn attack, where hackers used thousands of internet-connected devices around the world to launch a distributed denial of service (DDoS) attack that caused outages at major sites, including Twitter, Netflix and PayPal.

The DHS said its purpose in publishing a set of non-binding principles was to equip stakeholders with “suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.” Here are the key principles outlined in the 17-page document:
Strategic Principles for Securing the Internet of Things
1) Incorporate Security at the Design Phase

2) Advance Security Updates and Vulnerability Management

3) Build on Proven Security Practices

4) Prioritize Security Measures According to Potential Impact

5) Promote Transparency across IoT

6) Connect Carefully and Deliberately

Some key points included:

  • Security should be evaluated as an integral component of any network-connected device
  • Deliberate consideration should be given as to whether continuous connectivity is needed given the use of the IoT device
  • An assessment of risks associated with potential disruption should guide prioritization of security measures

Among the best practices DHS encouraged:

  • Ensure security settings are turned on by default
  • Require unique passwords for each device
  • Build devices using the most recent operating system that is technically viable and economically feasible
  • Use hardware/chips that incorporate security
  • Allow patches to be sent over the air so manufacturers can fix vulnerabilities remotely and users don’t have to update their devices themselves

The DHS also supported end-of-life (EOL) strategies for devices and encouraged transparency as a means of fending off attacks on IoT systems.

In terms of an end-of-life (EOL) strategy for devices, the document noted: “Not all IoT devices will be indefinitely patchable and updateable. Developers should consider product sunset issues ahead of time and communicate to manufacturers and consumers expectations regarding the device and the risks of using a device beyond its usability date.”

On transparency, the DHS said, “Where possible, developers and manufacturers need to know their supply chain, namely, whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization.” As an IoT Platform provider, Arrayent knows it is critical for our partners to be able to identify and accurately assess the level of security built into component parts when developing and deploying connected devices.

We applaud this first DHS effort at creating design principles for one of the most important topics in the IoT industry. We also support and encourage adherence to this initial set of IoT security principles and agree we, as an industry, must put security first if we are all to be successful.

For more about how Arrayent has helped the world’s most trusted brands launch connected products and get closer to their customers, contact us here,
or at