New IoT Security Guidelines Issued by DHS

A set of strategic principles was issued by the US Department of Homeland Security regarding Internet of Things (IoT) security. The guidelines promote transparency between IoT manufacturers, service providers and consumers through “coordinated disclosure of vulnerabilities.” “Securing the IoT has become a matter of homeland security,” said a DHS statement. Connected technologies encompass many aspects, from self-driving cars to control systems that deliver water and power.

The DHS stressed that manufacturers have their own role to play in IoT security by incorporating it into the design phase, advancing security updates and vulnerability management, and prioritizing security measures according to potential impact.

“Failing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs or product recall costs,” the DHS said in its guidelines. “While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply.”

The DHS said that its principles were designed not only for IoT manufacturers, but also for IoT developers, industrial and business-level consumers, and service providers who implement services through devices.

The agency also noted that focusing on security as a feature of IoT gives manufacturers and service providers an opportunity for market differentiation.

The DHS also stressed the significance of maintaining transparency across the Internet of Things, stating that developers and manufacturers need to know their supply chain, including what their hardware and software components are and whether there are any vulnerabilities.

On the consumer end, the DHS advised that customers connect their IoT devices carefully and deliberately: “IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.”

M.CRN.com cites Luis Alvarez, president and CEO of Alvarez Technology Group, a solution provider, saying that recognizing the security weaknesses in IoT devices is a good start but more needs to be done to ensure that manufacturers and developers keep security top of mind. “To be sure, it’s great that the government recognizes that there is a huge security weakness in the current development of IoT technologies and those vulnerabilities can and will present problems to our nation,” he said. “The challenge, of course, is that as it currently stands ‘security’ is optional and until that changes, IoT developers will take the path of least resistance to get a minimally viable product out to the market. The DHS guidelines don’t really offer any revolutionary insights and are more a set of best practices that will be familiar to any security professional.”

Assistant Secretary for Cyber Policy Robert Silvers said in the DHS statement: “Today is a first step. We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon. These principles will initiate longer-term collaboration between government and industry. Together we will work to develop solutions to address the resilience of the Internet of Things so that we can continue to benefit from the remarkable innovation that is driving our increasingly-connected world.”