U.S. Issues Guidelines For IoT Security

After recently announcing its plans to develop IoT security guidelines, the U.S. Department of Homeland Security (DHS) just released its Strategic Principles for Securing the Internet of Things.

The guidelines come after a series of IoT-related cyberattacks in the U.S. and other countries. In these attacks, an attacker gained control of more than a million network-connected devices to form the largest botnets in history, which were then directed to target and disrupt servers.

“The growing dependency on network-connected technologies is outpacing the means to secure them,” said Jeh Johnson, secretary of Homeland Security.  

“Securing the Internet of Things has become a matter of homeland security. The guidance we issued today is an important step in equipping companies with useful information so they can make informed security decisions.”

Many security professionals, as well as DHS, have noted that most of the compromised IoT devices were accessed using the manufacturer’s default username and password, not complex hacking.

As a result, one of the practices DHS suggests is to ‘enable security by default through unique, hard to crack default usernames and passwords.’

Pointing to this area of security vulnerability in the context of the recent Botnet attacks, DHS urges that strong security in IoT devices should not require additional action to turn on, but instead should require intentional additional action to be disabled.

Here are the principles set out by DHS for securing the Internet of Things:

  • Incorporate security at the design phase
  • Advance security updates and vulnerability management
  • Build on proven security practices
  • Prioritize measures according to potential impact
  • Promote transparency across the Internet of Things
  • Connect carefully and deliberately

These guidelines, however, are just that. They are not legally required, but are intended more to be used as suggested practices for IoT product developers and manufacturers, service providers and industrial and business-level consumers, according to DHS.

“We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon,” said Robert Silvers, assistant secretary for cyber policy.

“These principles will initiate longer-term collaboration between government and industry.”

2 comments about "U.S. Issues Guidelines For IoT Security".
  1. Jason Anderson from Lucky Rock Media, November 20, 2016 at 12:06 p.m.

    This is where strategic government regulation could be a very good thing.  But the FCC should likely join the fray by going beyond mere suggestions to actual requirements for IoT devices sold within the States, especially given the proliferation of cheap, unsecured connected media, home automation and other devices.

  2. Charlie Tupitza from Global Forum for Advanced Cyber Resilience, November 27, 2016 at 8:39 p.m.

    I have lengthy comments at http://gfacr.org/2016/11/16/internet-things-dhs/
    This is a good start but it is not reasonable to start in the design phase. We must start in the strategy phase and include collaboration within and externally. This was written by too small a group of people and needs to address business value. Please contact me if you are interested in collaborating about this.
