The Department of Homeland Security (DHS) on Nov. 15 released its initial version of suggestions for embedding cyber security into the proliferating mass of internet-connected products, devices and systems commonly called the Internet of Things (IoT).
The Strategic Principles for Securing the Internet of Things, Version 1.0, provides approaches, tools and best practices to better secure these myriad products so that stakeholders can make more informed and risk-based decisions as they design, manufacture and use systems connected to the Internet.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” Homeland Security Secretary Jeh Johnson said in a statement. “We increasingly rely on functional networks to advance life-sustaining activities, from self-driving cars to the control systems that deliver water and power to our homes. Securing the Internet of Things has become a matter of homeland security.”
The 17-page document of strategic principles points to the growing importance of IoT devices in everyday life, adding that “The promise offered by IoT is almost without limit.”
The strategic principles are non-binding and essentially follow the path DHS and the Obama Administration have taken toward promoting greater cyber security awareness and practices within the federal government and privately owned critical infrastructure by making common-sense recommendations based on existing practices.
The strategic principles include incorporating security at the design phase of products and systems, providing security updates and vulnerability management throughout the life cycle of a product, building on proven security practices, using risk models to prioritize security measures based on potential consequences, promoting transparency across the IoT by enhancing awareness throughout the supply chain of potential vulnerabilities, and connecting a device to the Internet carefully and deliberately.
“Today is a first step,” Robert Silvers, assistant secretary for Cyber Policy at DHS, said in a statement. “We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon. These principles will initiate longer-term collaboration between government and industry” resulting in a more resilient IoT.
This fall, malware called Mirai was used in a large distributed denial-of-service attack against the cyber security blogger Brian Krebs, who hosts a popular blogging site, www.krebsonsecurity.com. The Mirai botnet was found on IoT devices.