The Department of Homeland Security (DHS) has published non-binding principles and best practices to help businesses work through key Internet-of-Things (IoT) security issues. Entitled “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” the principles seek to provide stakeholders with tools to account for security as they develop, manufacture, implement, or use network-connected devices. The guidance is in line with DHS’ mission to secure cyberspace, protect critical infrastructure, and ensure public safety. A summary of the principles follows.
- Incorporate security at the design phase: Security should be evaluated as an integral component of any network-connected device. Enable security by default; build the device using the most recent operating system and with hardware that incorporates security features. Design the product with system and operational disruption in mind.
- Promote security updates and vulnerability management: Mitigate security vulnerabilities after product deployment through patching, security updates, and vulnerability management strategies. Develop automated mechanisms for addressing vulnerabilities, and develop a policy regarding the coordinated disclosure of vulnerabilities.
- Build on recognized security practices: Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways. Refer to relevant sector-specific guidance, practice defense in depth, and participate in information-sharing programs.
- Prioritize security measures according to potential impact: Recognize that risk models differ substantially across the IoT ecosystem and inform where security efforts should be directed. Identify and authenticate devices connected to the network, especially for industrial consumers and business networks. Perform a “red-teaming” exercise, where developers actively try to bypass the security measures needed at the application, network, data, or physical layers.
- Promote transparency across IoT: Determine whether vulnerabilities exist in the software and hardware components provided by vendors outside the organization. Conduct end-to-end risk assessments that account for both internal and third-party vendor risks. Consider developing a bug bounty program and a software bill of materials.
- Connect carefully and deliberately: Consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption. Advise IoT consumers on the intended purpose of any network connections. Build in controls to enable selective connectivity. Note that this principle departs from the FTC’s guide, “Start with Security: A Guide for Businesses”. DHS notes that while it may be convenient to have continuous network access, it may not be necessary for the purpose of the device and may invite vulnerability.
In the press release announcing the guidance, Secretary of Homeland Security Jeh Johnson emphasized the importance of data security in the IoT space: “The growing dependency on network-connected technologies is outpacing the means to secure them. Securing the Internet of Things has become a matter of homeland security. Th[is] guidance  is an important step in equipping companies with useful information so they can make informed security decisions.”