After recently announcing its plans to develop IoT security guidelines, the U.S. Department of Homeland Security (DHS) just released its Strategic Principles for Securing the Internet of Things.
The guidelines come after a series of IoT-related cyberattacks in the U.S. and other countries. In these attacks, an attacker gained control of more than a million network-connected devices to form the largest botnets in history, which were then used to target and disrupt servers.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” said Jeh Johnson, secretary of Homeland Security.
“Securing the Internet of Things has become a matter of homeland security. The guidance we issued today is an important step in equipping companies with useful information so they can make informed security decisions.”
Many security professionals, as well as DHS, have noted that most of the compromised IoT devices were accessed using the manufacturer’s default username and password, not complex hacking.
As a result, one of the practices DHS suggests is to ‘enable security by default through unique, hard to crack default usernames and passwords.’
Pointing to this area of security vulnerability in the context of the recent Botnet attacks, DHS urges that strong security in IoT devices should not require additional action to turn on, but instead should require intentional additional action to be disabled.
Here are the principles set out by DHS for securing the Internet of Things:
These guidelines, however, are just that. They are not legally required, but are intended more to be used as suggested practices for IoT product developers and manufacturers, service providers and industrial and business-level consumers, according to DHS.
“We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon,” said Robert Silvers, assistant secretary for cyber policy.
“These principles will initiate longer-term collaboration between government and industry.”
This is where strategic government regulation could be a very good thing. But the FCC should likely join the fray by going beyond mere suggestions to actual requirements for IoT devices sold within the States, especially given the proliferation of cheap, unsecured connected media, home automation and other devices.
I have lengthy comments at http://gfacr.org/2016/11/16/internet-things-dhs/
This is a good start, but it is not reasonable to start in the design phase. We must start in the strategy phase and include collaboration Whittington and externally. This was written by too small a group of people and needs to address business value. Please contact me if you are interested in collaborating about this.