• by Chase Martin , December 6, 2016

One of the top government agencies has a program designed to secure the Internet of Things, but plans to hold off until next year before moving forward.

In addition to researching and establishing IoT security best practices like the guidelines outlined by other agencies, the FCC’s Cybersecurity Risk Reduction Program Plan also would put in place a certification process for IoT device manufacturers.

“The commission’s proposal for a device certification process, either by the agency or through industry self-certification, deserves strong consideration,” Mark Warner, senator of Virginia, said in a statement.

“Similarly, the FCC’s suggestion of consumer labeling requirements echoes the call by many security experts for metrics that will empower and educate consumers.”

The plan was outlined and attached alongside a letter from FCC chairman Tom Wheeler to Virginia senator Mark Warner this week in response to an inquiry about the recent IoT-driven cyberattacks.

“Commission staff have been actively examining cyber challenges presented by today’s end-to-end Internet environment,” Wheeler said.

“This environment is fundamentally different, and more challenging than the legacy telecommunications security environment that we’ve managed risks under for decades.”

On the regulatory side, the idea would be to build from the device certification process currently in place for smartphone manufacturers, according to Wheeler. The FCC would also generally explore and establish regulations to address security risks that otherwise would not be addressed through market-based solutions, such as general guidelines.

Another element of the plan is to work with the Broadband Technical Advisory Group, which recently released its own set of guidelines for securing IoT devices. Some of those recommendations include designing IoT devices to be able to remain functional when Internet and cloud service connection is interrupted.

The Department of Homeland Security also recently issued its own IoT security principles, which include device manufacturers enabling security measures by default and deliberately limiting some connectivity within devices.  

This plan is currently on hold until the administration changes early next year.

“While we have had to postpone some of the next steps in this combined approach in light of the impending change in Administrations, addressing IoT threats remains a National imperative and should not be stalled by the normal transition of a new president,” Wheeler said.