Department Of Homeland Security Issues IoT Guidelines, Seeks 'Coordinated Disclosure Of Vulnerabilities'
The Department of Homeland Security Tuesday released new guidelines surrounding Internet of Things security, promoting transparency between IoT manufacturers, service providers and consumers through "coordinated disclosure of vulnerabilities."
The DHS stressed that manufacturers have their own role to play in IoT security by incorporating it into the design phase, advancing security updates and vulnerability management, and prioritizing security measures according to potential impact.
"Failing to design and implement adequate security measures could be damaging to the manufacturer in terms of financial costs, reputational costs or product recall costs," the DHS said in its guidelines. "While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply."
The issue of Internet of Things security was thrust into the spotlight after a denial-of-service attack was launched in late October through IoT consumer devices, including webcams, routers and video recorders.
The attack overwhelmed servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. Manufacturer Hangzhou Xiongmai later said it would recall the web cameras that use its circuit board and other components, which were among the many devices used in the attack.
Luis Alvarez, president and CEO of Alvarez Technology Group, a Salinas, Calif.-based solution provider, said that recognizing the security weaknesses in IoT devices is a good start but more needs to be done to ensure that manufacturers and developers keep security top of mind.
"To be sure, it's great that the government recognizes that there is a huge security weakness in the current development of IoT technologies and those vulnerabilities can and will present problems to our nation," he said. "The challenge, of course, is that as it currently stands 'security' is optional and until that changes, IoT developers will take the path of least resistance to get a minimally viable product out to the market. The DHS guidelines don't really offer any revolutionary insights and are more a set of best practices that will be familiar to any security professional."
The DHS said that its principles were designed not only for IoT manufacturers, but also for IoT developers, industrial and business-level consumers, and service providers who implement services through devices.
The agency also noted that focusing on security as a feature of IoT gives manufacturers and service providers an opportunity for market differentiation. Solution providers, for their part, agreed, stressing that channel partners can play a large role in securing IoT devices for their customers.
"People are in denial. You'd think there'd be more receptivity to talking about this. We still need to evangelize that this is important," said Marc Harrison, president of Silicon East, a Manalapan, N.J.-based solution provider. "Whether it's in your home or a business, it's our job as the experts to surround IoT products with security and isolate the product so if it is compromised, the collateral damage to other networks is minimized."
The DHS also stressed the significance of maintaining transparency across the Internet of Things, stating that developers and manufacturers need to know their supply chain, including what their hardware and software components are and whether there are any vulnerabilities.
On the consumer end, the DHS advised that customers connect their IoT devices carefully and deliberately: "IoT consumers, particularly in the industrial context, should deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption."