The Department of Homeland Security (DHS) released a set of principles last month to help organizations as they work to ensure Internet of Things (IoT) security through the process of creating and then using connected devices.
Titled “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” the guidance is designed to assist stakeholders as they develop, manufacture, implement, or use network-connected devices, DHS explained in a statement.
“The growing dependency on network-connected technologies is outpacing the means to secure them,” Secretary of Homeland Security Jeh Johnson said. “We increasingly rely on functional networks to advance life-sustaining activities, from self-driving cars to the control systems that deliver water and power to our homes. Securing the Internet of Things has become a matter of homeland security.”
Johnson added that the guidance is an important step forward that will help companies “make informed security decisions.”
IoT risk mitigation is a constantly evolving and shared responsibility between the government and the private sector, the DHS report authors wrote. Companies and consumers are typically responsible for making their own decisions about the security features of the products they use and buy. The government’s role, typically, is to provide the necessary tools and resources so all stakeholders can make informed IoT security decisions.
DHS recommended a key focus on the following six areas to ensure comprehensive IoT security:
- Incorporate security at the design phase
- Advance security updates and vulnerability management
- Build on proven security practices
- Prioritize security measures according to potential impact
- Promote transparency across IoT
- Connect carefully and deliberately
Assistant Secretary for Cyber Policy Robert Silvers reiterated in a statement that the principles were an important first step.
“We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon,” Silvers said. “These principles will initiate longer-term collaboration between government and industry. Together we will work to develop solutions to address the resilience of the Internet of Things so that we can continue to benefit from the remarkable innovation that is driving our increasingly-connected world.”
DHS noted in the guidance that there is not a one-size-fits-all approach to IoT security and mitigating the associated risks. The principles should be adapted and applied through a risk-based approach, taking relevant business contexts into account. Furthermore, particular threats and consequences that may occur from incidents involving connected devices or services should also be considered.
“Our nation cannot afford a generation of IoT devices deployed with little consideration for security,” DHS concluded in the guidance. “The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy.”
These principles could also be applied to healthcare organizations that are utilizing IoT and other connected devices. The continued push for nationwide interoperability has helped fuel the growth of IoT, but it has also created more potential outlets for cyberattacks.
In November 2016, the Subcommittee on Commerce, Manufacturing, and Trade met to discuss recent cybersecurity attacks and how the scope of the threats and vulnerabilities presented by connected devices needs to be examined.
“We have learned about a number of best practices, and standards-setting projects are ongoing with various groups,” CMT Subcommittee Chairman Michael C. Burgess, M.D., said in his opening statement. “We are facing exciting growth in the connected device industry, but we also need to see meaningful leadership from industry about how to address these challenges.”
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) also submitted a letter to the subcommittee, warning members of Congress about the health data security and privacy threats stemming from networked medical devices.
“A more proactive policy management process is vital for healthcare organizations,” the joint letter stated. “Viewing security as a component of safety and efficacy of device functions is necessary to keep pace with these variable threats.”