DHS Releases Strategic Principles for Security of the Internet of Things

Locke Lord LLP
Contact
LinkedIn
Facebook
X
Send
Embed

On November 15, 2016 the U.S. Department of Homeland Security released its Strategic Principles for Security of the Internet of Things (IoT) (the “Strategic Principles”). DHS recognizes that rapid innovation in the IoT may provide tremendous benefits, but that “IoT security, . . . has not kept up with the rapid pace of innovation and deployment, creating substantial safety and economic risks.” The Strategic Principles are designed to explain risks and suggest best practices “to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.”

The Strategic Principles speak to an audience of IoT stakeholders, comprised of IoT developers, IoT manufacturers, service providers dependent on IoT and industrial and business-level consumers. According to DHS, IoT stakeholders should, as applicable:

  • incorporate security at the design phase and enable security-by-default, to allow for increased security and avoid unnecessary costs of fixing problems later;
  • promote security updates and vulnerability management, including use of automation to provide updates and patches seamlessly;
  • building on recognized security practices, including security for software design as well as sector-specific guidance;
  • prioritize security controls and other measures according to potential impact, taking into account:
    • practical considerations, such as the intended environment for an IoT device’s use; and
    • “red teaming” to assess the threat level posed by more serious risks;
  • promote transparency across IoT design and implementation, including full life cycle and evaluation of third-party practices; and
  • connect carefully and deliberately, considering whether and how:
    • users should be advised of the purpose of IoT connections; and
    • additional controls should be included to address the existing and foreseen connection possibilities.

Consistent with the objectives of the Strategic Principles, DHS indicates that policymakers need to continue to evaluate and understand risks and to work on incentives for appropriately securing the IoT. Like the NIST Cybersecurity Framework, the Strategic Principles are not intended to provide strict requirements, but  instead to provide “a risk-based approach that takes into account relevant business contexts.” Although standard-setting and regulatory efforts for the IoT are still in their infancy, the Strategic Principles provide helpful insights and framework for IoT stakeholders.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP
Locke Lord LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide