On November 15, 2016 the U.S. Department of Homeland Security released its Strategic Principles for Security of the Internet of Things (IoT) (the “Strategic Principles”). DHS recognizes that rapid innovation in the IoT may provide tremendous benefits, but that “IoT security, . . . has not kept up with the rapid pace of innovation and deployment, creating substantial safety and economic risks.” The Strategic Principles are designed to explain risks and suggest best practices “to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.”
The Strategic Principles speak to an audience of IoT stakeholders, comprised of IoT developers, IoT manufacturers, service providers dependent on IoT and industrial and business-level consumers. According to DHS, IoT stakeholders should, as applicable:
- incorporate security at the design phase and enable security-by-default, to allow for increased security and avoid unnecessary costs of fixing problems later;
- promote security updates and vulnerability management, including use of automation to provide updates and patches seamlessly;
- build on recognized security practices, including security for software design as well as sector-specific guidance;
- prioritize security controls and other measures according to potential impact, taking into account:
  - practical considerations, such as the intended environment for an IoT device’s use; and
  - “red teaming” to assess the threat level posed by more serious risks;
- promote transparency across IoT design and implementation, including full life cycle and evaluation of third-party practices; and
- connect carefully and deliberately, considering whether and how:
  - users should be advised of the purpose of IoT connections; and
  - additional controls should be included to address the existing and foreseen connection possibilities.
Consistent with the objectives of the Strategic Principles, DHS indicates that policymakers need to continue to evaluate and understand risks and to work on incentives for appropriately securing the IoT. Like the NIST Cybersecurity Framework, the Strategic Principles are not intended to impose strict requirements, but instead to provide “a risk-based approach that takes into account relevant business contexts.” Although standard-setting and regulatory efforts for the IoT are still in their infancy, the Strategic Principles provide helpful insights and a framework for IoT stakeholders.