On May 15, the Department of Homeland Security released its cybersecurity strategy. The strategy puts forward a sensible, risk-based approach to resilient security, including strong, consistent themes around the use of security best practices, effective response, and information sharing and collaboration. However, the actual effectiveness of the strategy will be determined when the objectives turn into actions and there is more “meat on the bone.”
There are, however, a few areas of the recently announced DHS strategy in which the additional level of detail will be the difference maker when it comes to the internet of things.
Enhancing cybersecurity of IoT products
Improving the security of IoT products is crucial. Countless devices, particularly in the consumer space, lack basic security, simply because neither sellers nor buyers are motivated to prioritize it. However, there are organizations serving industrial and enterprise markets that are already motivated to build security into their connected devices. These organizations are seeking clear and actionable guidance, as well as accessible tools and resources to shorten the development curve and facilitate implementation of best practices. That is where the DHS can have an impact. Some of today’s most critical infrastructure was not built for the current risk environment, and teams responsible for that infrastructure are actively looking to chart the path from point A to point B. Particularly on the consumer side, waiting for the market dynamics to shift in favor of security will take too long — something stronger and more proactive is needed.
Minimum standards for connected products
Every connected product should meet minimum standards that mitigate common threats with high potential impact. An example is a measure requiring administrative passwords to be changed upon installation, and ensuring that devices have a secure means by which updates and patches can be installed. Such a measure would address discovered vulnerabilities throughout the device’s lifetime.
It is also important that the integrity of devices is maintained — using proven methods for strong authentication and for protection of the data they collect and transmit. The DHS strategy identifies encryption as a challenge to law enforcement, but fails to acknowledge the critical role it plays in protecting the sensitive personal information of citizens or intellectual property and financial data of enterprises. With minimum standards in place and properly understood, users can know to treat devices that don’t meet them as hostile by default.
When it comes to IoT security, the DHS is in a position to encourage and facilitate an increase in information sharing throughout the industry. Organizations can work together, without compromising competitiveness, to collectively increase incident preparedness and incident response. We have seen initiative in the financial services and automotive industries, such as FS-ISAC and Auto-ISAC, encourage such collaboration. The DHS outlines noble aspirations in its strategy around information sharing and collaboration, but it will require everyone involved to play ball. As Secretary Kirstjen Nielsen said in her presentation at RSA Conference, “the bad guys are crowdsourcing their attacks, so we need to crowdsource our response.”
All in all, the DHS cybersecurity strategy addresses a number of important areas including the improvement of cybersecurity for IoT products and minimum standards that all products should meet. It will be interesting to see how the goals and objectives outlined in this strategy are actually played out.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.