The Department of Homeland Security (DHS) published its recent IoT security guidelines after many months of deliberation. The document codifies many of the recommendations we've been prescribing at GrammaTech in the past year or so. In this post, I review the guidance briefly and relate how this guidance fits into our security-first methodologies.
- Strategic Principles for Securing the Internet of Things (IoT)
- A Four-Step Guide to Security Assurance for IoT Devices
- An Ounce of Prevention: Software Hardening for Securing IoT devices
Recognition of a Problem
Not surprisingly, the report, Strategic Principles for Securing the Internet of Things, starts out with the recognition that IoT is a huge phenomenon and security has not kept pace with innovation. As we discussed in a previous post, VDC research shows that almost a quarter of teams aren't doing anything to mitigate security risks in their embedded devices. The recognition that "the time to address IoT security is right now" is refreshing and I hope manufacturers take this seriously; however, I suspect without concrete certification guidelines to enforce, it's difficult to get the industry to take notice.
It is equally satisfying to see the recommendations that GrammaTech has been making for the last year emphasized by the DHS. Although these recommendations are not earth-shattering, they do reinforce what many developers may know but not practice:
- Incorporate Security at the Design Phase: This is our number one recommendation to our customers and it's good that this is their top guideline. Security can't be an afterthought -- it must be built-in.
- Advance Security Updates and Vulnerability Management: Developers know how to deal with defects well enough, but overlook vulnerability management. Creating devices that can be updated easily and cheaply is critical in order to disseminate security patches.
- Build on Proven Security Practices: Secure design is well understood, but not by most developers. It is critical for developers to become more security-conscious, learning about secure practices and how to enforce them.
- Prioritize Security Measures According to Potential Impact: Risk management for security uses the same principles as risk management for safety. Not understanding the impact makes it difficult to allocate resources. Again, the methods are known but not necessarily implemented in embedded device development.
- Promote Transparency Across IoT: One of our key recommendations is a full end-to-end threat analysis for systems. This goes well beyond the boundaries of the device under development and into the infrastructure it is part of. Without transparency within companies and among vendors and customers, full end-to-end assessment is difficult. Transparency carries over into fully disclosing vulnerabilities and plans for mitigation. The days of "security by obscurity" are gone.
- Connect Carefully and Deliberately: Not every device in the IoT universe needs to be connected directly to the Internet. Manufacturers must communicate to customers the intended purposes of device connections and how to use them securely. Although security issues can be traced to user error, and they often are, it's the manufacturer's responsibility to mitigate these errors as much as possible.
I recommend reading the DHS guidelines. They are concise and readable (which might be unexpected), the advice is sound, and they put an official stamp on recommended IoT security best practices.