Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following...
a series of massive distributed denial-of-service attacks that leveraged IoT devices using default security settings.
Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released recommendations for how to approach security for the internet of things (IoT). Experts said the IoT security guidance from DHS focuses on the basics, while NIST offers more of a how-to for businesses.
The DHS IoT security guidance put forth six strategic principles intended to equip IoT developers, manufacturers, service providers and consumers "with tools to comprehensively account for security as they develop, manufacture, implement or use network-connected devices." The DHS recommended incorporating IoT security in the design phase, pushing security updates, building upon proven security practices, prioritizing higher-risk issues, promoting transparency and being deliberate in the use of IoT devices.
Derek Manky, global security strategist at Fortinet Inc., based in Sunnyvale, Calif., told SearchSecurity the focus on the basics from DHS was the best strategy for IoT security guidance.
"There's a lot of groups that should have focused on [the basics], but, unfortunately, nobody saw the problem until there were millions of devices deployed across the world," Manky said via email. "I think the best option is to focus on the basics right now. There aren't any best practices out there from an IoT perspective -- for security and development alike. The first step is to develop the right framework, and then start changing the mindset of the IoT developers."
Art Swift, president of prpl Foundation, based in Santa Clara, Calif., said the DHS offered "a good baseline for IoT security practices."
"While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the internet of things," Swift said. "The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations."
Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high-impact, but very achievable."
"For example, in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."
Manky agreed the Mirai botnet attack was proof that security from the start is one of the most important issues in IoT security.
"Mirai was shown to have accumulated its great power through something incredibly simple -- trying to log into devices using their default usernames and passwords. If developers just eliminated default usernames and passwords, it would have completely dismantled this botnet before it got off the ground," Manky said. "Security from the start means incorporating things like the Common Weakness Enumeration to evaluate the security posture of your product, where things like hardcoded and default passwords would be fleshed out before they ever make it out the door."
However, Utter said the DHS IoT security guidance left out more technical details.
"The document seems to have some overtones -- OK, strong ones -- of recycled ideology. Things like patch management [are] really not something the IoT has the ability to scale right now," Utter said. "It also has some traditional thinking and assumptions -- like that the IoT is still an 'on network' issue, where we rather think of the IoT as an always-connected and always-on issue. So, the guidance is good; the vision of how to apply this framework to the reality of IoT falls a bit short."
Manky said "the DHS release explains the what and why. And if you want to [take] security seriously, the NIST Special Publication gives you a how-to."
According to the new NIST Special Publication 800-160, "Engineering-based solutions are essential to managing the growing complexity, dynamicity and interconnectedness of today's systems, as exemplified by cyber-physical systems and systems-of-systems, including the internet of things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical and human components that compose the systems and the capabilities and services delivered by those systems."
Swift said, "It's time to get the industry at large involved and effecting the change needed to make IoT safer and more secure."
"Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure, but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse-engineered, as it has been proven time and time again that this 'security by obscurity' approach is broken," Swift said. "By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first, and then compete on value-add market differentiators."
Manky praised the two new IoT security guidelines for promoting the need for more discussion on the topic.
"This needs to be collaborative, and it's not just Silicon Valley they need onboard. They need manufacturers of practically every vertical to adopt this mindset, and a surefire way to lose your voice is to demand too much too soon," Manky said. "These are things we've been saying within the tech world for years, but the IoT reaches so many new people. So many things that weren't done over IP are quickly moving [in] that direction. It's the next wave of digitalization, and continual outreach is important."
Learn more about the risks to consider with IoT systems.
Find out if passwords are destined for obscurity.
Get info on why the IoT security window is closing.