The US Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) both this week released new guidance documents designed to improve IoT security.
The moves were made partly in response to recent major DDoS attacks leveraging botnets of compromised smart devices, which in one case took out some of the biggest names on the internet.
The DHS release is aimed at manufacturers, services providers, developers and business-level consumers while NIST’s much more detailed document targets manufacturers/developers with guidance on how to engineer safer products.
The DHS offers six “strategic principles” including building security into products at the design phase; promoting transparency; building on recognized security practice; and being mindful of whether continuous connectivity is needed or not.
It says of the principles:
“It is a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services and systems.”
Meanwhile, the NIST Special Publication 800-160 covers a massive 242 pages of in-depth technical detail on how to build connected systems which are as resilient and trustworthy as possible.
Its opening abstract has the following:
“Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems.”
Government and industry is finally taking notice of IoT security after botnets built from devices compromised by Mirai malware struck DNS provider Dyn, taking down sites including Spotify, Reddit and Twitter, security site Krebs On Security, and even the entire African nation of Liberia.
In many cases the products themselves are rushed out to market without proper time taken to fortify them against attacks.
However, recent research from the non-profit prpl Foundation actually found that consumers are willing to pay more for more secure smart devices, and are holding off on purchases because they’re worried about vulnerabilities.
That same group has released guidance for IoT stakeholders on how to product more secure kit, based around several key principles: open source software; interoperable standards; a Root of Trust anchored in the chip itself to prevent firmware attacks; and silicon-level virtualization to halt lateral movement.
President of prpl, Art Swift, argued that the DHS guidelines will provide a “good baseline” for manufacturers and developers.
“It often takes governments a little while to catch up with what experts have been saying for years, so it is encouraging that it seems to be sinking in now,” he added.