The Obama administration on Tuesday issued sweeping guidelines on cybersecurity for internet-connected devices, stressing an engineering-based approach that builds security systems directly into Internet of Things technology.
The Department of Homeland Security separately released its own cybersecurity policy for IoT devices on Tuesday, delineating six strategic principles that it believes will help stakeholders stop hackers from tampering with connected devices.
Ron Ross, the first document’s point man and a fellow at the National Institute of Standards and Technology, said the goal is to build public trust in the IoT devices that connect home appliances and medical monitors to the internet.
“Really what we’re trying to do is get the same trustworthiness that you have when you cross a bridge or fly on an airplane,” he said Tuesday at cybersecurity firm Splunk Inc.’s annual summit in Washington. “That trustworthiness doesn’t happen by accident. You have to engineer it into the system.”
The voluntary guidance was developed by NIST over a four-year period. It was released one month ahead of schedule because of a sense of urgency prompted by last month’s large-scale distributed denial of service attack on the U.S.’s internet infrastructure.
U.S. Chief Information Officer Tony Scott and U.S. Chief Information Security Officer Greg Touhill were both on hand to present the guidelines.
“This is an inflection point for all of us,” Touhill said. The publication “helps set the flight plan” for public, private and academic interests to coordinate on how to best integrate cybersecurity directly into the design and manufacturing process of IoT devices.
Ross said the document is a departure from previous federal analyses on IoT security because it provides guidance for each step of the engineering process — from initial business analysis to stakeholder requirements to the design and architecture of the device.
The guidelines are meant for engineers as well as cybersecurity analysts. Ross said a possible function built into an IoT device could force the consumer to change the default password before use.
But, he added, those kinds of design questions “get into the costs of how much the developer will want to invest in putting that new capability in those products. … That’s another discussion.”
NIST has the authority to issue standards that would be immediately applicable to government agencies and contractors. “You have to make the case, to our customers, why this is important, and let them work through the process,” Ross said.
The increasing prevalence of IoT devices in critical industries — power production, transportation infrastructure and medical technology — means federal security mandates could soon be on their way, Ross added.
Commissioners and other officials at the Federal Communications Commission have said it’s unlikely that the FCC will enact mandatory IoT security standards, at least for now. Ross said federal regulations on the topic could ultimately emanate from the Office of Management and Budget, and that NIST will not play a direct role in those discussions.
The House Energy and Commerce Committee is scheduled to hold a hearing Wednesday on IoT cybersecurity.
Like NIST, the Department of Homeland Security stresses incorporating security during the engineering and design stage of IoT device deployment. DHS also asks stakeholders to consider whether devices need to be constantly connected, to prioritize security measures according to the potential impact of a breach, to promote and coordinate regular device security updates, and to push for greater transparency in the IoT marketplace.
“We have a rapidly closing window to ensure security is accounted for at the front end of the Internet of Things phenomenon,” DHS’s Assistant Secretary for Cyber Policy Robert Silvers said in a press statement. “These principles will initiate longer-term collaboration between government and industry.”
Update 4:37 p.m. This story has been updated to include DHS’s IoT guidelines.