Applying IoT security guidelines to device development and deployment

IoT security guidelines from DHS and NIST aim to help IoT organizations and users create a framework for secure IoT development.

Information security has not kept pace with the world's increasing dependence on network-connected technologies. In the rush to be first to market, most developers and manufacturers of IoT devices fail to evaluate the security posture of their product. This has created a situation where there are now millions of vulnerable devices deployed around the world -- in homes, businesses and across cities.

To encourage better practices and create a framework for secure IoT development, both the U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released internet of things security guidelines.

Those responsible in any way for IoT within their organization, whether developing IoT devices or deploying them, should read both DHS publications -- the Internet of Things Fact Sheet and "Strategic Principles for Securing the Internet of Things," -- as they quickly bring the reader up to speed on the issues that need addressing. The documents outline six strategic principles for securing IoT, which are to:

  1. Incorporate security at the design phase
  2. Promote security updates and vulnerability management
  3. Build on recognized security practices
  4. Prioritize security measures according to potential impact
  5. Promote transparency across IoT
  6. Connect carefully and deliberately

The first four IoT security guidelines have been promoted heavily for several years by the software industry, through Microsoft's software development process Security Development Lifecycle and the Open Web Application Security Project. However, IoT devices are often made by companies with little or no experience with how to secure a product that is accessible by the rest of the connected world. So even if the advice may appear basic to some, it creates a good starting point for those enterprises unfamiliar with developing or deploying trustworthy, secure and survivable systems. While the DHS articles are an easy read and will get senior management up to speed, many of the suggested practices refer the reader to other documents, such as NIST's Cybersecurity Framework and the DHS Industrial Control Systems Cyber Emergency Response Team's "Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies." These referenced documents provide more hands-on IoT security guidelines and are essential reading for companies with the responsibility to implement a secure development lifecycle.

NIST's Special Publication 800-160 "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems" is an in-depth and detailed description of the activities and tasks behind building secure IoT devices. Based on ISO/IEC/IEEE 15288:2015, a framework describing the lifecycle of man-made systems, SP 800-160 covers over 30 processes and the security activities that support building secure IoT devices.  However, it doesn't actually define or prescribe specific processes, only what tasks and actions should be considered. In fact, a lot of the technical detail only appears in a set of appendices, in an effort to increase the document's accessibility for the engineering community. NIST intends to cover issues such as IoT hardware assurance and resiliency in further special publications -- hopefully sooner rather than later.

DHS and NIST released these IoT security guidelines in an effort to kick start a much-needed shift in the way IoT is developed and used, but they leave it up to each organization as to how they interpret and enact the advice provided. As project managers go through these documents, they should note the areas where their products or deployments fall short and the skill sets they're missing, then discuss with senior management the best methods of bringing their processes up to date and aligned with the recommendations. For organizations adopting IoT devices, network administrators and security teams will most likely have to use third-party specialists to help with device evaluation and deployment, as they're unlikely to have the necessary skills in-house to carry out the suggested checks.

It has taken many years for major software vendors to understand the importance of baking security into their products, and it would be irresponsible for the IoT industry to make the same mistakes. No professional can get away with building a plane, building or bridge that doesn't meet recognized standards, and the same measures have to apply to IoT, as many devices interact with and control critical, life-supporting systems. These IoT security guidelines point us in the right direction, but there is still a long way to go. While enterprise purchasing power can force manufacturers to adopt best practices, regulations may be the only way to force security into consumer devices.

Next Steps

Learn from the Cloud Security Alliance's guidelines for secure IoT development

Find out what the main IoT security threats are and how to mitigate them

Discover what the best IoT certifications are for security

Dig Deeper on Internet of Things (IoT) Security Strategy