Companies that make products for the Internet of Things must build security in at the design stage or face the possibility of getting sued, the Department of Homeland Security said in guidelines released Tuesday.
Failing to bake security in at the earliest design phases and implement basic security measures “could be damaging to the manufacturer in terms of financial costs, reputational costs, or product recall costs,” states the department in a new publication, Strategic Principles for Securing the Internet of Things. “While there is not yet an established body of case law addressing IoT context, traditional tort principles of product liability can be expected to apply,” the document warns.
The publication comes in the wake of the massive distributed denial of service attacks launched by the Mirai botnet — powered by hacked IoT devices like DVRs and webcams. Many of the devices were easy to compromise because they had hard-coded default passwords; did not employ basic authentication procedures; and cannot be updated remotely — or at all.
“Securing the IoT has become a matter of homeland security,” said DHS Secretary Jeh Johnson in a release.
With billions of new devices expected to come online in the next five years, “We have a rapidly closing window to ensure security is accounted for at the front end of the IoT phenomenon,” added DHS Assistant Secretary for Cyber Policy Robert Silvers.
Speaking Tuesday at a San Fransisco symposium on cybersecurity under the next president held by the Coalition for Cybersecurity Policy and Law, Silvers suggested that front-end security might have stymied the Mirai botnet by, for instance, making default passwords individualized, longer and harder to crack.
“We need to include security at the design base. Security shouldn’t be an afterthought. For instance, we need built-in, hard to crack passwords, responsibly updated operating systems and to promote security updates and vulnerability management,” he said.
Baking in, rather than bolting on, security has always been a mantra for cybersecurity mavens, and it is one of the five high-level principles DHS briefly outlines in its 17-page publication. They are:
- Incorporate Security at the Design Phase: “Economic drivers motivate businesses to push devices to market with little regard for security,” the authors warn in a factsheet accompanying the document. This creates “multiple opportunities for malicious actors to manipulate the flow of information to and from network connected devices.”
- Enable Security Updates and Vulnerability Management: Even when security is baked in, “it is common for vulnerabilities to be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates and vulnerability management strategies.”
- Build on Proven Security Best Practices: There are “many tested practices used in traditional [cyber]security [that] can be used as a starting point for enhancing security of IoT.”
- Prioritize Security Measures According to Impact: The risks and consequences of a security breach vary “substantially” depending on what kinds of things are being connected to the internet. “Focusing on the potential consequences of disruption, breach or malicious activity is therefore critical for determining where in the IoT ecosystem particular security efforts should be directed.”
- Promote Transparency: “Where possible, developers and manufacturers need to know their supply chain,” so they can identify software and hardware components and educate themselves about “any associated vulnerabilities. Increased awareness can help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies.”
- Connect Carefully and Deliberately: IoT consumers, especially industrial enterprises, should carefully and “deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.”
“Today is a first step,” said Silvers, acknowledging that there were multiple efforts ongoing by federal agencies, industry groups and others. “Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures,” the document states.
In the document, DHS defines four lines of IoT security effort across the federal government:
- Coordinate with other federal departments and agencies to work with IoT manufacturers, network connectivity providers and other industry stakeholders. “Future efforts will also focus on updating and applying these principles, as best practices and approaches are further refined and understood.”
- Build awareness of risks associated with IoT among all those stakeholders. “DHS will accelerate public awareness, education, and training initiatives, in partnership with other agencies, the private sector, and international partners.”
- Identify and advance incentives for securing IoT devices and networks. Right now “it is too often unclear who bears responsibility for the security of a given product or system.” Moreover, “the costs of poor security are often not borne by those best positioned to increase security.” Among the list of factors to consider are “tort liability, cyber insurance, legislation, regulation, voluntary certification management, standards-settings initiatives, [and] voluntary industry-level initiatives … Going forward, DHS will convene with partners to discuss these critical matters and solicit ideas and feedback.”
- Contribute to international standards development processes for IoT. IoT devices in the U.S. are part of a global ecosystem, and other nations, not to mention international organizations are wrestling with the same security issues. beginning to evaluate many of these same security considerations. “We must engage with our international partners and the private sector to support the development of international standards,” the document states. “It is important that IoT-related activities not splinter into inconsistent sets of standards or rules.”
“Our nation cannot afford a generation of IoT devices deployed with little consideration for security,” concludes the document. “The consequences are too high given the potential for harm to our critical infrastructure, our personal privacy, and our economy.”