DHS Announces Intent to Draft IoT Security Framework – Threatpost


September 23, 2016


CAMBRIDGE, Ma.—The Department of Homeland Security today formally announced its plan to develop a set of strategic principles for the Internet of Things, saying such a framework is necessary to protect the nation’s critical infrastructure from cyber threats.

In a brief talk at the Internet of Things Forum, Robert Silvers, the Assistant Secretary for Cyber Policy at the U.S. Department of Homeland Security, confirmed that the agency is developing a set of unifying principles to identify challenges and highlight practices for managing risk when it comes to IoT. Silvers said that problems around IoT security have evolved into a public safety issue and that the industry demands attention “from a DHS perspective.”

As Americans become more dependent on life-sustaining technologies–from medical devices to control systems that drive the energy grid and water supply–there should be best practices for the industry that follow suit, Silvers said.

“This is complex stuff, but it’s not going to be regulatory or over prescriptive, it’s not even going to be highly technical,” Silvers said of the principles. “What we’re going to be doing is drawing on the best approaches, pulling them together and elevating them to get the public’s attention.”

Silvers lauded plans previously outlined by government agencies such as the National Institute of Standards and Technology, the Food and Drug Administration, and the Department of Transportation, which earlier this week unveiled its Federal Automated Vehicles Policy.

Silvers said some of those agencies’ plans, along with previously issued guidance from the National Telecommunications and Information Administration and the Federal Trade Commission, will factor into the DHS’ final set of principles.

Despite having been previously articulated elsewhere, best practices around IoT haven’t stuck, Silvers said, stressing that the agency has a responsibility to coordinate its own principles. Silvers didn’t provide a timetable but said the agency would release documentation on the strategic principles after an extensive review period, which he said has already begun.

Addressing vulnerabilities in devices that are already on the market complicates things and serves as a challenge to the agency but will have to be taken into account, Silvers said.

“We have a small and closing window of time to take decisive and effective action,” Silvers said. “The challenge of addressing IoT security is outweighed only by the greater challenge of patching, or building on the security of already deployed systems. While some of this may sound like common sense, it’s an undeniable fact that some companies are not being held accountable,” Silvers said. “Products haven’t benefited from best practices and we need to change that together.”

Near the end of his talk, Silvers issued a call to action to attendees, urging them to “accelerate everything” they’re working on and tackle issues that pop up in cybersecurity in real time.

“The longer we deliberate, the further ground we’re going to have to recover, so let’s all get together with focus and resolve, because at the end of the day we want a future that’s innovative but secure.”
