November 28, 2016 By Douglas Bonderud 2 min read

Internet of Things (IoT) security is an emergent property. As individual pieces of technology become intrinsically linked, the result is a kind of ongoing security struggle that presents not only a public relations nightmare, but also a real risk to consumers, utilities and government agencies.

According to SecurityWeek, the U.S. Department of Homeland Security (DHS) recently published a set of nonbinding principles for securing the Internet of Things. But is it already too little, too late?

A Rapidly Closing Window

The DHS document, titled “Strategic Principles for Securing the Internet of Things,” warned that “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.” This window is informed by time-to-market.

For many manufacturers, security is a return on investment (ROI) handicap that could delay product rollouts and equate to reduced overall revenue. But are IoT threats really that risky? Since most connected devices are small and relatively innocuous in nature, what’s the real harm?

A Worm of a Different Color

According to Forbes, researchers were able to infect IoT-enabled, color-changing lightbulbs with a worm that quickly spread to other devices and allowed total control over color, brightness and the on/off cycle. Seems more like a prank than a security threat, right?

But here’s the thing: Security teams from the Weitzmann Institute of Science and Dalhousie University were also able to introduce code that prevented the connected lightbulbs from receiving any future updates over Wi-Fi, in effect rendering them useless.

Since these lightbulbs depend on active network connections, there’s already a built-in route upstream to more sensitive functions and critical controls. In the worst case scenario, corporate networks can be disabled entirely because someone left the lights on.

Securing the Internet of Things Is an Uphill Battle

Despite the increasing seriousness of IoT security issues, however, finding widespread support for stricter controls is an uphill battle. As noted by Computerworld, cybersecurity expert Bruce Schneier recently warned Congress that both “buyer and seller don’t care” about securing the IoT.

It makes sense, since small devices mean thin profit margins, and users only complain if their connected technology doesn’t work. What’s more, lawmakers worry that over-regulating IoT development could stifle innovation and make the U.S. less competitive.

Some companies are taking steps on their own. CNET reported that smart gadget maker Z-Wave is rolling out new security standards that include unique personal identification numbers (PINs) and quick response (QR) codes for each device.

A Solid Starting Point

What about the DHS best practices? They’re nonbinding, which means businesses can ignore them at will, but they do offer some solid starting points. The paper offers advice for securing the Internet of Things in six areas:

  1. Incorporate security at the design phase.
  2. Advance security updates and vulnerability management.
  3. Build on proven security practices.
  4. Prioritize security measures according to potential impact.
  5. Promote transparency across IoT.
  6. Connect carefully and deliberately.

Put simply, the DHS wants companies to make IoT security a native part of the manufacturing process rather than an aftermarket add-on. They should approach securing the Internet of Things like they would secure their own IT resources.

Ultimately, organizations must decide to invest time, effort and funds in better IoT security before the market can undergo any significant change. The DHS best practices provide a straightforward framework that respects the need for innovation while reaffirming the role of enhanced device protection.

More from

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today