Internet of Things (IoT) security is an emergent property. As individual pieces of technology become intrinsically linked, the result is a kind of ongoing security struggle that presents not only a public relations nightmare, but also a real risk to consumers, utilities and government agencies.

According to SecurityWeek, the U.S. Department of Homeland Security (DHS) recently published a set of nonbinding principles for securing the Internet of Things. But is it already too little, too late?

A Rapidly Closing Window

The DHS document, titled “Strategic Principles for Securing the Internet of Things,” warned that “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.” This window is informed by time-to-market.

For many manufacturers, security is a return on investment (ROI) handicap that could delay product rollouts and equate to reduced overall revenue. But are IoT threats really that risky? Since most connected devices are small and relatively innocuous in nature, what’s the real harm?

A Worm of a Different Color

According to Forbes, researchers were able to infect IoT-enabled, color-changing lightbulbs with a worm that quickly spread to other devices and allowed total control over color, brightness and the on/off cycle. Seems more like a prank than a security threat, right?

But here’s the thing: Security teams from the Weizmann Institute of Science and Dalhousie University were also able to introduce code that prevented the connected lightbulbs from receiving any future updates over Wi-Fi, in effect rendering them useless.

Since these lightbulbs depend on active network connections, there’s already a built-in route upstream to more sensitive functions and critical controls. In the worst-case scenario, corporate networks can be disabled entirely because someone left the lights on.

Securing the Internet of Things Is an Uphill Battle

Despite the increasing seriousness of IoT security issues, however, finding widespread support for stricter controls is an uphill battle. As noted by Computerworld, cybersecurity expert Bruce Schneier recently warned Congress that both “buyer and seller don’t care” about securing the IoT.

It makes sense, since small devices mean thin profit margins, and users only complain if their connected technology doesn’t work. What’s more, lawmakers worry that over-regulating IoT development could stifle innovation and make the U.S. less competitive.

Some companies are taking steps on their own. CNET reported that smart gadget maker Z-Wave is rolling out new security standards that include unique personal identification numbers (PINs) and quick response (QR) codes for each device.

A Solid Starting Point

What about the DHS best practices? They’re nonbinding, which means businesses can ignore them at will, but they do offer some solid starting points. The paper offers advice for securing the Internet of Things in six areas:

  1. Incorporate security at the design phase.
  2. Advance security updates and vulnerability management.
  3. Build on proven security practices.
  4. Prioritize security measures according to potential impact.
  5. Promote transparency across IoT.
  6. Connect carefully and deliberately.

Put simply, the DHS wants companies to make IoT security a native part of the manufacturing process rather than an aftermarket add-on. They should approach securing the Internet of Things like they would secure their own IT resources.

Ultimately, organizations must decide to invest time, effort and funds in better IoT security before the market can undergo any significant change. The DHS best practices provide a straightforward framework that respects the need for innovation while reaffirming the role of enhanced device protection.
