November 28, 2016 By Douglas Bonderud 2 min read

Internet of Things (IoT) security is an emergent property. As individual pieces of technology become intrinsically linked, the result is a kind of ongoing security struggle that presents not only a public relations nightmare, but also a real risk to consumers, utilities and government agencies.

According to SecurityWeek, the U.S. Department of Homeland Security (DHS) recently published a set of nonbinding principles for securing the Internet of Things. But is it already too little, too late?

A Rapidly Closing Window

The DHS document, titled “Strategic Principles for Securing the Internet of Things,” warned that “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.” This window is informed by time-to-market.

For many manufacturers, security is a return on investment (ROI) handicap that could delay product rollouts and equate to reduced overall revenue. But are IoT threats really that risky? Since most connected devices are small and relatively innocuous in nature, what’s the real harm?

A Worm of a Different Color

According to Forbes, researchers were able to infect IoT-enabled, color-changing lightbulbs with a worm that quickly spread to other devices and allowed total control over color, brightness and the on/off cycle. Seems more like a prank than a security threat, right?

But here’s the thing: Security teams from the Weitzmann Institute of Science and Dalhousie University were also able to introduce code that prevented the connected lightbulbs from receiving any future updates over Wi-Fi, in effect rendering them useless.

Since these lightbulbs depend on active network connections, there’s already a built-in route upstream to more sensitive functions and critical controls. In the worst case scenario, corporate networks can be disabled entirely because someone left the lights on.

Securing the Internet of Things Is an Uphill Battle

Despite the increasing seriousness of IoT security issues, however, finding widespread support for stricter controls is an uphill battle. As noted by Computerworld, cybersecurity expert Bruce Schneier recently warned Congress that both “buyer and seller don’t care” about securing the IoT.

It makes sense, since small devices mean thin profit margins, and users only complain if their connected technology doesn’t work. What’s more, lawmakers worry that over-regulating IoT development could stifle innovation and make the U.S. less competitive.

Some companies are taking steps on their own. CNET reported that smart gadget maker Z-Wave is rolling out new security standards that include unique personal identification numbers (PINs) and quick response (QR) codes for each device.

A Solid Starting Point

What about the DHS best practices? They’re nonbinding, which means businesses can ignore them at will, but they do offer some solid starting points. The paper offers advice for securing the Internet of Things in six areas:

  1. Incorporate security at the design phase.
  2. Advance security updates and vulnerability management.
  3. Build on proven security practices.
  4. Prioritize security measures according to potential impact.
  5. Promote transparency across IoT.
  6. Connect carefully and deliberately.

Put simply, the DHS wants companies to make IoT security a native part of the manufacturing process rather than an aftermarket add-on. They should approach securing the Internet of Things like they would secure their own IT resources.

Ultimately, organizations must decide to invest time, effort and funds in better IoT security before the market can undergo any significant change. The DHS best practices provide a straightforward framework that respects the need for innovation while reaffirming the role of enhanced device protection.

More from

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today