Internet of Things (IoT) security is an emergent property. As individual pieces of technology become intrinsically linked, the result is a kind of ongoing security struggle that presents not only a public relations nightmare, but also a real risk to consumers, utilities and government agencies.
According to SecurityWeek, the U.S. Department of Homeland Security (DHS) recently published a set of nonbinding principles for securing the Internet of Things. But is it already too little, too late?
A Rapidly Closing Window
The DHS document, titled “Strategic Principles for Securing the Internet of Things,” warned that “there is a small — and rapidly closing — window to ensure that IoT is adopted in a way that maximizes security and minimizes risk.” This window is informed by time-to-market.
For many manufacturers, security is a return on investment (ROI) handicap that could delay product rollouts and equate to reduced overall revenue. But are IoT threats really that risky? Since most connected devices are small and relatively innocuous in nature, what’s the real harm?
A Worm of a Different Color
According to Forbes, researchers were able to infect IoT-enabled, color-changing lightbulbs with a worm that quickly spread to other devices and allowed total control over color, brightness and the on/off cycle. Seems more like a prank than a security threat, right?
But here’s the thing: Security teams from the Weitzmann Institute of Science and Dalhousie University were also able to introduce code that prevented the connected lightbulbs from receiving any future updates over Wi-Fi, in effect rendering them useless.
Since these lightbulbs depend on active network connections, there’s already a built-in route upstream to more sensitive functions and critical controls. In the worst case scenario, corporate networks can be disabled entirely because someone left the lights on.
Securing the Internet of Things Is an Uphill Battle
Despite the increasing seriousness of IoT security issues, however, finding widespread support for stricter controls is an uphill battle. As noted by Computerworld, cybersecurity expert Bruce Schneier recently warned Congress that both “buyer and seller don’t care” about securing the IoT.
It makes sense, since small devices mean thin profit margins, and users only complain if their connected technology doesn’t work. What’s more, lawmakers worry that over-regulating IoT development could stifle innovation and make the U.S. less competitive.
Some companies are taking steps on their own. CNET reported that smart gadget maker Z-Wave is rolling out new security standards that include unique personal identification numbers (PINs) and quick response (QR) codes for each device.
A Solid Starting Point
What about the DHS best practices? They’re nonbinding, which means businesses can ignore them at will, but they do offer some solid starting points. The paper offers advice for securing the Internet of Things in six areas:
- Incorporate security at the design phase.
- Advance security updates and vulnerability management.
- Build on proven security practices.
- Prioritize security measures according to potential impact.
- Promote transparency across IoT.
- Connect carefully and deliberately.
Put simply, the DHS wants companies to make IoT security a native part of the manufacturing process rather than an aftermarket add-on. They should approach securing the Internet of Things like they would secure their own IT resources.
Ultimately, organizations must decide to invest time, effort and funds in better IoT security before the market can undergo any significant change. The DHS best practices provide a straightforward framework that respects the need for innovation while reaffirming the role of enhanced device protection.