By Megan Bozman
Government, at least here in the US, isn’t widely regarded as being helpful to the development and adoption of new technology. On the contrary, many feel that government regulation will be the hurdle that delays the autonomous car. (38,300 people were killed and 4.4 million injured on U.S. roads in 2015, but yes, let’s focus on the one, injury-free accident the Google Car had in more than 1.3 million miles driven since 2009.)
However, there have been some positive developments recently for IoT.
Earlier this month, both the Department of Homeland Security (DHS) and National Institute of Standards and Technology (NIST) released new security guidelines for the IoT. The voluntary guidance was developed by NIST over a four-year period, and released one month ahead of schedule as a result of last month’s massive DDoS attack.
The DHS document provides non-binding principles and suggested best practices. It is “a first step to motivate and frame conversations about positive measures for IoT security among IoT developers, manufacturers, service providers, and the users who purchase and deploy the devices, services, and systems.”
IoT Security is a Matter of Homeland Security
In the press release announcing the new guidelines, Secretary of Homeland Security Jeh Johnson stated, “We increasingly rely on functional networks to advance life-sustaining activities, from self-driving cars to the control systems that deliver water and power to our homes. Securing the Internet of Things has become a matter of homeland security.”
IoT Security is Lacking, but Why?
Secretary Johnson continued, “The growing dependency on network-connected technologies is outpacing the means to secure them.”
I think the fundamental flaw in this quote is that the ‘means to secure’ IoT do exist. It’s implementation of those means that is not keeping pace.
Specific strategies for IoT security are out there, and known by many technology professionals. They just aren’t bothering to implement them.
So I certainly agree with Secretary Johnson about the problem, but I strongly disagree on the cause. Indeed, the DHS document itself seems to weigh in on my side here, “Many of the vulnerabilities in IoT could be mitigated through recognized security best practices, but too many products today do not incorporate even basic security measures.”
Security: Can’t Bolt it on Later
I was particularly pleased to read that the security guidance encompasses the entire development lifecycle.
The purpose of the principles is stated as, “to equip stakeholders with suggested practices that help to account for security as they develop, manufacture, implement, or use network connected devices.”
Indeed, attempting to bolt security on after the fact is not a pathway to robust, secure solutions. It must be factored into the development cycle from inception through product launch.
DHS Guidelines Broad, NIST Granular
Including the glossary, the NIST document is 242 pages long, whereas the DHS document is 17, a count which includes the cover page. NIST Special Publication 800-160 states, “This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical and human components that compose the systems and the capabilities and services delivered by those systems.”
IoT Security Guidelines to Build Public Trust
“Really what we’re trying to do is get the same trustworthiness that you have when you cross a bridge or fly on an airplane,” NIST Fellow Ron Ross said recently at cybersecurity firm Splunk Inc.’s annual summit. “That trustworthiness doesn’t happen by accident. You have to engineer it into the system.”
“The increasing prevalence of IoT devices in critical industries — power production, transportation infrastructure and medical technology — means federal security mandates could soon be on their way, Ross added.”
While my initial inclination is to view government regulation as a hindrance to the advancement of technology, I have to admit Mr. Ross made an excellent analogy. I know commercial air traffic is profoundly safe, which is certainly in large part to the credit of the FAA. If that safety track record persists, this is excellent news for the future of IoT.