In a recent post, we noted that the US federal government has become increasingly concerned about the security of Internet of Things (IoT) devices. On November 15, the US Department of Homeland Security (DHS) issued guidance to help stakeholders account for security in the development, manufacturing, implementation, and use of IoT devices.

The set of nonbinding principles and suggested best practices for IoT device security includes the following:

  • Provide manufacturer-supplied usernames and passwords that are unique and difficult for botnets to crack (in recognition of the fact that many consumers never reset default usernames and passwords initially provided with their devices).
  • Coordinate software updates among third-party vendors to ensure consumer devices have the most updated set of protections.
  • Implement an end-of-life strategy and communicate to consumers the risks of using devices beyond their usability dates.
  • Apply basic software security and cybersecurity practices while also referring to industry-specific security guidance, if available.
  • Perform “red-teaming” exercises—during which developers actively try to bypass the security measures of an IoT device—and use the results to prioritize what and where additional security measures are needed.
  • Advise consumers about the intended purpose of any network connections—especially since the critical functions of many IoT devices do not require a connection to the internet.
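The first principle above, unique and hard-to-guess factory credentials, is the one most directly testable in code. The following is an added illustration, not part of the DHS guidance or of this post: a hypothetical manufacturing-line provisioning routine that draws a random password per device serial from a CSPRNG, rejects anything matching a small constructed list of shared defaults (the kind botnets enumerate), and enforces a minimum entropy so that every unit ships with its own credential rather than a fleet-wide one. Serial numbers, the weak-default list and the 80-bit threshold are assumptions chosen for the example.

```python
import math
import secrets
import string

# Constructed sample of fleet-wide factory defaults that should never be shipped;
# a real deployment would check against a much larger list of leaked defaults.
WEAK_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "default", "root", "user"}

# Character set used for generated passwords (letters and digits, 62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Draw a per-device password from the OS CSPRNG (secrets), never from random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(password: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing entropy for a password drawn uniformly from ALPHABET."""
    return len(password) * math.log2(alphabet_size)


def is_acceptable_default(password: str, min_bits: float = 80.0) -> bool:
    """Reject shared defaults and anything below the assumed 80-bit entropy floor."""
    if password.lower() in WEAK_DEFAULTS:
        return False
    return password_entropy_bits(password) >= min_bits


def provision_fleet(serials):
    """Assign each device serial its own credential; returns {serial: password}.

    The returned mapping is what a line operator would print on the per-unit label,
    so that the owner has the credential without the device sharing it fleet-wide.
    """
    creds = {}
    for serial in serials:
        pw = generate_device_password()
        # Generated passwords always pass; the check documents the policy and
        # would catch a future change to ALPHABET or length that weakens them.
        if not is_acceptable_default(pw):
            raise ValueError(f"generated credential for {serial} failed policy")
        creds[serial] = pw
    return creds


def all_unique(creds) -> bool:
    """True when no two devices in the batch share a credential."""
    return len(set(creds.values())) == len(creds)


if __name__ == "__main__":
    # Constructed serials for a three-unit batch.
    batch = provision_fleet(["SN-0001", "SN-0002", "SN-0003"])
    for serial, pw in batch.items():
        print(serial, pw, f"{password_entropy_bits(pw):.1f} bits")
    print("unique across batch:", all_unique(batch))
    print("'admin' acceptable:", is_acceptable_default("admin"))
```

A 16-character password over 62 symbols gives roughly 95 bits of guessing entropy, comfortably above the assumed floor, while a shared default such as `admin` fails both the list check and the entropy check. The complementary consumer-side control is forcing a credential change on first login, which this routine does not cover.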

The guidance concludes with four areas that government and industry should address to reduce the cybersecurity risk of IoT devices:

  1. DHS and other federal departments and agencies should continue to engage with IoT stakeholders to build on and refine the current guidance.
  2. DHS will work with stakeholders to expand public awareness and education about the risks posed by IoT devices.
  3. Stakeholders and policymakers should better incentivize efforts to enhance the security of IoT devices, as the owners of compromised devices are rarely the ultimate victims of cyberattacks (and often are unaware that their devices have even been used in an attack).
  4. Because IoT devices are part of a global ecosystem, future efforts must be consistent with the development of any international standards or rules.