U.S. Department of Homeland Security’s Robert Silvers says his purpose in speaking at the Security of Things Forum in Cambridge on Thursday wasn’t to scare anyone, but then he went ahead and called on everyone in the room to “accelerate everything you’re doing” to secure the internet of things. As the Assistant Secretary for Cyber Policy at DHS says, IoT security is a public safety issue that involves protecting both the nation’s physical and cyber infrastructures.
Acknowledging a growing national dependency on the internet of things, be it in the medical, utility or transportation fields, Silvers says IoT has his department’s full attention. And a straightforward undertaking it is not, he says.
“The challenge of addressing IoT security on the front end is outweighed only by the far greater challenge of trying to bolt on or patch on security on the back end once an ecosystem is deployed,” he says. “So we all need to think about what we can do right now to get this architecture built the right way.”
Long-term and parallel short-term solutions are needed, says Silvers, who adds that DHS is attempting to synch its efforts with ongoing work by NIST (Cyber-Physical Architecture), the Food & Drug Administration (on medical device security), the Department of Transportation (autonomous vehicles) and in the private sector.
More specifically, DHS is formulating a series of unifying principles – and best practices – relating to IoT security, including how to patch stuff that’s already in the field rather than relying on an unsustainable physical recall process. Building security into the cloud will also be an option. While much of this will wind up being non-technical and just plain common sense for those who work full time in the security industry, awareness needs to be ratcheted up in the mainstream, Silvers says. He didn’t specify when the principles would be released, only that it would be after lots of “extensive consultation” with industry stakeholders.
“The undeniable fact is that there are companies out there that are not accountable for these best practices and approaches,” he says. “The undeniable fact is that there is product being pushed to market right now that has not benefited from best practice security planning.”
The feds will be pushing for everyone from manufacturers to consumers to tech vendors to share IoT security approaches with each other, keeping in line with a broader effort by the Obama administration on information security sharing.
Not that this is a U.S.-only issue, of course, Silvers says. “Everything in cybersecurity is transnational, but IoT especially so,” where you might have a device designed in the United States, built in China and deployed in Germany. “It’s a global issue,” he says, and coming up with policies to secure the disaggregated world of IoT will require serious diplomatic efforts.