CAMBRIDGE, Mass.—All players involved in the issue of security and the internet of things need to accelerate the work they’re doing, according to an official with the Department of Homeland Security.
Speaking to attendees of the Security of Things Forum 2016 here Sept. 22, Robert Silvers, assistant secretary for cyber policy for DHS, said improving security in the fast-growing internet of things (IoT) is going to be a long-term issue, but that along the way there will continue to be issues in the near term that have to be addressed immediately. Procrastinating on dealing with those short-term challenges will only make the problems grow larger and more complex, Silvers warned.
“I want to call on everyone to accelerate what you’re doing,” he said. “This isn’t easy stuff and there needs to be a lot of development problems. … I encourage people to start tackling those now because they’re only going to get harder.”
Silvers was one of almost a dozen speakers and panelists of the day-long annual event, which looks to address the perplexing problem of how to bring security to the wide-open and varied field that is the IoT. Vendors and industry analysts expect the number of connected devices, systems and sensors to grow rapidly in the coming years, with predictions of the number of connected devices worldwide hitting 50 billion by 2020. The IT security field is continuing to wrestle with a broad array of challenges, from how to implement security in a vast and growing attack surface created by all those devices to how to secure the massive amounts of data those devices are generating.
The agenda for the event was replete with security experts from a range of vendors, including such top-tier players as Intel and IBM, as well as security officials from companies. However, Silvers said the government, in general, and DHS, in particular, have significant roles to play in the effort to secure the IoT. He pointed to plans that have been developed by such government agencies as the National Institute of Standards and Technology (NIST), Food and Drug Administration (FDA) and Federal Trade Commission (FTC) as examples. Silvers also noted the Department of Transportation’s (DOT’s) guidelines for connected and autonomous vehicles released this week, and lauded efforts by standards bodies in developing procedures.
For example, this week the Industrial Internet Consortium released the Industrial Internet Security Framework to address security issues at a time when the systems that run the world’s industrial operations are becoming increasingly connected and interconnected.
For its part, DHS is developing a set of unifying principles around IoT security that outlines challenges and pulls in best practices that businesses, vendors, standards bodies, end users and other players can lean on as the IoT grows, Silvers said. The United States and the world are seeing many of the parts of their lives—and “life-sustaining” technologies—become increasingly connected, he said. Making these safe and secure is becoming an even greater priority.
“We’re growing a national dependency [on connected devices] and it’s important that we recognize that and that internet of things security … is now a public safety issue.”
The national strategic principles that DHS is releasing will serve as a baseline that tech vendors and end users can use as they develop security strategies for their IoT projects, he said. DHS is working with other players in the IoT security space in developing these standards and has started a review process, though Silvers did not say when they would be released.
DHS Developing IoT Security Framework of Principles
The principles will not be a regulatory document or overly prescriptive or technical, he said. Instead, the agency will be detailing best security practices, putting them on a platform and making them available to the public and the various players involved, Silvers said. It will address such issues as the need for updating and patching policies to protect against security vulnerabilities, building security into the IoT devices at the design stage and figuring out how to secure those products already on the market, and encouraging transparency throughout the supply chain, from manufacturers and suppliers to system and component makers and end users.
In addition, the platform will stress the need for standards to accelerate innovation. It will be a “foundational” document upon which others can build strategies. Silvers pushed back at a question about whether DHS’ plans essentially outline principles that have been developed elsewhere, saying the agency has the responsibility to take such principles that have not gained much traction and make them more accessible to the industry and public.
“We need long-term solutions and short-term actions in parallel,” he said. “The longer we deliberate, the further ground we’re going to have to recover, so let’s all get together with focus and resolve, because … we want a future that’s innovative and secure.”