Homeland Security Issues Guidance on IoT Security

Posted on



The Department of Homeland Security (DHS) published its recent IoT security guidelines after many months of deliberation. The document codifies many of the recommendations we’ve been prescribing at GrammaTech in the past year or so. In this post, I review the guidance briefly and relate how this guidance fits into our security-first methodologies.


Recognition of a Problem

Not surprisingly, the report, Strategic Principles for Securing the Internet of Things, starts out dhs-seal-250.jpgwith the recognition that IoT is a huge phenomenn and security has not kept pace with innovation. As we discussed in a previous post, VDC research shows that almost a quarter of teams aren’t doing anything to mitigate security risks in their embedded devices. The recognition that “the time to address IoT security is right now” is refreshing and I hope manufacturers take this seriously; however, I suspect without concrete certification guidelines to enforce, it’s difficult to get the industry to take notice.

The Principles

Equally satisfying is seeing the recommendations that GrammaTech has been making for the last year be equally emphasized by the DHS. Although these recommendations are not earth-shattering, they do reinforce what many developers may know but not practice:

  • Incorporate Security at the Design Phase: This is our number one recommendation to our customers and it’s good that this is their top guideline. Security can’t be an afterthought — it must be built-in. 
  • Advance Security Updates and Vulnerability Management: Developers know how to deal with defects well enough, but overlook vulnerability management. Creating devices that can be updated easily and cheaply is critical in order to disseminate security patches.
  • Build on Proven Security Practices: Secure design is well understood, but not by most developers. It is critical for developers to become more security-conscious, learning about secure practices and how to enforce them. 
  • Prioritize Security Measures According to Potential Impact: Performing risk-management for security uses the same principles as it does for safety. Not understanding the impact makes it difficult to allocate resources. Again, the methods are known but not necessarily implemented in embedded device development.
  • Promote Transparency Across IoT: One of our key recommendations is a full end-to-end threat analysis for systems. This goes well beyond the boundaries of the device under development and into the infrastructure it is part of. Without transparency within companies and among vendors and customers, full end-to-end assessment is difficult. Transparency carries over into fully disclosing vulnerabilities and plans for mitigation. The days of “security by obscurity” are gone. 
  • Connect Carefully and Deliberately: Not every device in the IoT universe needs to be connected directly to the Internet. Manufacturers must communicate to customers the intended purposes of device connections and how to use them securely. Although security issues can be traced to user error, and they often are, it’s a responsibility of the manufacturer to mitigate these errors as much as possible.


I recommend reading the DHS guidelines. They are concise and readable (which might be unexpected), the advice is sound, and it puts an official stamp on recommended IoT security best-practices. 


Related Posts

Check out all of CodeSecure’s resources and stay informed.

view all posts

Book a Demo

We’re ready to help you integrate SAST and SCA security into your DevSecOps flow. Get a personally guided tour of our solution offerings to ensure you are receiving the right solution for your development team. 

book now