With recent IoT-related cyberattacks, organizations and at least one government agency are now focusing on preventative security measures with another set of recommendations just released.
In addition to the U.S. Department of Homeland Security’s IoT security principles, the Broadband Internet Technical Advisory Group (BITAG) just outlined its recommendations for IoT device security.
The guidelines are intended specifically for the area of consumer-facing IoT devices, although most of the recommendations are for increased process and oversight in the supply chain of those devices.
Most of the recommendations are simply to follow current best practices that have already been established in other similar devices, like personal computers and other consumer electronics.
BITAG recommends using current best practices for software standards, device naming and addressing, security and cryptography. The group also recommends that the IoT devices industry comes together to explore the creation of a more formal cybersecurity program.
Most of these guidelines seem to be similar to the principles for IoT security that DHS recently released.
Those guidelines include incorporating security at the design phase of IoT products and services and enabling security by default through unique usernames and passwords.
However, there has yet to come a legal governance for IoT device security. Rather, the guidelines from both DHS and BITAG are recommendations for IoT device manufacturers.
Here are the IoT device security recommendations outlined by BITAG:
- Follow current software best practices
- Follow current security and cryptography best practices
- IoT device communication should be restrictive, not permissive, by default
- IoT device core functionality should work if the internet connection is disrupted
- IoT device core functionality should work if the cloud service fails
- Support naming and addressing best practices
- Disclose if the device functionality can be remotely limited by the manufacturer
- IoT device industry should establish a cybersecurity program
- IoT device supply chain should be actively involved in addressing privacy and security