DHS and NIST Release New IoT Guidance | Practical Law

Both the US Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released new cybersecurity guidance related to internet-connected devices, commonly known as the Internet of Things (IoT).

Practical Law Legal Update w-004-5860 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 17 Nov 2016
USA (National/Federal)
On November 15, 2016, the US Department of Homeland Security (DHS) released Strategic Principles for Securing the Internet of Things, a set of non-binding strategic principles designed to enhance the security of the Internet of Things (IoT) across a range of fields, including:
  • Design.
  • Manufacturing.
  • Deployment activities.
DHS published this guide in furtherance of its mission to secure cyberspace, protect critical infrastructure, and ensure public safety. The document, which is geared towards IoT developers, manufacturers, service providers, and industrial and business-level consumers, focuses on six core principles that span the IoT device lifecycle:
  • Incorporate security at the design phase.
  • Advance security updates and vulnerability management.
  • Build on proven security practices.
  • Prioritize security measures according to potential impact.
  • Promote transparency across IoT.
  • Connect carefully and deliberately.
For each principle, the guide includes several suggested practices stakeholders can follow to ensure IoT security. DHS also suggests four lines of effort needed across the public and private sectors, including:
  • Coordinating multistakeholder efforts to jointly explore managing IoT risks.
  • Building awareness of IoT risks.
  • Identifying and encouraging incentives to improve IoT security.
  • Contributing to international IoT standards development processes.
The National Institute of Standards and Technology (NIST) also released an IoT-related publication on November 15, 2016. Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, highlights engineering-based approaches to system security solutions with a focus on IoT issues. The guide also sets out a series of standards-based systems engineering processes that can be applied throughout the lifecycle to build in reasonable security measures for a variety of system types.