Securing the Internet of Things (IoT)

The growth in the number of network-connected devices has increased concerns about securing those items and their connections. DHS and NIST have created the following pages and publications to help individuals and organizations think about how to address these challenges.

The Department of Homeland Security offers general guidance on securing the Internet of Things at https://www.dhs.gov/securingtheIoT, including the following document:

Strategic Principles for Securing the Internet of Things (IoT)
The growth of network-connected devices, systems, and services comprising the Internet of Things (IoT) creates immense opportunities and benefits for our society. IoT security, however, has not kept up with the rapid pace of innovation and deployment, creating substantial safety and economic risks. This document explains these risks and provides a set of non-binding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate. The principles in this document offer stakeholders a way to organize their thinking about how to address these IoT security challenges.

The National Institute of Standards and Technology (NIST) provides more detailed information in its publication:

Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems. It starts with and builds upon a set of well-established International Standards for systems and software engineering published by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the Institute of Electrical and Electronics Engineers (IEEE) and infuses systems security engineering methods, practices, and techniques into those systems and software engineering activities. The objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.