U.S. Department of Homeland Security Issues Strategic Principles for Securing the Internet of Things


By: Matthew N. Foree

As we have reported previously, the growth of network-connected devices (the “Internet of Things”) has created increasing concern about the security risks of those devices. Recently, the U.S. Department of Homeland Security (“DHS”) issued non-binding guidance on this issue entitled “Strategic Principles for Securing the Internet of Things” (the “Principles”). The purpose of the Principles is to “equip stakeholders with suggested practices that help to account for security as they develop, manufacture, implement, or use network connected devices.” To that end, the Principles provide a “set of non-binding principles and suggested best practices to build toward a responsible level of security for the devices and systems businesses design, manufacture, own, and operate.”

In the Principles, the DHS addresses security challenges through the following suggested steps: incorporate security at the design phase, advance security updates and vulnerability management, build on proven security practices, prioritize security measures according to potential impact, promote transparency across the Internet of Things (“IoT”), and connect carefully and deliberately. The DHS notes that the Principles are designed for IoT developers, so that they factor in security when a device is being designed and developed; manufacturers, to improve security for consumer devices and vendor-managed devices; service providers that implement services through IoT devices; and industrial and business-level consumers (including the federal government), to serve as leaders in engaging manufacturers and service providers on IoT security.

For each step, the DHS makes several suggestions for best practices. For example, as it relates to incorporating security at the design phase, it suggests enabling security by default through unique, hard-to-crack default user names and passwords. It also recommends building the device using the most recent operating system that is technically viable and economically feasible. Regarding the promotion of security updates and vulnerability management, the DHS suggests considering ways to secure the device over network connections or through automated means, and coordinating software updates among third-party vendors. To build on recognized security practices, it recommends starting with basic security and cybersecurity practices and applying them to the IoT ecosystem in flexible, adaptive, and innovative ways.

The DHS notes that “[o]ur nation cannot afford a generation of IoT devices deployed with little consideration for security.” Therefore, the DHS identifies four lines of effort across government and industry to fortify the security of the IoT. First, it suggests coordinating across federal departments and agencies to engage with IoT stakeholders and jointly explore ways to mitigate the risk posed by the IoT. Second, it suggests building awareness of the risk associated with the IoT across stakeholders. Third, it recommends identifying and advancing incentives for incorporating IoT security. Fourth, it suggests contributing to international standards development processes for IoT devices.

In sum, the DHS’s Principles are another example in a developing list of guidelines for dealing with the growing concerns about the security of IoT devices. It remains to be seen how those who design, manufacture, own, and operate IoT devices choose to incorporate, or collaborate regarding, these and other suggestions. We will continue to monitor and report on these developments.

For any questions, please contact Matt Foree at