[iot-discussion] US Homeland Security published recommendations for IoT Security
Hello List,
German heise.de Newsservice just published an article (in German, sorry) about a publication of US Homeland Security: https://www.heise.de/downloads/18/2/0/3/5/4/8/9/DHS-Strategic-Principles-Sec...
best regards Wolfgang
heise.de article in German: https://www.heise.de/security/meldung/Internet-of-Things-US-Regierung-veroef...
--
Wolfgang Tremmel
Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | wolfgang.tremmel@de-cix.net
Managing Director: Harald A. Summa | Registration court: AG Köln HRB 51135
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net
Hi,
I think the main point of the article is when developing an IoT device you should think about security as you would do with any other operating system or network-enabled device. Security by design, security updates and management, usage of common security rules and so on.
Sounds a bit like common sense but an interesting article.
Regards, Klaas Tammling
On Thursday, 17.11.2016, at 08:55 +0000, Wolfgang Tremmel wrote:
Hello List,
German heise.de Newsservice just published an article (in German, sorry) about a publication of US Homeland Security: https://www.heise.de/downloads/18/2/0/3/5/4/8/9/DHS-Strategic-Principles-Securing-IoT-2016.pdf
best regards Wolfgang
heise.de article in German: https://www.heise.de/security/meldung/Internet-of-Things-US-Regierung-veroeffentlicht-Security-Strategie-3488886.html
_______________________________________________ iot-discussion mailing list iot-discussion@ripe.net https://lists.ripe.net/mailman/listinfo/iot-discussion
On 17-11-16 10:55, Klaas Tammling wrote:
Sounds a bit like common sense but an interesting article.
What was that quote again? "Common sense is less common than you think"...
Julf
On Thursday, 17.11.2016, at 11:05 +0100, Johan Helsingius wrote:
On 17-11-16 10:55, Klaas Tammling wrote:
Sounds a bit like common sense but an interesting article.
What was that quote again? "Common sense is less common than you think"...
Ok I agree with you.
Klaas & all,
At 2016-11-17 10:07:32 +0000 Klaas Tammling <klaas@tammling.hamburg> wrote:
On Thursday, 17.11.2016, at 11:05 +0100, Johan Helsingius wrote:
On 17-11-16 10:55, Klaas Tammling wrote:
Sounds a bit like common sense but an interesting article.
What was that quote again? "Common sense is less common than you think"...
Ok I agree with you.
I think that I disagree with everyone in this thread so far.
I don't think this paper is "common sense", or else we wouldn't be in the mess that we are all in now. (Of course, I think that "common sense" is really just an excuse to mock people who don't share your background or expertise, so maybe I am biased.)
While the recommendations in the paper *do* make sense, I think the most crucial issue was identified in this sidebar on pages 14 and 15:
Identify and advance incentives for incorporating IoT security. Policymakers, legislators, and stakeholders need to consider ways to better incentivize efforts to enhance the security of IoT. In the current environment, it is too often unclear who bears responsibility for the security of a given product or system. In addition, the costs of poor security are often not borne by those best positioned to increase security. DHS and all other stakeholders need to consider how tort liability, cyber insurance, legislation, regulation, voluntary certification management, standards-settings initiatives, voluntary industry-level initiatives, and other mechanisms could improve security while still encouraging economic activity and groundbreaking innovation. Going forward, DHS will convene with partners to discuss these critical matters and solicit ideas and feedback.
Giving people with power to solve problems the responsibility to solve them along with proper rewards if they do seems quite obvious, so maybe that is what you meant by "common sense"? :)
I'm glad that DHS seems to "get it", but I am also nervous because I doubt that they can make an impact with legislators and regulators here. Setting up markets so they align with the best interests of society is likely to be considered government meddling by many; especially business folks who instinctively fear and hate any constraints on their activities.
Cheers,
-- Shane
I think that I disagree with everyone in this thread so far.
I don't think this paper is "common sense", or else we wouldn't be in the mess that we are all in now. (Of course, I think that "common sense" is really just an excuse to mock people who don't share your background or expertise, so maybe I am biased.)
While the recommendations in the paper *do* make sense, I think the most crucial issue was identified in this sidebar on pages 14 and 15:
Identify and advance incentives for incorporating IoT security. Policymakers, legislators, and stakeholders need to consider ways to better incentivize efforts to enhance the security of IoT. In the current environment, it is too often unclear who bears responsibility for the security of a given product or system. In addition, the costs of poor security are often not borne by those best positioned to increase security. DHS and all other stakeholders need to consider how tort liability, cyber insurance, legislation, regulation, voluntary certification management, standards-settings initiatives, voluntary industry-level initiatives, and other mechanisms could improve security while still encouraging economic activity and groundbreaking innovation. Going forward, DHS will convene with partners to discuss these critical matters and solicit ideas and feedback.
Giving people with power to solve problems the responsibility to solve them along with proper rewards if they do seems quite obvious, so maybe that is what you meant by "common sense"? :)
I'm glad that DHS seems to "get it", but I am also nervous because I doubt that they can make an impact with legislators and regulators here. Setting up markets so they align with the best interests of society is likely to be considered government meddling by many; especially business folks who instinctively fear and hate any constraints on their activities.
Sure I can agree with you that "common sense" doesn't seem to be that common as we wouldn't have the current situation. So at the moment I don't know if this is the right thing to talk about.
What I am a bit worried about is that every time regulators or even in the extreme case the government comes in to set up rules, strange things happen. In the extreme case when the government steps in it will need technical advice otherwise laws appear where you have to be discussing about privacy again or where an engineer knows that these measures won't be serving anyone except everything will be getting more expensive and/or complicated.
At the moment I couldn't even imagine what such a "reward" could be. Maybe certificates for IoT security which can be traded on the market if you want to release a product which isn't that secure as it should be. "To enhance security while keeping economic costs low" maybe.
On 17.11.2016 09:55, Wolfgang Tremmel wrote:
German heise.de Newsservice just published an article (in German, sorry) about a publication of US Homeland Security: https://www.heise.de/downloads/18/2/0/3/5/4/8/9/DHS-Strategic-Principles-Sec...
Thanks, Wolfgang.
These principles pretty much read like the 101 of SW development that fresh CS students would listen to during their first lecture. Sheds some pretty "interesting" light on the Status Quo of the IoT part of our industry...
Best, -C.
participants (5)
- Carsten Schiefner
- Johan Helsingius
- Klaas Tammling
- Shane Kerr
- Wolfgang Tremmel