Incorporating IoT Security At The Design Phase

What the Department of Homeland Security considers necessary to secure the IoT.


The U.S. Department of Homeland Security (DHS) has outlined six Strategic Principles for securing the Internet of Things. Perhaps the most important of these principles is the concept of implementing security at the design phase, with the DHS recommending the use of hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption and anonymity.

Treating security as a primary design parameter rather than a tertiary afterthought is certainly an approach that is long overdue for a very vulnerable Internet of Things. To be sure, Network World recently reported that an IoT security camera can be infected with malware just 98 seconds after going online. As more and more “things” connect to the Internet, the danger of nefarious attackers exploiting unsecured devices looms ever larger.

Building hardware that incorporates hardened security features would see devices protected throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and its cloud service.

In addition to implementing security at the design phase, the DHS recommends device manufacturers promote security updates and vulnerability management. This is because even when security is included at the design stage, vulnerabilities may be discovered in products after they have been deployed. These flaws, says the DHS, can be mitigated through patching, security updates and vulnerability management strategies.

From Rambus’ perspective, over-the-air updates and vulnerability management are crucial elements of IoT security. However, to be truly secure, both must be tied to a hardware root-of-trust. Infected, hijacked or spoofed devices that are not authenticated are denied access to the service. This approach can also help mitigate the effectiveness (and damage) of DDoS attacks against service providers.

As the DHS notes, building on recognized security practices is also quite important. For example, many tested practices used in traditional IT and network security can be used as a starting point for IoT security. These approaches can help identify vulnerabilities, detect irregularities, respond to potential incidents and recover from damage or disruption to IoT devices.

In conclusion, the six “Strategic Principles” outlined by the DHS will go a long way in helping to convince the industry that IoT devices should not be pushed to market with little regard for security. Put simply, IoT security needs to be treated as a primary design consideration, rather than a haphazard afterthought.