The Aspen Cybersecurity Group has issued seven principles to bolster the security of Internet-of-Things devices, calling on manufacturers to increase investment, accountability and transparency in their products’ security, to design devices with “updateable” security and to build a multi-layered IoT defense, The Washington Post reported.
“When left unsecured, however, these devices also carry increased risks to public health and safety, business operations and individual privacy,” the ACG said in a recently-released memo. “As the attack surface continues to expand, there is an acute need to ensure the benefits of IoT— and technological innovation more broadly — are nurtured while simultaneously mitigating against the associated risks.”
ACG’s IoT Security First Principles:
1. Manufacturers should incorporate security at the design phase of IoT devices.
2. Transparency should include details on the security attributes of products and services for the consumer’s awareness.
3. Developers should provide information on product privacy.
4. Manufacturers should be held accountable for the security of their devices.
5. IoT devices should have updateable security to keep up with changing security risks.
6. Products should have multi-layered security and countermeasures that function
without degrading in the absence of connectivity.
7. Manufacturers should limit device features to “necessity.”
“Changing the dynamic requires an environment that incentivizes products to be secure-by-design and increases transparency to give consumers an opportunity to consider the security and privacy impacts of a product in their purchasing decisions,” the group said.
The ACG also provided recommendations for increasing the size of the U.S. cybersecurity workforce and a framework to improve cybersecurity collaboration between the federal government and the industry.
The Aspen Institute established the group in 2017, which consists of lawmakers, former government officials, technology experts, scholars and other cybersecurity professionals.