Aspen Cyber Group Issues IoT Security Policy Recommendations

Internet of Things IoT Data Architecture diagram

The Aspen Cybersecurity Group (ACG), which was formed last year by the Aspen Institute think tank to “translate pressing cybersecurity conversations into action,” has issued several policy recommendations to bolster the security of internet of things (IoT) devices including suggesting that device manufacturers invest more in building in better security, and that manufacturers be held accountable for the security of devices that they make.

Among the seven recommendations issued by the group, first among them is “baking in” device security, which ACG acknowledged is “difficult to achieve” but which would reduce the burden of poor security on consumers and supply chain participants.

In a related recommendation on manufacturer accountability for security of their devices, ACG said “the responsibilities of all parties should be articulated and there should be an enforcement and redress mechanism.” It also said that “devices should ‘timeout’ if updates are unavailable and the device can no longer meet a minimum standard.”

Further, the group said IoT devices should have updateable security features, and that security should be in multiple layers such that “security controls should be equivalent across interfaces and countermeasures must perform at volume without degrading in the absence of connectivity; this includes device, router, and network.”

ACG also said manufacturers should provide transparent disclosure on product security and privacy, and should limit IoT device features “by necessity…stripping down to the minimum viable feature set and devices should connect carefully and deliberately.”

The ACG policy document noted the range of “great benefits” that connected devices have for individuals, communities, and businesses, but said that when left unsecured they “also carry increased risks to public health and safety, business operations, and individual privacy.”

“As the attack surface continues to expand, there is an acute need to ensure the benefits of IoT– and technological innovation more broadly–are nurtured while simultaneously mitigating against the associated risks,” it said.

ACG also said its recommendations “are put forth with a clear-eyed understanding that further work is necessary to find effective ways to encourage the adoptions of these–or similar–principles.”

Recent