The UK government has launched a Code of Practice (CoP) for the Internet of Things (IoT) security. This is aimed at improving baseline security and ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, as well as advancing an industry-wide ‘security by design’ approach.
The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified thirteen guidelines that it considers essential to the safeguarding of IoT devices:
- No default passwords – all IoT device passwords should be unique and not resettable to a universal factory default value.
- Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
- Keep software updated – updates should be timely and should not impact on the functioning of the device, and the need for which should be made clear to consumers.
- Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
- Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
- Minimise exposed attack surfaces – devices and services should operate on the principle of “of least privilege”.
- Ensure software integrity – software should be verified using secure boot mechanisms.
- Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
- Make systems resilient to outages – resilience should be built into IoT devices.
- Monitor system telemetry data – telemetry data should be monitored for security anomalies.
- Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from it.
- Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
- Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.
Security by design
Consumers are increasingly using IoT devices, with internet-connected devices now controlling home networks and associated services. The CoP gives examples of its applicability, such as to smart cameras and TVs, health trackers, connected appliances and smart home assistance products, all of which are connected to the internet.
Historically, such devices have had limited cybersecurity protections, either in terms of manufacturer-installed software or consumers’ lack of security awareness (such as failure to change default passwords). The CoP tackles this by placing the onus on the manufacturer to create devices with security central to the design process.
The government has also published a mapping document to assist manufacturers in implementing the guidelines, and Consumer Guidance on how to secure internet-connected products.
The CoP is the first code of its kind, going further than anything previously to improve cyber resilience. In providing guidance to consumers as well as manufacturers, it will further public awareness. Therefore, despite the CoP being voluntary, IoT manufacturers should pay close attention as it would be difficult to justify to consumers why it has not adhered to the CoP’s recommendations.
The CoP, which itself recognises, is not a “silver bullet” for all IoT device security challenges, but is instead part of a wider drive to shift the security mindset to create and invest in a “secure development lifecycle”.