The UK government has launched a Code of Practice (CoP) for Internet of Things (IoT) security. It is aimed at improving baseline security, ensuring that devices which process personal data are General Data Protection Regulation (GDPR) compliant, and advancing an industry-wide ‘security by design’ approach.

The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified thirteen guidelines that it considers essential to the safeguarding of IoT devices:

  1. No default passwords – all IoT device passwords should be unique and not resettable to a universal factory default value.
  2. Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
  3. Keep software updated – updates should be timely and should not impact the functioning of the device, and the need for them should be made clear to consumers.
  4. Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
  5. Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
  6. Minimise exposed attack surfaces – devices and services should operate on the principle of “least privilege”.
  7. Ensure software integrity – software should be verified using secure boot mechanisms.
  8. Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
  9. Make systems resilient to outages – resilience should be built into IoT devices.
  10. Monitor system telemetry data – telemetry data should be monitored for security anomalies.
  11. Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from the device.
  12. Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
  13. Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.
