“Code of Practice” Proposed in UK to Help Manufacturers Secure IoT Devices

Last updated: 12 March 2018

Securing the Internet of Things (IoT) is one of the most pressing challenges confronting today’s digital world, and consumers know it. In Gemalto’s 2017 IoT device security survey, 90 percent of individual users revealed their lack of confidence in the security of smart devices. An equal percentage of consumers and almost every organization surveyed (96 percent) went on to vocalize support for government-sponsored IoT security regulations.

Jason Hart, CTO of data protection at Gemalto, thinks these views reveal who needs to take the lead on IoT security going forward.

“It’s clear that both consumers and businesses have serious concerns around IoT security and little confidence that IoT service providers and IoT device manufacturers will be able to protect IoT devices and more importantly the integrity of the data created, stored and transmitted by these devices,” Hart explains. “With legislation like GDPR showing that governments are beginning to recognize the threats and long-lasting damage cyber-attacks can have on everyday lives, they now need to step up when it comes to IoT security. Until there is confidence in IoT amongst businesses and consumers, it won’t see mainstream adoption.”

The UK Government came to the same conclusion as Hart. To help instill that sense of confidence among businesses and consumers, officials conducted a review for which they sought input from industry leaders, academics, and other stakeholders on the burden of securing IoT devices. They then analyzed those responses to identify the rights and responsibilities of consumers and businesses regarding IoT security.

A key achievement of the “Secure by Design” review was the development of a “Code of Practice” that manufacturers can use to improve the security of the IoT products they sell and operate. Currently, the Code consists of 13 IoT security best practices. These are as follows:

1. Do not ship out IoT devices with default passwords.
2. Create a vulnerability disclosure policy with a public point of contact.
3. Make all software components in smart products capable of receiving remote updates.
4. Use encryption and similar measures to securely store credentials on IoT devices.
5. Encrypt sensitive IoT-generated data as it moves across the web.
6. Implement the principle of least privilege on all Internet of Things gadgets.
7. Use secure boot mechanisms to ensure the integrity of products’ software.
8. Make IoT devices’ data-processing procedures comply with data protection law.
9. Design resiliency into smart gadgets so that they withstand outages.
10. Monitor telemetry data generated by IoT devices for security anomalies.
11. Enable users to easily delete their personal data collected by Internet of Things products.
12. Minimize the difficulty of IoT device installation and maintenance.
13. Validate users’ input data on smart gadgets.

Margot James, minister for digital and creative industries, is proud of the UK Government’s work in developing the Code of Practice, a voluntary labeling scheme for smart products, and other proposals that could help improve IoT security.

“Everyone to benefit from the huge potential of internet-connected devices,” James clarifies, as quoted by V3. “It is important they are safe and have a positive impact on people’s lives. We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed. This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”

That being said, many feel the Government shouldn’t stop there.

Ken Munro, an analyst at security firm Pen Test Partners, thinks the review is a good starting point, but he feels it has some way to go before it actually helps address the challenges of IoT security. As he told BBC News:

It’s a good start but misses too much to be of great use. Responsible IoT (internet of things) manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about. Without ‘teeth’, this standard is meaningless. Manufacturers who already play fast and loose with our security to make a quick buck from us won’t change anything.

The Government is currently seeking feedback on its Code of Practice and other proposals. Interested parties can submit their comments to the Department for Digital, Culture, Media & Sport by emailing securitybydesign@culture.gov.uk before 25 April 2018.

In the meantime, learn how Gemalto can help organizations that are considering investing in solutions that help secure their IoT devices.
