The UK government has launched a voluntary Code of Practice for internet-connected devices. The IoT Code of Practice is a world first and aims to boost the security of devices such as smart watches and virtual assistants.
The measures have been set out by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) to coincide with tougher guidelines set out in the ‘Secure by Design’ review earlier this year.
Because the code is voluntary, it cannot compel compliance; it aims to ensure that IoT manufacturers consider security throughout the design process rather than treating it as an afterthought.
The security surrounding IoT devices has been of growing concern. Many have weak security, such as default passwords that can easily be found in user manuals and exploited by hackers.
With some internet-connected devices, such as pacemakers or driverless cars, security can become a life or death situation.
Minister for digital, Margot James, said: “From smartwatches to children’s toys, internet-connected devices have positively impacted our lives but it is crucial they have the best possible security to keep us safe from invasions of privacy or cyberattacks.
“The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.”
Technology companies HP and Centrica Hive are the first to pledge their support for the IoT Code of Practice.
“Cyber-crime has become an industry and IoT ‘endpoint’ devices increasingly constitute the frontline of cybersecurity,” said HP Inc. UK managing director George Brasher.
“Today we design our commercial products with security built-in not bolted on, not only designed to protect, but also to detect and self-heal from cyber-attacks.
“We are delighted to be joining forces with the UK Government in our shared ambition to raise the bar broadly in consumer IoT device security, starting with the connected printers we are all used to at home.”
Industry reacts to IoT Code of Practice
With more than 420 internet-connected devices expected to be in use across the UK over the next three years, industry experts have welcomed the IoT Code of Practice.
Ilkka Turunen, global director of solutions architecture at Sonatype, said:
“Passing the onus onto device manufacturers to keep their devices safe and automate security is another step in the right direction for a safer, connected world.
As attacks and breaches are often the result of easily exploited – and easily rectified – vulnerabilities, there is no excuse for other areas of industry not to implement similar governance policies.”
Gavin Millard, VP intelligence at Tenable, said:
“Virtually all consumers are so used to buying a device, ripping the wrapping off and not giving a moment’s thought to the cybersecurity implications of their new shiny toy. We can’t expect everyone to be an expert though, so a “secure by default” approach should be encouraged.
He added that defining a password during device set up and auto-updating when bugs are found are two simple steps that could “drastically reduce the cyber exposure of internet-connected devices.”
IoT Code of Practice favours incumbents
Matt Walmsley, EMEA director at Vectra, said that while the Code of Practice recognises key IoT risks, there are problems surrounding it.
“Voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issues the Code of Practice seeks to address,” he explained.
“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.
He added that consumers “can’t rely on such a Government initiative” and recommended that consumers at the very least change their IoT devices’ default password and ensure it has the latest firmware.
Andy Kays, CTO at threat detection and response specialist Redscan, said that the code of practice will help improve awareness but it’s difficult to tell how it will improve standards.
“While it’s positive that some large technology companies have already announced their backing of the new code, I suspect that smaller companies may be in less of a hurry to sign up,” he said.
“New manufacturers and start-ups don’t have the same level of brand equity as more established organisations so there may be a tendency for them to take bigger risks in order to get products to market – and this can mean that cybersecurity risks are less of a concern.”
He also called for retailers to ensure they stock products that meet “recognised security standards” and for cooperation at a “global level”.