The race to standardisation in the Internet of Things (IoT), particularly when it comes to security, is a long and knotted one. Getting security baked in at the design stage is increasingly important – and it is with that goal in mind that the UK government has announced a Code of Practice around consumer IoT.
HP and Centrica Hive are the first two companies to have signed up to the agreement to help manufacturers bolster security of various internet-connected devices.
There are 13 initial guidelines given to vendors, with the code set to be updated periodically. Many will be, to regular readers of this publication at least, common sense: keeping software updated, no default passwords – at least, not resettable to any universal factory default value – and making device installation and maintenance straightforward. Others are based around compliance, such as policies around deletion and protection of personal data.
Overall, however, these are best practices that the security community has been evangelising for years. Liviu Arsene, senior threat analyst at Bitdefender – which earlier this year found the first botnet that could survive resets of compromised devices – said that while it was a good first step, companies outside of the behemoths need to be encouraged to sign up.
“This new Code of Practice for smart device makers represents an important milestone for IoT security. However, it’s not just large tech giants that must adhere to it, but all IoT manufacturers,” said Arsene. “The problem has always been low-end smart devices, as these are the ones that are usually lacking in the security area. It’s because of these that we’ve seen IoT botnets and denial of service attacks.
“While the new Code of Practice is a step in the right direction, especially since it makes use of security best practices, similar documents and even legislation should be adopted in order to nudge IoT manufacturers into implementing security best practices into smart devices,” added Arsene.
Andy Kays, CTO at threat detection company Redscan, expressed a similar view. “While it’s positive that some large technology companies have already announced their backing of the new code, I suspect that smaller companies may be in less of a hurry to sign up,” said Kays. “New manufacturers and startups don’t have the same level of brand equity as more established organisations so there may be a tendency for them to take bigger risks in order to get products to market – and this can mean that cybersecurity risks are less of a concern.”
The Code of Practice was developed by the Department of Culture, Media and Sport in conjunction with the National Cyber Security Centre, alongside other government departments, industry, and academia. You can read the full guide here.