Government puts IoT security at the forefront with new Code of Practice for industry

The IoT has gone unsecured for too long, say DCMS and NCSC

The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have published new measures to combat the insecurity of the Internet of Things.

The IoT has a poor cyber reputation. Manufacturers often don't install appropriate safeguards on their products, and consumers fail to change default passwords or update the pre-installed software.

With connected devices now controlling entire homes full of electronics, including door locks, children's toys, cameras and medical products, the importance of securing the IoT is greater than ever.

The DCMS and NCSC, in what the government is calling a 'world first', have set out plans to embed security by design, rather than as an afterthought.

The government has worked with industry partners to develop a new Code of Practice, to improve security and consumer safety.

The Code defines 13 guidelines for manufacturers, service providers, developers and retailers to implement in order to ensure that IoT products are safe to use. They are:

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimise exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

HP Inc. and Centrica Hive are the first companies to sign up to the new Code. Minister for Digital Margot James said that these pledges are "a welcome first step," but "it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed."

The government has published a mapping document to make it easy for other manufacturers to follow HP Inc. and Centrica Hive's example, as well as a document for consumers with guidance on securing IoT devices in the home.

CA Veracode's consultant solution architect, John Smith, praised the move:

"This government initiative is exactly what many in the industry have been craving for years. Manufacturers have not really felt any market pressure to improve the security of these devices because consumers still have a lack of understanding of the security implications of IoT devices.

"Providing concrete guidance to manufacturers while also raising public awareness of these issues can only help address the gap that currently exists. It's not just about the hardware anymore, it's about the software behind it, and it's really encouraging to see the UK government wake up to the potential vulnerabilities in consumer IoT devices."

Ronen Priel, VP of product and strategy at Allot Communications, welcomed the guidelines but pointed out that as a voluntary document, "ultimately there are no guarantees companies will sign up, particularly if it affects time to market."

However, Judy Krieg, privacy, security and information partner at Fieldfisher, said that companies ignore the document at their peril:

"Although this is a voluntary 'Code of Practice' and contains security 'recommendations', any IoT manufacturer would be hard-pressed to explain why they have not adhered to this guidance. Particularly in the case of a cyber weakness in the design of an IoT product, this document would be an important tool for both regulators and private litigants to show the expected standard of care. Irrespective of whether a company wants to affirmatively sign up to the Code, they ignore it at their great peril."