UK gov’t releases ‘world first’ IoT Code of Practice – Technologist

The UK government has unveiled a ‘world first’ Internet of Things (IoT) Code of Practice to ensure the security of connected consumer devices at the design stage.

This came on the heels of the introduction of a landmark legislation in the US state of California — the IoT cybersecurity law — that also aims to have built-in security features that can guard against attack or intrusion.

The UK measure is also expected to guide manufacturers secure internet-connected devices, including home alarm systems, refrigerators, and toys.

The British government disclosed that the within the next three years, the projection is that over 420 million IoT devices will be in use in the country, and poorly secured devices can leave people exposed to security issues and even large scale-cyber attacks.

Prior to the release of the Code of Practice, the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have undertaken a ‘Secure by Design’ review “to embed security in the design process of new technology rather than bolt it on as an afterthought.”

While adherence to the code is voluntary, tech companies HP Inc. and Centrica Hive Ltd. have signed up to partner with the government in putting together the building blocks of IoT cybersecurity.

“The pledges by HP Inc. and Centrica Hive Ltd are a welcome first step but it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed,” said Margot James, Minister for Digital.

Hence, the government has also published a mapping document to make it easier for other manufacturers to join the initiative.

13 guidelines

The document released by the Department of Digital, Culture, Media and Sport outlines 13 guidelines manufacturers of consumer devices can implement into their product’s design.

These include making sure that devices have no factory default passwords, which had been a source of many security issues in the past; implementing a vulnerability disclosure policy so that any issues can be acted on in a timely manner; keeping the software updated throughout the product lifecycle and ensuring software integrity; and making installation and maintenance of devices easy.

The Code wants manufacturers as well to design devices that can securely store credentials and security-sensitive data, ensure that personal data is protected, make it easy for consumers to delete personal data, communicate securely, and make systems resilient to outages.

The Code also defines the kind of devices that the ruling may be applied to and these include connected children’s toys and baby monitors; safety  products such as smoke detectors and door locks; smart cameras, TVs and speakers; wearable health trackers; connected home automation and alarm systems; connected appliances (e.g. washing machines, fridges); and smart home assistants.

“With the amount of connected devices we all use expanding, this world-leading Code of Practice couldn’t come at a more important time,” said Dr. Ian Levy, the NCSC’s Technical Director.

“We want retailers to only stock internet-connected devices that meet these principles so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime,” he added.

The Code, however, acknowledges that “supply chains of IoT products can be complex and international, often involving multiple component manufacturers and service providers.”

As such, the code, at this stage, is only meant to initiate and facilitate a security mindset among stakeholders.

This initiative is a key part of the government’s five-year, £1.9-billion National Cyber Security Strategy.