In 2019, the Cybersecurity Tech Accord signatories highlighted Internet of Things (IoT) security as one of the priority issues for providers, manufacturers, and governments to work on collectively. The dramatic increases in the numbers of connected devices have not necessarily been matched by a focused investment in security of those devices across the board. Similarly, the lessons, often learnt the hard way by software providers over the past few decades, are not always heeded. However, the only way these technologies can truly reach their full potential, and transform how we live and work, is for them to be trusted by consumers. This will only happen, if connected devices are designed with security in mind, and helpfully, good practice models are being introduced and promoted to get us to that goal.
An approach worth emulating to get us to that goal is the collaborative process employed by the UK National Cybersecurity Center (NCSC). As a reminder, the NCSC worked closely with industry, consumer associations and academia to put forward a code of conduct build around 13 outcome focused principles. IoT products in scope include connected children’s toys and baby monitors, printers, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health monitors, connected home automation and alarm systems, connected appliances (e.g. washing machines, fridges) or smart home assistants. The thirteen practices are mapped against published standards, recommendations, and guidelines from nearly 100 documents and 50 organizations. This makes it easier for developers to leverage existing and industry-wide acknowledged guidelines, as well as ensures that we are building upon established best practices, rather than reinventing the wheel.
Over the past year, the NCSC worked with the European Telecommunications Standards body (ETSI) to build on the code and agree a technical specification (TS 103 645) and now work is underway to transpose TS 103 645 into a European Standard (ETSI EN 303 645)[1]. In addition to the principles included in the original code of conduct, the standard will include further explanation regarding the meaning and intent of each of the thirteen principles, to ensure that it can be leveraged more effectively by emerging certification schemes. Indeed, we have already seen the first of such schemes emerge. The Finnish Transport and Communications Agency, Traficom, launched a cybersecurity label based on the standard at the end of last year. By introducing the labeling system, Traficom aims to raise consumer awareness of information security and the safe use of connected devices.
We believe that the adoption at the European level will be an important and positive step forward that can drive harmonization of voluntary approaches in this area, as well as demonstrate how industry and governments can come together to deliver real change in security of IoT consumer products. However, it is always important to remember that at the heart of all good cybersecurity practices, lies successful risk management. Standards and good practices, such as these, are only effective, if vendors and customers understand how to prioritize cybersecurity risks and employ appropriate risk management techniques.
The Cybersecurity Tech Accord signatories see IoT security as a pivotal issue. The recent webinar on how cybersecurity practices in this space differ from what we are used in the software sector – which you can revisit here – was just one of the initiatives we plan for this space in 2020. In the coming months, we will not only partner to ensure that technology providers and manufacturers adopt good security practices, but also launch an initiative to increase consumer awareness of how to select trustworthy products. Both of these approaches will be critical to security of our cyberspace in the future.
[1] The EN draft is currently under ballot which closes on Feb 24th