Consumers are increasingly adopting the use of connected devices in their daily lives, resulting in the so-called “Internet of Things” (IoT). These “things” can range from children’s toys to door locks, printers, speakers, wearable health trackers, fridges, and even smart home assistants that have traditionally not been connected to the internet. This increasing fusion of our physical and digital worlds comes with lots of benefits but also presents new cybersecurity challenges.
As IoT continues to grow and transform how we live, protecting it against threats to the safety and privacy of consumers will be critical. Without public trust, the implementation of these exciting technologies may not achieve its full potential. Manufacturers need to take steps to address cybersecurity challenges and protect consumers from digital threats. Connected devices should, therefore, be designed with security in mind. To that end, industry and governments alike have been working to develop best practices to improve the security of these devices and empower consumers to use them responsibly.
An example of a collaborative dialogue with different stakeholders is the UK government's Code of Practice for consumer IoT security. It has now also been adopted as an ETSI Technical Specification to establish a security baseline for Internet-connected consumer products and provide a basis for future IoT certification schemes, in Europe and more broadly. The signatories of the Cybersecurity Tech Accord believe that the Code of Practice is an important and positive step forward, showing how governments and industry can and should work together to improve the security of consumer IoT products.
The Code sets out thirteen security guidelines that manufacturers of IoT consumer devices are encouraged to implement, including:
- No default passwords;
- Implement a vulnerability disclosure policy;
- Keep software updated;
- Securely store credentials and security-sensitive data;
- Communicate securely;
- Minimize exposed attack surfaces;
- Ensure software integrity;
- Ensure that personal data is protected;
- Make systems resilient to outages;
- Monitor system telemetry data;
- Make it easy for consumers to delete personal data;
- Make installation and maintenance of devices easy; and
- Validate input data.
The thirteen practices are mapped against published standards, recommendations, and guidelines from nearly 100 documents and 50 organizations, including the Industrial Internet Consortium (IIC), the Cloud Security Alliance (CSA), the US National Institute of Standards and Technology (NIST), and the European Agency for Network and Information Security (ENISA). This makes it easier for developers to leverage existing, industry-wide acknowledged guidelines, and ensures that we are building upon established best practices rather than reinventing the wheel.
Instead of being prescriptive, the outcome-focused nature of these principles provides manufacturers with enough flexibility to improve the security of their devices based on current best practices, and to evolve as better methods become available. As the Code acknowledges, there is no silver bullet for securing the billions of different IoT devices in use today, or the many more yet to come, but implementing these principles can go a long way towards providing the best protection for consumers. While not mandatory, manufacturers are able to pledge to adopt all of the Code’s practices in specific products.
The signatories of the Cybersecurity Tech Accord not only support the document but also commend the way it was developed. The collaborative process employed by the UK government – engaging with industry, consumer associations and academia throughout – represents a successful model to improve the security of consumer IoT products by leveraging the valuable perspectives of all stakeholders. Of the Cybersecurity Tech Accord signatories, HP Inc. was the first to sign up to commit to the guidelines of the Code of Practice, having worked closely with the UK government to develop them. Similarly, ARM has been a vocal proponent since its announcement, encouraging their wider adoption.
Finally, as a group we believe that the Code of Practice provides a successful model that governments around the world should draw on, endorsing as far as possible the basic principles in the Code. With this in mind, we are delighted that it is already available in eight languages (English, French, German, Japanese, Korean, Mandarin, Portuguese, and Spanish). As a community, we need to establish a globally relevant common basis for IoT security, and the steps made to ensure it is accessible to a wider community, as well as the fact that ETSI is taking up this effort, represent steps in the right direction.