While consumers should be aware of the importance of cybersecurity of their IoT devices, it is highly crucial for manufacturers to do as much as possible on their end to ensure that their products are trusted and secure. Overall, their efforts will be beneficial to ensuring that their products are secure and trusted. As the application of this technology continues to grow and is expected to reach 50 billion IoT connected devices in use by the year 2022 (Juniper Research), national and international regulators, as well as influential actors in the IoT space, have published several reports and guidelines spelling out what manufacturers can do to ensure that their products are secure by design.
US National Institute of Standards and Technology – NISTIR 8259
The US National Institute of Standards and Technology (NIST) recently published a second draft of the Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, or NISTIR 8259 for short. The draft sets out voluntary and recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These activities are intended to help manufacturers lessen the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromise and the attacks performed using compromised IoT devices.
The draft can be found here.
IoT Security Foundation
The Internet of Things Security Foundation (IoTSF), a collaborative, non-profit, international initiative created in response to the complex reality of cybersecurity in the hyper-connected IoT industry, has produced multiple publications of best practices that manufacturers should consider implementing such as vulnerability disclosures, secure design best practice guides and other resources manufacturers may find useful.
Their full reports and recommendations can be found here.
European Telecommunications Standards Institute – Technical Specification on Consumer IoT
The European Telecommunications Standards Institute (ETSI) published the ETSI Technical Specification on Cyber Security for Consumer Internet of Things, a document which sets out thirteen outcomes-focused security guidelines that manufacturers of IoT consumer devices are encouraged to implement. These include avoiding the use of default passwords, implementing a vulnerability disclosure policy, keeping software updated, and storing sensitive data securely in the manufacture of consumer goods. The document maps the guidelines against established standards from national and international cybersecurity regulatory bodies, helping developers build on best practices from across the industry.
More information on the ETSI consumer IoT standards can be found here.
UK Government Consumer IoT Legislation and Consultation
In May 2019, the Government of the United Kingdom launched a consultation on regulatory proposals for consumer IoT security, which concluded in June 2019. The consultation found that there was a need to restore transparency within the market, with a focus on the need for manufacturers to be more transparent about what security requirements were built in to IoT devices. In February 2020, the UK Government presented its response to the consultation through a legislation which comprises three main security requirements for IoT manufacturers: IoT device passwords must be unique and not resettable to any universal factory setting, manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy, and finally, manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates. Achieving compliance with these three standards ensures consumers are being given important protection against the most basic vulnerabilities of IoT devices.
The UK Government’s response to the consultation can be found here.
Consumer International Trust by Design Guidelines
Consumers International has published a set of principles and guidelines to help manufacturers create safe and trusted consumer IoT devices. The Trust by Design principles and accompanying guidelines set out requirements across six areas, to ensure the security, privacy, transparency, user-friendliness and ethical nature of smart devices. The guidelines include a checklist, which manufacturers can use to ensure that their consumer goods are Trust by Design approved, and useful case studies which can help manufacturers with their implementation.
The full report, its guidelines and checklists can be found here.
Singapore’s Infocomm Media Development Authority – IoT Guidelines
Singapore’s Infocomm Media Development Unit (IMDA), a statutory board of the City State’s Government, published a practical guide for IoT developers, providers and users, which focuses on the security aspects of developing and operating IoT systems. The guide gives baseline recommendations on both the implementation and operational phase for IoT projects, which include employing strong cryptography, protecting impactful systems data, conducting threat modelling, enforcing proper access controls, preparing for and protecting against attacks and conducting periodic assessments. The guide also includes a practical checklist, which can guide users to the process of threat modelling.
IMDA’s full report can be found here.
Japan Ministry of Economy, Trade and Industry – IoT Security Guidelines
In July 2016, the IoT Acceleration Consortium set up by Japan’s Ministry of Economy, Trade and Industry (METI), released a set of IoT Security Guidelines based on the “Security by Design Principle.” The Guidelines were envisaged to help IoT manufacturers take proactive actions to secure IoT and to create an environment where users can utilize IoT devices, systems, and services securely. The Guidelines are based on five principles: (i) establish a basic policy with consideration of the nature of the IoT; (ii) recognize risks on IoT; (iii) consider a design to protect what should be protected; (iv) consider security measures on network side; and (v) maintain a safe and secure state and dispatch and share information. Each principle includes a list of 4-5 security measures that manufacturers and users should follow to ensure IoT cybersecurity. The Guidelines were designed with a broad list of target readers including device manufacturers, system providers, service providers, corporate users as well as general users.
You can find METI’s IoT Security Guidelines here.
Australian Cyber Security Centre – of Practice for Securing the Internet of Things for Consumers
The Australian Department of Home Affairs, together with the Australian Signals Directorate and the Australian Cyber Security Centre have released a voluntary Code of Practice for manufacturers of IoT devices. The Draft Guidelines, released in November 2019, are meant to provide industry standards for Australian manufacturers and comprise of 13 principles that are set to improve the security of IoT devices. The first three principles are the highest priority and include: setting unique, unpredictable, complex and unfeasible to guess passwords; providing a public point of contact as part of a vulnerability disclosure policy in order to report issues; and keeping software timely updated. The Draft Code of Practice has just undergone a consultation period which ended on 1 March 2020.
The Draft Code of Practice can be found here.
European Union Agency for Cybersecurity – IoT Security Good Practices
The European Union Agency for Cybersecurity (ENISA) released the Good Practices for Security of IoT report, aimed at promoting the security by design of IoT products. The report has a particular focus on guidelines for software development, a key aspect for achieving security by design of IoT devices and outlines good practices in the Software Development Life Cycle of IoT systems. This entails ensuring the security of the entire IoT ecosystem (devices, communications, networks, cloud, etc.) in order to bolster the security of the development process, resulting in devices that are fundamentally more secure.
The full report can be found here.