March 7th 2018
The UK’s Department of Digital, Culture, Media and Sport (DCMS) published its Secure by Design Report today for improving the cyber security of consumer IoT. [www.gov.uk/government/publications/secure-by-design].
Naturally it is a development that we welcome at the Foundation and we have been active contributors through this first consultation occupying positions as industry practitioners, and also sitting on the Expert Advisory Board.
The subject matter of the report supports the broader aim of the UK’s Digital Charter for creating a free, open, peaceful and secure cyberspace as Government has the ambition to make the UK the safest place in the world to be online. It is therefore taking a number of measures to realise that ambition which also include the creation of the National Cyber Security Centre (NCSC), officially opened February 14, 2017.
Currently, the situation for online security and privacy is of concern to many – for example one in ten adults have fallen victim to online crime, usually financial fraud. And as we connect the infrastructure of our homes, offices, roads, hospitals and industry into the “Internet of Things”, cyber security breaches have the potential to cause not just financial loss but physical harms including injury and death. Other countries have suffered cyber-attacks on their infrastructure, and there have been many recent scare stories about consumer gadgets and toys being sold with laughably poor security. It is vital therefore that suppliers of goods and services take the same care about the security of their online gadgets and services, as they are required to do for their physical safety.
Industry Take Note!
Whilst Government is keen to have industry take the lead on ensuring internet connected “products and related services” are safe, it provides a clear signal that it will look to enforce regulation if safeguards are not widely adopted voluntarily.
Naturally we agree with this position, yet favour voluntary means – this was why the IoT Security Foundation was established – included in our charter are raising awareness, education and providing pragmatic best-practice guidance and assessment tools. We believe the proposed Code of Practice will help our shared mission.
The UK Government proposed Code of Practice
The Code of Practice identifies 13 priority principles that manufacturers, service providers, app developers and retailers should follow when they develop, make and supply IoT products and services (see side bar). A common thread that runs throughout the report is the need to gain consensus from all stakeholders. We know this is vital as security is a collaborative endeavour and, for effective defence, we all need to play a part. Each part of the supply chain should make sure that their suppliers follow good security practice; apply it themselves; and be ready to satisfy their customers’ requirements for security – both expressed and tacit. We call this a “Supply Chain Of Trust”.
But, for companies finding their way in the IoT for the first time, security is often a closed book, and translating Principles into actions is not so obvious. To help translate the Principles into the management controls needed, we have produced an Application Note (see side bar to download) which directly maps the Code of Practice to the IoT Security Foundation Compliance Framework. Comprehensive security solutions are composed of people, process and technology considerations hence the Framework has elements aimed at all the key departments of a company – from developers through procurement, manufacturing, marketing, sales, and operations to boards of directors. As well as the Compliance Framework, we have also published a set of simple, easy to understand guidance sheets that can be used as a daily reminder of good practice.
And it does not stop there. We’ve discussed the need for international collaboration at IoTSF many times – indeed we hold the notion of a “global security accord” for cyber hence we’re also delighted that the report specifically mentions building an international consensus.
Needless to say, we will continue to work with DCMS and other kindred spirits, in a bid to meet our mutual agenda of making it safe to connect – collaboratively – globally – by building, buying and being secure.
Code of Practice
In priority order:
1) No default passwords
2) Implement a vulnerability disclosure policy
3) Keep software updated
4) Securely store credentials and security-sensitive data
5) Communicate securely
6) Minimise exposed attack surfaces
7) Ensure software integrity
8) Ensure that personal data is protected
9) Make systems resilient to outages
10) Monitor system telemetry data
11) Make it easy for consumers to delete personal data
12) Make installation and maintenance of devices easy
13) Validate input data