February 15th 2022
Today, IoTSF joins forces with global cybersecurity leaders in calling on device manufacturers and vendors to take immediate action on basic security provisions. We fully support the aims of the Consumer IoT Security Statement of Support signed by approximately 100 organisations including IoTSF and its members. The essential statement reads:
As a global community representing a diversity of interests and expertise, we collectively endorse these five capabilities in particular – (1) No universal default passwords; (2) Implementing a vulnerability disclosure policy; (3) Keeping software updated; (4) Securely communicating; and (5) Ensuring that personal data is secure – as a global baseline
The statement is led by the Cybersecurity Tech Accord, Consumers International and I Am The Cavalry, and convened through the World Economic Forum’s Future of the Connected World Global Action Plan and the Centre for Cybersecurity.
The full statement can be found on the Cybersecurity Tech Accord website at cybertechaccord.org/industry-hackers-and-consumers-for-a-global-baseline-for-consumer-iot-security
We’re here to help:
IoTSF is a keen activist in driving up cybersecurity standards and improving the quality of solutions, and has been since we were founded in 2015. All of our activity is designed to make the digital world a safer place to connect to and keep our members on the front foot. IoTSF leads in the pre-standards and pre-regulatory zone – as the regulations and standards generally fail to move at market speed (and for good reason). As part of this endeavour, we have supported the emerging international standards, regulatory and labelling work that addresses commodity attacks and builds on common foundations. These foundations start with the three most common elements of:
- No universal default passwords
- Providing a means to report vulnerability &
- Keeping software security up to date
Each of the ‘top 3’ provisions is supported by a series of quick guides and on-demand webinars available from the IoTSF website along with a Vulnerability Disclosure Best Practice Guide – all available for free download from the IoTSF website publications section. See side-bar for links or navigate to the Consumer IoT Resource Page or the Publications Page.
This latest statement adds two more requirements to form the baseline:
- Secure Communications &
- Ensuring that personal data is secure
So today is a milestone moment: it signifies a new baseline and represents an accumulation of a great deal of work by many stakeholders, heralding a global point of consensus.
And there will be more to follow…
Security is never done as it is a constant competition between the nefarious with malicious intentions, and those of us striving for a safe and secure world – what we like to refer to as ‘the super blue team’. This means security needs long-term thinking, on-going maintenance and successive upgrades. It requires many collaborating players including developers, entrepreneurs, blue-chips, policy makers, governments and even users.
IoTSF also publishes the highly popular Secure Design Best Practice Guides – a concise collection of security practices – and the IoT Security Assurance Framework, which supports the baseline and standards work in greater, practical detail. The Framework also has an actionable tool to help manufacturers self-master and ensure greater coverage. These resources are co-developed and maintained by security experts and product personnel to ensure they remain usable and fresh – they’re also free to download so what’s not to like?
The latest versions of all our materials can be downloaded from the publications page: https://www.iotsecurityfoundation.org/best-practice-guidelines/
In conclusion 1,2,3:
- If you’re a manufacturer or vendor – there is no place in the digital world for products with poor security features – provision good security.
- If you’re a purchaser, know your suppliers – don’t buy insecure products or services – specify security objectives in your purchase orders.
- If you’re a user – it can be as simple as having a strong password and updating your software – use and maintain the security features of your products.
Or to put it another way: Build secure, Buy secure, Be secure.