IoT Security Guidelines Published by UK Government
The UK Government has laid out clear-cut guidelines for IoT device manufacturers and has underlined security as a key issue.
A voluntary Code of Practice for consumer IoT security will be established under plans by the UK Government, according to a report.
These measures, described by the Department for Digital, Culture, Media and Sport as a “world first”, could set out clear-cut guidelines to boost security for devices such as home security systems, toys or fridges.
As households across the UK continue to incorporate connected devices, poorly secured products pose grave risks to consumers and organisations alike. There are expected to be more than 420 million internet-connected devices in use across the country within the next three years.
The initiative is a key component in the Government’s £1.9 billion National Cyber Security Strategy, which aims to make the UK the most secure place in the world to live and do business online.
The Code of Practice for Consumer IoT Security was developed by the DCMS in collaboration with the National Cyber Security Centre, with support from other Government departments, industry and academic partners.
Leading technology companies, such as HP and Centrica Hive, are among the first to commit to the code of conduct.
The DCMS has also worked closely with a number of consumer groups and industry incumbents to develop guidance for consumers.
Consumer watchdog Which? welcomed the announcement. Alex Neill, managing director of Home Products and Services, said: “We welcome the Government taking a lead in tackling the growing issue of security in internet-connected products. Manufacturers of these smart devices must now show they are taking security seriously and sign up to the Code to better protect consumers who use their products every day.”
The new Code of Practice outlines 13 guidelines that manufacturers of consumer devices should implement in their designs in order to keep consumers safe. These include the secure storage of personal data, regular software updates to ensure devices are protected and the removal of default passwords (which can often grant attackers easy access).
A number of industry bodies are currently developing security recommendations and standards for IoT. However, the report said its own recommendations were “designed to be complementary to and supportive of those efforts.”
Speaking on its commitment, HP’s UK managing director, George Brasher, said the company and the UK Government have a shared ambition to “raise the bar broadly” in consumer IoT device security.
“Today we design our commercial products with security built-in not bolted on, not only designed to protect, but also to detect and self-heal from cyber-attacks,” he said. “We are delighted to be joining forces with the UK Government in our shared ambition to raise the bar broadly in consumer IoT device security, starting with the connected printers we are all used to at home.”
Brasher added that, in an increasingly dangerous cybersecurity landscape, IoT devices are on the frontline and face growing threats.
“Cyber-crime has become an industry and IoT ‘endpoint’ devices increasingly constitute the frontline of cybersecurity,” he explained. “At HP, we are reinventing the state of the art in device security to address modern threats.”
The Government has also published a ‘mapping document’ to make it easier for other manufacturers and organisations to follow suit. The DCMS said that “further work” is currently underway to develop regulation that will continue to strengthen consumer products.
While cybersecurity is a key focus of the Code of Practice, so too is GDPR compliance. The implementation of these standards could help organisations ensure smart devices that process personal data are compliant with EU regulations introduced in May.
Failure to comply with GDPR means firms risk fines of up to £17 million or 4% of global turnover for the most serious data breaches. Recent high-profile breaches have raised the stakes for organisations using internet-connected devices – attacks on smartwatches, CCTV cameras and children’s toys have caused damaging losses for both consumers and organisations.
Dr Ian Levy, the NCSC’s Technical Director, said the “world-leading” Code of Practice “couldn’t have come at a more important time”.
Levy added that the long-term objective of these standards is to encourage retailers to only stock IoT devices that adhere to the principles laid out. In doing this, he claimed, consumers can incorporate such devices in their homes safe in the knowledge they will be properly supported and maintained.