IoT firms sign up to UK security code of practice

Internet of things technology firms have begun signing up to a UK code of practice to strengthen the security of internet-connected devices. The code is expected to form the basis of an international standard.

The UK has published a voluntary code of practice (CoP) to help manufacturers boost the security of internet-connected devices that make up the internet of things (IoT).

The first of its kind in the world, the Secure by Design CoP was developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).

The CoP was developed with the support of government departments, academic partners, device manufacturers and retailers in conjunction with a public consultation on a draft proposal published in March 2018 to address the security vulnerabilities in IoT devices, such as smart watches, TVs, alarm systems, fridges, toys, speakers and fitness trackers.

While the final version of the CoP is largely unchanged from the draft version, it has been revised to ensure compliance with the EU’s General Data Protection Regulation (GDPR) and the UK’s new GDPR-aligned Data Protection Act to facilitate regulatory implementation in future.

Although the CoP is aimed at consumer products, the government hopes it will establish standards and principles that will filter through to the industrial, enterprise and other IoT markets. Also, government departments plan to engage with individual sectors about industry-specific IoT security issues.

In light of the fact that IoT security is an international problem, the UK government is working with counterparts and standards bodies in countries such as the US, Canada, France, New Zealand and Australia. To further aid these efforts, the CoP has been translated into French, German, Spanish, Korean, Japanese and Mandarin.  

Badly secured IoT devices have already been implicated in a number of high-profile cyber security events that compromised consumer data. In early 2017, for example, more than 800,000 owners of a connected teddy bear had their data exposed because of a poorly secured MongoDB database, while hundreds of thousands of other devices are still being co-opted into damaging IoT botnets.

There are expected to be more than 420 million internet-connected devices in use across the UK alone within the next three years that could provide gateways for cyber attacks if there is no industry action. 

In view of the risk posed by IoT devices, the UK is leading global efforts to improve the security of internet-connected devices by encouraging device makers to embed security into the design of new technology rather than bolt it on afterwards.  

Tech companies HP and Centrica Hive are the first to commit to implementing the CoP by 2021. The code is aimed at encouraging innovation while keeping consumers of technology safe by addressing potential security vulnerabilities at the design stage.

Although the CoP is voluntary, incentives to implement it include GDPR compliance, avoidance of any connection with future data breaches and cyber attacks, and organisations’ desire to protect their consumers and brand reputation.

Cabinet Office minister David Lidington said the UK’s National Cyber Security Strategy sets out ambitious plans to defend citizens, deter adversaries and develop capabilities to ensure the UK remains the safest place to live and do business online.
 
“Tech companies like HP and Centrica Hive are helping us put in place the building blocks we need to transform the UK’s cyber security,” said Lidington.
 
“I am proud to say the UK is leading the way internationally with our new code of practice, to deliver consumer devices and services that are secure by design.”

Minister for digital Margot James said: “From smartwatches to children’s toys, internet-connected devices have positively impacted our lives, but it is crucial that they have the best possible security to keep us safe from invasions of privacy or cyber attacks.

“The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.
 
“The pledges by HP and Centrica Hive are a welcome first step, but it is vital that other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is developed.”

The CoP is intended to reduce the burden on consumers so that they do not have to make security decisions when buying and setting up IoT devices. Until the CoP is adopted more widely, however, consumers still need help with purchasing decisions, so the DCMS and the NCSC have worked closely with consumer groups and industry to develop guidance on smart devices in the home. The guidance also helps consumers and retailers set up and use IoT devices securely.

The CoP outlines 13 outcome-based guidelines for manufacturers of consumer devices to help ensure their products are safe for consumers to use.

The guidelines cover matters such as the storage of personal data, regular software updates to make sure devices are protected against emerging security threats, avoiding default passwords, and making it easier for users to delete their personal data from the product. 

NCSC technical director Ian Levy said that with the number of connected devices expanding constantly, this world-leading code of practice could not have come at a more important time.

“The NCSC is committed to empowering consumers to make informed decisions about security, whether they’re buying a smart watch, kettle or doll,” he said. “We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime.”

Mapping document

The UK government has also published a mapping document for existing standards and regulation to make it easier for other manufacturers to identify what they need to do to implement the CoP and follow the lead of HP and Centrica Hive.

Further work is also under way with the European Telecommunications Standards Institute (Etsi) to develop an international standard and regulation to strengthen the security of internet-connected consumer products. The Etsi IoT standard based on the CoP is expected to be finalised in early 2019.

As part of this process, the NCSC is engaging with retailers to discuss the idea of developing a labelling system so that consumers can tell at a glance that a product conforms to the CoP on matters such as providing ongoing security support.

Implementing the code of practice can help organisations ensure that smart devices that process personal data are compliant with the stronger data protection laws that came into force in May. Failure to comply with the GDPR means firms could risk fines of up to £17m, or 4% of their global turnover, for the most serious data breaches.

Seb Chakraborty, Centrica Hive’s chief technology officer, said that meeting customers’ privacy and data protection expectations is a priority.

“We invest heavily in the security of our products and are delighted to support the government in this global step forward, building strong security measures into devices at the point of design,” he said.

George Brasher, UK managing director at HP, said cyber crime has become an industry and IoT “endpoint” devices increasingly constitute the front line of cyber security.

“At HP, we are reinventing the state of the art in device security to address modern threats,” he said. “We design our commercial products with security built-in, not bolted on, not only designed to protect, but also to detect and self-heal from cyber attacks.

“We are delighted to be joining forces with the UK government in our shared ambition to raise the bar broadly in consumer IoT device security, starting with the connected printers we are all used to at home.”

This initiative is a key part of the government’s five-year, £1.9bn National Cyber Security Strategy which is aimed at making the UK the most secure place in the world to live and do business online, in part through funding research and innovation in the IoT, including the three-year £30m IoT UK Programme.

Significant steps

Ollie Whitehouse, global chief technical officer at NCC Group, said that since the publication of the draft CoP in March, significant steps have been made, with initiatives launched on both national and international scales. 

“But the UK’s pragmatic and comprehensive response means that we have solidified our position at the forefront of IoT security,” he said. “Today’s revisions are further evidence of the DCMS’s commitment to ensure that the code remains relevant as IoT technology, and its vulnerability to new threats, continue to evolve. 

“Although challenges still remain within the realm of connected devices, it is encouraging to see the solid foundations that have been laid by the DCMS and the NCSC. It is now up to all of us to think further about how we drive the adoption of the code’s principles and encourage investment in the security development lifecycle from the outset, in order to secure smart devices now and in the future.

“By committing to this, adopting assurance and TrustMark schemes, along with meeting procurement requirements, manufacturers will be making a good start.

“Improving cyber resilience across the IoT is not only increasingly important for consumers, but also for industries that utilise these devices in their own environments, especially when these concern critical infrastructures.”

Whitehouse added: “Ensuring the robustness of the code so that everyone can trust it is therefore essential for safeguarding the UK as a whole from modern-day threats. We hope that other governments will now take note of the UK’s leadership on this matter and adopt similar principles.”

oh dear. I wonder why DCMS went to 'Thing Makers', rather than 'System Builders'? The economic motivations for the former are all wrong to get any reasonable security. The latter can make it happen.

Reading some of the guidelines highlights some of the gaps that are well addressed by academic research, e.g. the conflicting advice to consumers of "use secure passwords"/"don't write down passwords", vs a requirement on Thing Makers: use passwordless designs.