The UK Department for Digital, Culture, Media and Sport (DCMS) announced last week that it is launching a consultation on how it can regulate industry to better secure IoT devices.

Digital Minister Margot James said that whilst the government had hoped a voluntary approach to IoT security would work, over time this has proven not to be the case. The government continues to see “significant shortcomings in many products in the market”. Its aim is to “restore transparency within the market” and to ensure “manufacturers are clear and transparent with consumers by sharing important information with consumers”.


What will the legislation include?

The plans for the new law include the top three security requirements as already set out in the current Secure by Design code of practice, aimed at IoT device manufacturers:

  1. IoT device passwords must be unique and not resettable to any universal factory setting.
  2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
  3. Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.


Default Passwords… I’ve got déjà vu!

Shipping products with default passwords is a persistent problem with IoT devices. If a device uses a default password such as ‘admin’ or ‘1234’, an attacker needs only seconds to gain access. The resources required to manage passwords for hundreds, thousands or even millions of devices can be difficult to support; however, where security and safety are involved, it is crucial. [Pssst - This is why we developed our Automated Password Management (APM) solution for IoT devices. APM automatically replaces the manufacturer default with managed local account passwords on each device, and enforces password rotation policies, which dramatically reduces the attack surface created by static passwords.]


Vulnerability Disclosure Policy

What happens when someone discovers a security issue in a connected product? Having a process for reporting vulnerabilities is important – it allows them to be acted upon sooner rather than later, and consumers to be notified of the risks. The IoT Security Foundation has published best practice guidelines for Vulnerability Disclosure which are worth a read.


Security Software Updates

Delivering an IoT device to the user with software pre-installed is not enough. Updates are required to fix bugs and vulnerabilities in the device. It is important that updates are pushed and delivered to devices securely, so that only trusted software is installed. The security management plane must be able to control which parties may update a device, verify the source and integrity of the update image, and validate the integrity of the updates themselves before they are applied. [Yep, we have a secure updates solution for this too.]


The consultation on regulatory proposals is a positive step towards legislation for IoT security. However, in our experience the three requirements above are only the start. For industries or IoT use cases that require a more robust IoT security foundation, such as medical devices and smart factories, a wider end-to-end security architecture is needed.


Reflecting on the current Secure by Design code of practice

Last year (2018), UK DCMS published a code of practice for Secure by Design which aims to shift the burden of IoT security from the consumer or end user to other parties, including device manufacturers, IoT service providers and application developers, in an effort to improve security and ultimately safety. The 13 sections of the code of practice focus on the need for security, privacy and safety for individuals and their personal data, while also recognising the threat of cyberattacks launched from compromised IoT devices.

The guidance and recommendations provided are supported by Device Authority. Our KeyScaler platform can help with the majority of the 13 sections. In fact, we encourage a Secure by Design approach through our Enterprise IoT Security Blueprint which provides an architecture for best practice in IoT security.

Rosa Lenders