New code of practice seen as a step in the right direction, but more needs to be done to improve the security of connected devices

The UK government’s new code of practice for Internet of Things (IoT) devices has been widely welcomed as a step towards implementing security by design – though many within the industry say it doesn't go far enough to protect consumers or organizations.

Introduced last week, the voluntary code consists of 13 basic guidelines, including avoiding default passwords, keeping software updated, storing credentials securely, and minimizing exposed attack surfaces.

Security professionals contacted by The Daily Swig are giving the code cautious approval. However, its non-compulsory nature is a concern for many.

“While it’s certainly a step in the right direction that the UK government has issued a new code of practice to help manufacturers improve the security of internet-connected devices, it's unlikely that the industry will act upon it, given that it is voluntary,” warns John Sheehy, vice president of strategy at security firm IOActive.

This view is one echoed by Bharat Mistry, principal security strategist at Trend Micro, who would like to see a certification process similar to the CE mark.

“The industry needs to go a lot further, as currently we’re only seeing the big tech players signing up,” he told The Daily Swig. “In reality, it’s the small niche vendors of IoT devices that pose the most risk.”

The code of practice was released by the British government last week after an initial draft appeared in its Secure by Design report, published in March of this year.

It was drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) to encourage manufacturers to secure their products before putting them on sale.

But there is a danger that suppliers will cut corners in their rush to market, suggests Andy Kays, CTO at threat detection and response firm Redscan.

“New features and services are driving sales, not robustness,” he said. “Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible.”

Others query how far down the supply chain the code will be applied.

“The vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations,” Matt Walmsley, EMEA director at AI security firm Vectra, told The Daily Swig.

Hewlett Packard (HP) and Centrica Hive are the first companies to pledge their commitment, aiming to fully implement the standards by 2021.

Only time will tell whether the voluntary code will be a success with other British companies.

All in all, though, the move is welcomed by the industry as a promising first step.

“Manufacturers have a responsibility to implement security by design into smart devices – and the government code of practice will provide positive encouragement,” said David Emm, principal security researcher at Kaspersky Lab.