The Daily Swig Web security digest

Secure by Design: UK gov’t issues IoT guidelines

James Walker | 07 March 2018 at 17:03

New measures aim to boost cybersecurity in millions of ‘smart’ devices.

The UK government has issued new guidelines aimed at improving the safety of IoT-enabled devices following a spate of security breaches over recent months.

Developed in collaboration with the National Cyber Security Centre (NCSC), manufacturers and retailers, the Secure by Design review lays out plans to embed security in the IoT design process, rather than bolt it on as an afterthought.

“Poorly secured devices threaten individuals’ online security, privacy, safety, and could be exploited as part of large-scale cyber-attacks,” read a government release published earlier today.

“Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras, and children’s dolls.”

Draft Code of Practice

The Secure by Design review contains numerous guidelines for IoT device manufacturers, including calls for all passwords to be unique and not resettable to a universal factory default value.

Companies involved in the provision of internet-connected devices must also ensure software is kept updated, whilst maintaining a vulnerability disclosure policy and cybersecurity point of contact.

In addition, customer credentials must be encrypted and stored securely within services and on devices.

‘A small step in the right direction’

Although the Secure by Design report is not a legislative document, the government said it is working to implement a “rigorous” new code of practice to improve the cybersecurity of consumer internet-connected devices, while continuing to encourage innovation in new technologies.

Commenting on the launch of the guidelines, Ian Levy, the NCSC’s technical director, said: “The NCSC is committed to ensuring the UK has the best security it can, and stop people being expected to make impossible safety judgements with no useful information.

“Shoppers should be given high quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cybersecurity of technology products.”

For Richard Parris, CEO of Intercede, the new Secure by Design review marks a “small step in the right direction” when it comes to improving the security of IoT devices, but he expressed doubts as to whether all manufacturers will take heed of the guidelines.

“It’s great to see the government recognizing that, for far too long, security has remained an afterthought rather than a key component in IoT product design,” he said.

“Given these are voluntary guidelines, I’m not optimistic that they will be followed by manufacturers around the world. For consumers to trust the innovations they use, and to ensure that tomorrow’s IoT devices don’t impact on critical communications infrastructure, we need buy-in from all companies involved.”

James Lyne, head of research and development at the SANS Institute, said the guidelines address some of the “most important areas” of IoT device security. Like Parris, however, he agreed that there is a need to “go further to develop a trustworthy and lower risk IoT space”.

“I hope to see these guidelines bolstered with greater specifics on security testing and even guidelines on requirements and timeframes to rectify issues – much as we see in other consumer protection constructs,” Lyne said.