The UK government claims to be leading the way with a newly released Code of Practice (CoP) designed to drive security-by-design in the manufacture of IoT products.
Developed in partnership with the National Cyber Security Centre (NCSC), the ICO and others, the "world first" CoP aims to improve baseline security in the sector and ensure smart devices that process personal data are aligned with the GDPR.
It’s focused initially on the consumer space.
HP and Centrica Hive are the first two IoT-makers to sign up, and the government hopes its accompanying mapping document, which cross-references the code's guidelines against existing industry standards and recommendations, will make it easier for others to follow.
Regulation is also being developed to improve the security of consumer-grade IoT products, according to the government.
The move can be seen as a response to the risks posed to individuals and businesses from unsecured consumer IoT devices, as exploited most famously by the Mirai botnet attacks of 2016.
It also comes as the British Standards Institution (BSI) readies a new Kitemark scheme for consumers and businesses to help them better identify products they can trust to be reliable and secure.
The CoP received a cautious welcome from security experts, but many argued it doesn’t go far enough.
“A code of practice is a step in the right direction, but more needs to be done. The industry should follow best practices and self-regulate, before regulators put a static, cumbersome device security framework in place,” argued John Sheehy, VP of strategy at IOActive.
“Security must be built in from the design phase of any new connected device. It cannot be an afterthought, which only makes it more costly to the manufacturer. Until the industry takes a long-term view on cybersecurity risk or faces material financial consequences, we are likely to see things get worse before they get better.”
Andy Kays, CTO at Redscan, added that global standards are needed to improve IoT security across the development lifecycle.
“Right now, cybersecurity is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible,” he added.
“Retailers need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognized security standards.”
Matt Walmsley, EMEA director at Vectra, was sceptical of the CoP’s impact.
“Voluntary codes of practices will likely only attract organizations who are already proactive and bought into addressing the issues the CoP seeks to address,” he argued.
“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”