The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have published a new voluntary Code of Practice to boost the security of IoT devices.
The measures form the world’s first national directive aimed at boosting the security of internet-connected devices, such as home alarm systems, fridges, and toys.
Tech companies HP and Centrica are the first firms to commit to the new manufacturing code.
DCMS and NCSC have also published a mapping document to make it easier for other manufacturers to see how the firms are implementing the new standards.
Internet of Secure Things
The volume of connected devices worldwide is booming and is set to herald a new era of industrial and public sector productivity and efficiency, in addition to providing consumers with a range of new interactive products. In the UK alone there are expected to be more than 420 million devices active within the next three years.
Cybersecurity experts have been warning for some time that these devices, such as virtual assistants, toys and smartwatches, can leave people and their home networks vulnerable to attack, and society as a whole exposed to large-scale cyber attacks.
The new code of practice incorporates most of the recommendations set out in the government’s Secure by Design report earlier this year and was developed in consultation with consumer groups, industry, and academic partners. Additional measures to help facilitate GDPR compliance have been added.
The CoP outlines thirteen guidelines, including personal data storage requirements, regular software updates to ensure continuous security, and the elimination of default passwords. The full thirteen guidelines can be read in the new 24-page report.
Margot James, Minister for Digital, said the UK is ‘taking the lead’ on product safety and shifting security responsibility to manufacturers.
“The pledges by HP Inc. and Centrica Hive Ltd are a welcome first step but it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed,” she added.
Dr Ian Levy, the NCSC’s Technical Director, said the new measures ‘couldn’t have come at a more important time’.
“We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime,” he said.
Jamie Bennett, VP of IoT and Devices at Canonical, said that while the code is a good start, it could go further.
“The fact this code is voluntary means consumers will continue to be at risk, because mistakes or negligence do happen – that’s the nature of software. Businesses need to be at the forefront of security and adopt a culture of ongoing protection from the point of design and manufacture,” he said.
“If the government does go the extra step to actively enforce the 13 guidelines then even better, but every IoT manufacturer should start with the OS and build from there with security in mind,” he added.
By publishing these measures, the UK government hopes to accelerate the country’s status as an international leader in the development and uptake of IoT.
As part of the strategy, the government funded a £30 million IoT research and innovation programme.