UK Government Publishes IoT Security Code of Practice

The UK Government has published an IoT Code of Practice draft code, which would help ensure better data security while using IoT devices.

The draft is part of a report titled Secure by Design, published by the Department for Digital, Culture, Media & Sport. The report begins with a Foreword by Margot James, Minister for Digital and Creative Industries, who says- “Increased connectivity via the internet of things (“IoT”) provides fantastic opportunities for the UK. A key part of this Government’s ambition is to expand on the aspirations set out in our Digital Strategy through enhancing our status as an international leader in the development and uptake of IoT. However, we must ensure that individuals are able to access and benefit from connected technologies safely, confident that adequate security and privacy measures are in place to protect their online activity. The recent Mirai and WannaCry attacks, which affected core public services and used internet connected devices to breach private companies, reinforce the need for effective cyber security as part of our digital economy…I am delighted to be publishing this report, which advocates a fundamental shift in approach to moving the burden away from consumers having to secure their internet connected devices and instead ensure strong cyber security is built into consumer IoT products and associated services by design. ”

The report focuses on how it can be ensured that consumer internet-connected products and associated services are secure and also discusses the rights and responsibilities of consumers as well as the industry. It discusses various aspects of IoT security; it says that with IoT devices being rampantly used now, there are two kinds of risks that we face now. On the one hand, IoT devices being vulnerable, it undermines consumer security, privacy and safety while on the other hand, insecure IoT devices could mean an increasing threat of large-scale cyber attacks happening and affecting the wider economy.

The report executive summary says- “The central proposal of this report is a draft Code of Practice aimed primarily at manufacturers of consumer IoT products and associated services. It has been developed through extensive engagement with industry and subject matter experts and sets out thirteen practical steps to improve the cyber security of consumer IoT…The publication of this report, and particularly the draft Code of Practice, is intended to stimulate further dialogue with industry, academic institutions and civil society over the coming months. The Government needs to collectively balance the need to create effective incentives for manufacturers, the supply chain and retailers, while also continuing to encourage innovation in new technologies.”

It further says- “The Government’s preference would be for the market to solve this problem – the clear security guidelines we set out will be expected by consumers and delivered by IoT producers. But if this does not happen, and quickly, then we will look to make these guidelines compulsory through law. We will review progress throughout 2018.”

IoT security is a rather delicate area, with manufacturers tending to overlook security considerations in the rush to get products to the market. As per statistics provides by security consultants Gartner, by 2020, there will be an excess of 20 billion IoT-enabled devices around the world. It is basically factors relating to cost and size that make manufactures omit IoT security provisions. Thus, many IoT devices today have lots of vulnerabilities that hackers could easily exploit. But let’s remember that IoT security doesn’t just concern the security of an IoT device; a vulnerable IoT device would provide a hacker the chance to not just steal data from the device, but to carry out overall surveillance on the owner too. It could also give the hacker a chance to gain access to other devices in a network. IoT devices are increasingly being and hence widescale breaches of IoT devices could cause chaos on a large scale, even on the national level. Similarly, IoT security is important as it concerns the security of the UK’s critical national infrastructure and major industries.

It’s to address such issues that the UK government seeks to lay out its plan regarding IoT security and, if needed, come out with a law. The government also sees it as an international issue; the report says- “IoT security is a global challenge requiring global collaboration. The Government is working with our international partners and through international organisations to collectively take action to secure consumer IoT products and associated services at every stage of their lifecycle. ”

There are many security experts who consider that though it’s easy to discuss these things on paper, it would be harder in practice. There could also be countries that could refuse to fall in line on this issue. State-backed threat actors may continue to go against such policies, even if they are accepted on an international level. Thus, overall, it has to be said that IoT security is indeed a very delicate, rather complex area and it has to be handled with utmost care.