New code of practice seen as a step in the right direction, but more needs to be done to improve the security of connected devices.
The UK government’s new code of practice for Internet of Things (IoT) devices has been widely welcomed as a step towards implementing security by design – though many within the industry say it doesn’t go far enough to protect consumers or organizations.
Introduced last week, the voluntary code consists of 13 basic guidelines, including avoiding default passwords, keeping software updated, storing credentials securely, and minimizing exposed attack surfaces.
Security professionals contacted by The Daily Swig are giving the code cautious approval. However, its non-compulsory nature is a concern for many.
“While it’s certainly a step in the right direction that the UK government has issued a new code of practice to help manufacturers improve the security of internet-connected devices, it’s unlikely that the industry will act upon it, given that it is voluntary,” warns John Sheehy, vice president of strategy at security firm IOActive.
This view is one echoed by Bharat Mistry, principal security strategist at Trend Micro, who would like to see a certification process similar to the CE mark.
“The industry needs to go a lot further, as currently we’re only seeing the big tech players signing up,” he told The Daily Swig. “In reality, it’s the small niche vendors of IoT devices that pose the most risk.”
The code of practice was released by the British government last week after an initial draft appeared in its Secure by Design report, published in March of this year.
It was drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) to encourage manufacturers to secure their products before putting them on sale.
But there is a danger that suppliers will cut corners in their rush to market, suggests Andy Kays, CTO at threat detection and response firm Redscan.
“New features and services are driving sales, not robustness,” he said. “Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible.”
Others query how far down the supply chain the code will be applied.
“The vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations,” Matt Walmsley, EMEA director at AI security firm Vectra, told The Daily Swig.