IoT Security by Design
The Internet of Things (IoT) has a poor reputation when it comes to cyber security. Manufacturers and IoT service providers often do not implement appropriate safeguards. Businesses and consumers typically neither change the default passwords nor update the pre-installed software.
IoT security is too easy to ignore. What could happen with these IoT devices if they are not properly secured?
U.K. Code of Practice
The U.K. Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have published new measures in a 24-page document to combat the insecurity of Internet of Things products for consumers. The document, "Code of Practice for Consumer IoT Security," is also relevant for industrial and business IoT security. The document's focus is to deliver IoT products that embed security by design, rather than as an add-on afterthought.
IoT products deliver a range of technologies that have become increasingly common in businesses, manufacturers, and homes, making industry more efficient and safer and people's lives easier and more enjoyable. We entrust ever more data to online devices and services. The cyber security of these products is as important as their physical security. This document's guidelines can help all parties ensure that products are secure by design and stay secure in a digital world.
Who is Impacted?
Those who provide products and services supporting IoT are the stakeholders who should sign on and abide by the code of practice. The stakeholders include:
- IoT device manufacturers -- These are organizations that produce the assembled Internet-connected products (hardware and software) which may contain the products of other manufacturers.
- IoT service providers -- These are businesses that provide services that include networks, cloud storage, and data transfer. These may be packaged as part of IoT solutions as well as Internet-connected devices offered as part of the service.
- Mobile application developers -- These are businesses that develop and provide applications which operate on mobile devices. These may be offered as a means of interacting with IoT devices.
- Retailers -- These are the marketers and sellers of Internet-connected products and services.
13 Code Guidelines to Follow
The following guidelines should be verified by the customer when IoT devices are purchased and/or IoT services are subscribed to.
- Default passwords -- Many IoT devices are being sold with universal default usernames and passwords. The customer is expected to change the password before use. All IoT device passwords shall be unique and not resettable to any universal factory default value.
- Vulnerability disclosure policy -- Anyone who offers Internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy. This allows security researchers and others to report issues in a timely manner.
- Software updates -- Software resident in Internet-connected devices should be securely updateable. Updates should not impact the functioning of the device and should be delivered in a timely manner.
- Store credentials and sensitive data securely -- Any credentials should be securely stored within IoT services and devices. Hard-coded credentials are not acceptable in device software.
- Secure communications -- Using open, peer-reviewed Internet security standards is highly recommended.
- Limit exposed attack surfaces -- Security-sensitive data should be encrypted when communicating, including any remote management and control. All keys should be securely managed.
- Software integrity -- IoT device software should be verified using secure boot mechanisms. When an unauthorized change is detected, the device should alert operators to the issue. In doing so, the device should not connect to wider networks than necessary to deliver the alert.
- Data protection -- IoT device manufacturers and service providers shall provide clear and transparent information about how the organization's data will be used, by whom, and for what purposes, for all devices and services. This applies to any third parties as well.
- Deliver resilient operation -- IoT services should continue operating even when there is a loss of network connectivity, and they should recover cleanly when power is restored. IoT devices should return to network operation in a sensible state and in an orderly fashion.
- Telemetry data -- Usage and measurement data should be monitored for security anomalies.
- Data ownership and deletion -- Who owns the collected data? IoT devices may change ownership and may be recycled or disposed of. Mechanisms should be provided that allow the consumers (if they're covered by GDPR or CCPA regulations) and businesses to remain in control and remove data from services, devices and applications (see "First GDPR, and Now CCPA").
- Easy device installation and maintenance -- IoT device installation and maintenance should require few steps and follow security best practices.
- Data input validation -- Data input through user interfaces, and data transferred by APIs or between networks in services, will be validated.
When you select IoT products and services, provide a copy of these guidelines to your vendors and providers. Ask them how they respond to the guidelines and whether there are any they do not adopt. Those who do not adopt the guidelines should not be considered appropriate vendors or providers.