Building a slide deck, pitch, or presentation? Here are the big takeaways:
- The UK government has presented security guidelines for IoT device makers that include the elimination of default passwords, secure credential storage, and more.
- The UK government’s “Secure by Design” policy report aims to shift the burden of IoT security from the end user to the manufacturer, in an effort to improve protections.
In an effort to improve Internet of Things (IoT) security, the UK government recently released a report calling for an end to default passwords, more transparency in vulnerability disclosure, and secure credential storage, among other best practices.
The report–officially titled Secure by Design: Improving the cyber security of consumer Internet of Things Report–was published in response to what the government sees as a growing security threat in IoT.
At its core, the report is predicated on the proliferation of two distinct risks: “consumer security, privacy and safety is being undermined by the vulnerability of individual devices; and the wider economy faces an increasing threat of large scale cyber attacks launched from large volumes of insecure IoT devices,” the report said.
SEE: Internet of Things policy (Tech Pro Research)
As such, the authors sought to provide some guidelines as to what constitutes proper IoT security. The report lists 13 total priorities in order of importance.
The top three practices should be regarded “as a matter of priority,” the report said. The first is to eliminate any default passwords and force each user to create unique credentials for their device. Secondly, manufacturers must create a vulnerability disclosure policy in which they notify consumers of risks in a timely manner. Third, software updates should be provided for a relevant period of time after a device’s sale, and there should be a clear end-of-life policy, the report said.
While not in the top three, the following recommendations are still important. Next in line is to implement secure storage of credentials and security-sensitive data, the report said. Encrypted, secure communications are also recommended.
Operating on the “principle of least privilege,” device makers should seek to minimize attack surfaces as much as possible. They should also ensure software integrity, and guarantee that personal data is protected, the report said.
Being that many people’s daily lives rely so heavily on connected devices, the report recommends that IoT systems be resilient to outages. It also recommends monitoring system telemetry data, while also making it as easy as possible for consumers to delete personal data if they want to.
Finally, the report noted that IoT leaders should make installation and maintenance of devices easy and validate user input, whether its coming through an API or not.
While the guidelines presented in the report are a step in the right direction, they’re currently just suggestions, and won’t be enforced by any regulatory body. Because of that lack of enforcement, and the business need to be first to market, it’s likely that many businesses may avoid these practices for the sake of competitive agility, as noted by Danny Palmer of our sister site ZDNet.