After a period of significant public consultation, including consideration of submissions from over 4,000 organisations, on 3 September 2020, the Commonwealth Government of Australia released its Code of Practice: Securing the Internet of Things for Consumers (Code).
The Code sets out a voluntary set of 13 principles that vendors of Internet of Things (IoT) devices (as well as service providers in related fields, such as connectivity providers) can comply with, and is intended to act as a public reference point, so that vendors can specifically reference their compliance with particular principles. For instance, it is anticipated that vendors will promote their devices by saying, for example, "Our organisation has complied with principles X, Y, and Z of the Code of Practice: Securing the Internet of Things for Consumers".
Many of the principles will be familiar to those working in the cyber security fields, although some cross over into broader privacy and consumer protection related fields. Their purpose is to create a market where mass market IoT devices are fundamentally designed with usability and security in mind. This is of course of fundamental importance when you consider the anticipated explosion in IoT device sales over the coming years. With the market increasingly populated with connected versions of previously 'dumb' devices like vacuums, fridges and even security systems, there is an ever-increasing attack surface, and so this initiative is a welcome step in the right direction to enable consumers to make wise choices.
The principles are:
- No duplicated default or weak passwords;
- Implement a vulnerability disclosure policy;
- Keep software securely updated;
- Securely store credentials;
- Ensure that personal data is protected;
- Minimise exposed attack surfaces;
- Ensure communication security;
- Ensure software integrity;
- Make systems resilient to outages;
- Monitor system telemetry data;
- Make it easy for consumers to delete personal data;
- Make installation and maintenance of devices easy; and
- Validate input data.
As an adjunct to the Code, the Australian Cyber Security Centre has also developed and published a guide to help consumers understand how to buy, use and dispose of Internet of Things devices securely. With this combination of consumer awareness and education, and market-led security improvements, we can expect that IoT will continue to develop as an attractive consumer proposition while not creating widespread and unmanageable cyber vulnerabilities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.