The Australian government today released the first version of its Internet of Things (IoT) Code of Practice. The voluntary code, aimed at industry, outlines 13 security principles that represent the “standard for IoT devices” for device manufacturers, IoT service providers, and application developers.
The seven-page document includes brief recommendations on data storage and password standards, and a requirement to establish a “vulnerability disclosure policy”. That policy should include a public point of contact for reporting vulnerabilities, and reported vulnerabilities should be acted on in a “timely manner”.
There is also a principle that industry should make it “easy” for consumers to delete data stored on the device and in “associated backend/cloud accounts and mobile applications”.
The code is subject to change based on public consultation, which runs until 1 March 2020. The final code will be reviewed iteratively, according to the departments overseeing it, the Department of Home Affairs and the Australian Signals Directorate.
The government says the Australian-first IoT code will help establish security best practice, which has often been sacrificed for functionality in IoT devices, and raise awareness of the growing security threat posed by interconnected devices.
Home Affairs Minister Peter Dutton announced the code today in Melbourne.
Dutton said the growing number of interconnected devices, which Gartner estimates will reach 64 billion by 2025, has the potential to bring many benefits to Australians, but that many of the devices have poor security features.
“We’re releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cyber security,” Dutton said at the 2019 Home Affairs Industry Summit.
“Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design.”
The government says it will also work with states and territories to develop the code further, and that additional IoT security initiatives will be explored through the 2020 Cyber Security Strategy.
Voluntary code limitations
While the code of practice is welcome, the voluntary approach has limitations, particularly for an IoT industry whose supply chain has widely varying security resources, according to Kevin Vanhaelen, regional director, Asia-Pacific, Vectra AI.
“In the government’s draft voluntary Code of Practice we see recognition of some of the key IoT risks and associated steps responsible IoT vendors and service providers might take. However, voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issues the code seeks to address.
“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have some vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”
Vanhaelen said consumers cannot rely on government initiatives such as the code of practice for their IoT security, and urged them to change default passwords and apply firmware updates themselves.
According to the draft code of practice, the first three principles, strong passwords, a vulnerability disclosure policy and regular software updates, are the highest priority and should be addressed first by the IoT industry.
The full list of principles is:
- No duplicated default or weak passwords
- Implement a vulnerability disclosure policy
- Keep software securely updated
- Securely store credentials and security-sensitive data
- Ensure that personal data is protected
- Minimise exposed attack surfaces
- Ensure communication integrity
- Ensure software integrity
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data