The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have jointly released new guidelines for the manufacture of smart devices, intended to build security into the foundations.
Digital security has been a long-running issue, and one frequently brushed aside. While it is now generally accepted that 100% security is an impossible ambition, embedding security into the building blocks of every product or service is a way to mitigate as much risk as possible. This idea has been aired numerous times with little apparent action, though the new Code of Practice aims to correct this oversight.
“From smartwatches to children’s toys, internet-connected devices have positively impacted our lives but it is crucial they have the best possible security to keep us safe from invasions of privacy or cyber-attacks,” said Minister for Digital, Margot James. “The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.”
“With the amount of connected devices we all use expanding, this world-leading Code of Practice couldn’t come at a more important time,” said Ian Levy, the NCSC’s Technical Director. “The NCSC is committed to empowering consumers to make informed decisions about security whether they’re buying a smartwatch, kettle or doll. We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime.”
As it stands, the digital world is not secure. Innovation is progressing at an exciting speed, though advancements in security, or even investment in security departments and products, are not keeping pace. The world is currently sleepwalking into a digital environment tailor-made for hackers and other nefarious actors to thrive in. These individuals might be in the vast minority, but that does not make the threat any less real.
The new guidelines are as follows:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for users to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
Should the UK Government and the NCSC be able to nudge manufacturers into maintaining these principles, protections will certainly increase. This is not to say everything will be rosy, but by ensuring security is more than an afterthought in the design and manufacturing process, the right foundations are set.
“This government initiative is exactly what many in the industry have been craving for years,” said John Smith of CA Veracode. “Manufacturers have not really felt any market pressure to improve the security of these devices because consumers still have a lack of understanding of the security implications of IoT devices. Providing concrete guidance to manufacturers while also raising public awareness of these issues can only help address the gap that currently exists. It’s not just about the hardware anymore, it’s about the software behind it, and it’s really encouraging to see the UK government wake up to the potential vulnerabilities in consumer IoT devices.”
These ideas are not new; rather, it is promising to see proactive action from the Government. Security experts have long discussed the merit of building security into the foundations of products. For example, Rik Ferguson of Trend Micro has previously suggested an official badge or certification for products which have been designed with the right security protocols and concepts in mind, similar to the certification marks found on batteries. People don’t need to know the process of achieving the validation, but a properly audited process can provide peace of mind for the consumer.
However, it is critical that the process is embraced by the majority and soon becomes an industry standard. Energy company Centrica has become one of the first to embrace the guidelines with its Hive smart energy devices, while HPE has also committed. This is a good start, and potentially sets the ball rolling for a more official process. Right now, the Code of Practice is voluntary.
Security has long been an ignored issue in the industry, mainly because it is incredibly difficult to deal with. If companies were honest with consumers about the threats of the digital economy, many would be put off from taking more of their lives online. At least there is now some positive action towards addressing the significant problem of cybersecurity.