The Australian Government has released The Code of Practice: Securing the Internet of Things for Consumers (Code of Practice). The guide represents a first step in the Australian Government’s approach to improve the security of IoT devices in Australia. This Code of Practice is a voluntary set of measures the Australian Government recommends for industry as the minimum standard for IoT devices. The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption.
The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nationwide engagement with industry and the Australian public. The Code of Practice was recognized as a necessary step to lifting the cyber security of internet-connected devices domestically. The Code of Practice is designed for an industry audience and comprises 13 principles. The Australian Government recommends industry prioritize the top three principles, because action on default passwords, vulnerability disclosure and security updates will bring the largest security benefits in the short term.
In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.
Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, says, “Consumer IoT is at the extreme end of the ‘ease of use versus security’ conflict because the devices in question are typically seen as non-threatening, simple in terms of function and very much ‘fit and forget’. However, any vulnerable device is a foothold that may be exploited to enable a more damaging breach to be enacted, so IoT security is still a real and serious threat to personal information and financial theft.”
“The Code of Practice is welcome because there needs to be official guidance for manufacturers and consumers and ultimately, in the event of any negligence on the part of a manufacturer, a set of minimum standards against which litigation can be taken when needed,” adds Kedgley. “Where they may have gone further is to compel device manufacturers to make setup and management tasks both mandatory and automatic. For example, setting unique credentials, disabling function and enabling software updates, rather than just suggesting these practices should be provided.”
Ben Pick, Senior Application Security Consultant at nVisium, a Falls Church, Virginia-based application security provider, notes that these practices demonstrate a good starting point for IoT security. “However, two of them will be difficult, if not impossible, to maintain. Keeping software securely updated and making it easy for consumers to delete their personal data defies the standard usage of such devices. Most companies have found it cheaper to build new devices rather than support robust software maintenance plans. Additionally, collected data tends to be sold to third parties, preventing their complete deletion,” says Pick. “Personally, I hope companies are forced to follow these practices and that the practices themselves become a springboard for more extensive security policies in the coming years.”