Government Release Code of Practice for Industry

As part of the Government’s Secure by Design initiative, the Department for Digital, Culture, Media and Sport (DCMS) has put IoT security at the forefront by publishing a Code of Practice for Consumer IoT Security that draws on PETRAS research led by the team at UCL.

The Government’s Code is aimed at industry – manufacturers, service providers and developers – and is intended to shift the burden of security away from the consumer and onto those who design and build the products, by building security in from the start. The Code defines 13 guidelines, which are:

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Securely store credentials and security-sensitive data
  5. Communicate securely
  6. Minimise exposed attack surfaces
  7. Ensure software integrity
  8. Ensure that personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

To help industry implement the guidelines, the Government have provided a mapping document that sets each guideline against the main industry standards and recommendations, giving additional context for each.

As part of this initiative, DCMS have also published the report of the CSI project, led by Professor Shane Johnson and Dr John Blythe at UCL, which evaluates how different labelling scheme designs affect consumer behaviour and what this implies for an IoT security label.

DCMS have also produced co-ordinated guidance for consumers on protecting internet-connected devices, based on work completed by the Cyberhygiene project.

UCL have also released a blog post on the Code.