As part of the Government’s Secure by Design initiative, the Department for Culture, Media and Sport (DCMS) has put IoT security at the forefront by publishing a Code of Practice for Consumer IoT Security that draws on PETRAS research led by the team at UCL.
The Government’s Code is aimed at industry – manufacturers, service providers and developers – and seeks to shift the burden of security away from the consumer and towards security by design in the product itself. The Code defines 13 guidelines, which are:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
To help simplify implementation of the guidelines for industry, the Government have provided a mapping document that gives additional context by relating each guideline to the main industry standards and recommendations.
As part of this initiative, DCMS have published a report from the CSI project, led by Professor Shane Johnson and Dr John Blythe at UCL, evaluating the effect of labelling scheme designs on consumer behaviour and the potential implications for an IoT security label.
UCL have also released a blog post on the Code.