In October 2018, the UK government launched the Code of Practice for Consumer IoT Security, which is a surprisingly user-friendly read. The “Secure by Design” initiative is a voluntary code of practice developed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) and supported by the UK government, corporations making IoT products, and academics. This Code of Practice for smart home devices comes at a time when fear around security is growing amongst both consumers and manufacturers. This is a short guide on what the code means for companies making connected products.
The Code is not mandatory and has no associated testing and labeling regime -- there are no teeth to the code -- so it is really an advisory list for companies making connected products. Companies making connected products have no obligation to follow the code, and will likely not gain any measurable sales bump from announcing that they follow the code.
That is not to say there is no benefit to following the code. The code includes straightforward principles that will likely become consumer expectations over time, if they aren’t already. The code not only addresses basic security items (like not using default passwords), but also identifies other areas where the market needs to mature (like setting customer expectations about how long products will be supported by their cloud services). Together the list of items in the Code make up set of functionality that any high-quality product should adhere to, and it is not at all unreasonable for a product manager to include all 13 guidelines in the Code as product requirements.
To sum it up, there are 13 guidelines in the code:
- No default passwords for the device
- Implement a vulnerability disclosure policy (aka have a plan if there’s a breach)
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
The list is fairly straightforward, and every company should pay attention to these principles and make sure engineers understand the principles. Many companies making connected products don’t have deep expertise in security, and these principles can be used as a checklist to ensure a minimal level of security.
Likely Market Impact of the Code
The reality is that while many connected product manufacturers want to deliver secure products, they have a long list of priorities that must get done to get the product shipped. The problem is not the lack of concern about security of their products, but the lack of resources to solve the problem. In our experience working firsthand with many product companies, it’s evident that there are only so many hours in a day and companies have to ship products. Engineering teams are making tough choices, prioritizing product features, and some security features may not make the cut off. No company wants to ship insecure products, but every company wants to get products into the market.
Our prediction is that most companies won’t immediately change their products because of the code, but over time these guidelines will become market expectations. Companies making connected products are on notice that security is important, and delivering insecure products is a real risk. We recommend taking this code seriously -- not because of any risk of enforcement, but because your team, your management, and your customers will be happier if your products are secure.
Here at Cirrent we help our customers with security, reliability, and ease of use. Using the Cirrent Agent in you product can help with 9 of the 13 items in the Code. If you need help, call us.