The UK government has launched a voluntary code of practice for manufacturers of internet-connected devices. The first of its kind in the world, the code is founded on 13 guidelines and could serve as the basis for a future bill on the cybersecurity of the Internet of Things (IoT) in the UK. While the guidelines are not binding, they are designed to inform manufacturing practices and make manufacturers liable in the event of legal action.
On Monday 15 October, the UK’s Department for Digital, Culture, Media and Sport and the National Cyber Security Centre published a code of practice for improving the security of consumer Internet of Things (IoT). These guidelines for manufacturers are a world first, as reported by specialist website ObjetConnecté.
Reassurance for the public
The first country to trial the Amazon Echo, the UK has witnessed a series of high-profile cyber security events. With a view to reassuring the general public and protecting against the even greater risk of self-driving cars and medical equipment being hacked, the British government has decided to promote a voluntary code of practice.
The aim is to encourage companies to integrate the concepts of security by design and privacy by design into the devices and software they sell. The code has been drawn up in collaboration with the manufacturers of connected devices and IT experts, and comprises the following 13 guidelines:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
The basis for a future bill?
HP and Centrica Hive have already committed to the 226-page document, which takes the form of an Excel spreadsheet and comprises the main guidelines and links to other resources proposed by NGOs, companies and government agencies (white papers, W3C standards and recommendations by a series of different bodies). The code provides the basis for a possible future bill on the cybersecurity of the Internet of Things in the UK.
Though manufacturers are not legally obliged to comply with the guide, the government hopes that they will feel compelled to observe the 13 guidelines. The aim of the document is to make manufacturers acutely aware of consumer concerns. Should their products be hacked and suffer security failures, they could face legal action.