Australian Government Releases First Version of IoT Code of Practice

The government of Australia has released the first version of its IoT Code of practice. This voluntary code is aimed at the IoT industry. It outlines 13 security principles that represent the standards for IoT devices that are needed to follow by device manufacturers, IoT service providers, and application developers.

The document is comprised of 7 pages and includes brief recommendations for data storage, password standards and a requirement to establish a vulnerability disclosure policy. The vulnerability disclosure policy should include a public point of contact for reporting vulnerabilities and that they are acted on in a "timely manner".

One of the principles enables the industry to make it convenient for consumers to delete data stored on the device. They can also delete the data stored in associated backend/cloud accounts and mobile applications as well.

The code addresses the change based on consultation with the public, which will run until 1 March 2020. According to the Department of Home Affairs and the Australian Signals Directorate, the department will review the final code iteratively.

However, the Australian government claims that the first IoT code will help establish the best security practice without compromising functionality in IoT devices. It is also subjected to raise awareness about the growing security threat of interconnected devices.

Home Affairs Minister Peter Dutton stated that the growing number of interconnected devices, which is estimated to reach 64 billion by 2025 by Gartner, possess the potential to supply several benefits to Australians but many of them have poor security attributes.

He quoted, "we're releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cybersecurity. Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built-in by design."

The Australian government has decided to work with states and territories to further develop the code. Moreover, IoT security initiatives will be explored through the 2020 Cyber Security Strategy.

What are the limitations of the Voluntary Code? 

It has certain limitations for an IoT industry with a supply chain with varying security resources.

Kevin Vanhaelen, regional director, Asia-Pacific, Vectra AI said – "In the government's draft voluntary Code of Practice we see recognition of some of the key IoT risks and associated steps responsible IoT vendors and service providers might take. However, voluntary codes of practice will likely only attract organizations who are already proactive and bought into addressing the issues the code seeks to address. In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have some vendors and supporting supply chains that simply don't have the resources, skills, or even the will to meet the framework's recommendations."

According to him, consumers cannot depend upon such government initiatives. He further went on to urge the people to conduct their own password changes and firmware updates.

What are its 13 Principles?

The first 3 principles of IoT Code of practice are – strong passwords, a vulnerability disclosure policy, and regular software updates. These three are on the highest priority and it has been recommended to be prioritized by the IoT industry. Below is the full list of principles.

•  No duplicated default or weak passwords

•  Implement a vulnerability disclosure policy

•  Keep software securely updated

•  Securely store credentials and security-sensitive data

•  Ensure that personal data is protected

•  Minimize exposed attack surfaces

•  Ensure communication integrity

•  Ensure software integrity

•  Make systems resilient to outages

•  Monitor system telemetry data

•  Make it easy for consumers to delete personal data

•  Make installation and maintenance of devices easy

•  Validate input data