The UK government recently released a Code of Practice for Consumer IoT Security. The aim of the Code of Practice is “to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.”
The new guidelines, listed below, are well thought out and promote a strong standard of security to protect consumers. They also help ensure that IoT devices are able to comply with the General Data Protection Regulation (GDPR) laws that went into effect earlier this year.
If you are building your own IoT platform, this adds a new dimension to the engineering and maintenance challenges of that effort. If you are taking the better/faster/cheaper route and using the Afero IoT platform, then you’ll be pleased to know that Afero is providing you with everything a platform can provide to keep you compliant.
Afero started out with a strong focus on security. Security is not only a core and seamless part of the design and implementation of the Afero Platform, it actually enables many of its cool capabilities. For example, end users can activate/onboard their devices in less than a minute, thanks to the security architecture that has already resolved several common issues before the device is shipped. All without compromising the best practices in secure data, transmission, supply chain, etc.
In fact, in a recent independent study by Parola Analytics, Afero was recognized globally as #5 in all IoT patents and also in IoT security patents. Having the 5th largest patent portfolio in the IoT space, behind such large companies as Samsung, Qualcomm, Intel, and IBM, is quite an achievement, and a testimony to the quality of engineering that Afero has assembled. It’s also a testimony to the market gap that existed for a fully integrated and secure IoT platform. The patent portfolio is a reflection of the benefits that our customers get by using the Afero platform.
Here are the guidelines from the UK government's Code of Practice for Consumer IoT Security:
- No default passwords – All IoT device passwords should be unique and not resettable to a universal factory default value.
- Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
- Keep software updated – updates should be timely and should not impact on the functioning of the device, and the need for which should be made clear to consumers.
- Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
- Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
- Minimise exposed attack surfaces – devices and services should operate on the principle of “least privilege”.
- Ensure software integrity – software should be verified using secure boot mechanisms.
- Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
- Make systems resilient to outages – resilience should be built into IoT devices.
- Monitor system telemetry data – telemetry data should be monitored for security anomalies.
- Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from them.
- Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
- Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.
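The first and fourth guidelines (no universal default passwords; credentials stored securely, never hard-coded) are the ones most often failed in practice, so here is a small worked illustration of what compliant device-side provisioning looks like. This is an added example written for this post, not Afero platform code: the `Device` class, the `PBKDF2_ITERATIONS` value and the provisioning flow are assumptions chosen for illustration. Each device receives a random credential unique to it at provisioning time, only a salted PBKDF2 hash of that credential is retained on the device, and a factory reset issues a fresh unique credential rather than restoring a shared factory value.

```python
"""Added example (not Afero code): unique per-device credentials with no universal default.

Illustrates two of the Code of Practice guidelines:
  1. No default passwords: every device gets its own random credential, and a
     factory reset re-provisions a new one instead of restoring a shared value.
  4. Securely store credentials: the device keeps only a salted PBKDF2-HMAC hash,
     never the plaintext, and never a credential hard-coded in the firmware.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption: an illustrative work factor; tune to the device's CPU budget.
PBKDF2_ITERATIONS = 100_000


def generate_device_credential(n_bytes: int = 16) -> str:
    """Return a random, URL-safe setup credential unique to one device."""
    return secrets.token_urlsafe(n_bytes)


def hash_credential(credential: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the credential; returns (salt, digest).

    A fresh random salt is drawn when none is supplied, so two devices that
    happened to receive the same credential would still store different digests.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Device:
    """Minimal model of one device's credential store (constructed for this example)."""

    def __init__(self, device_id: str) -> None:
        self.device_id = device_id
        self.salt = b""
        self.digest = b""
        # First boot provisions a unique credential; nothing is baked into the image.
        self.factory_reset()

    def factory_reset(self) -> str:
        """Re-provision with a *new* random credential; there is no universal default.

        Returns the plaintext exactly once so it can be shown to the owner
        (for example on a printed label or setup screen); it is not retained.
        """
        credential = generate_device_credential()
        self.salt, self.digest = hash_credential(credential)
        return credential

    def verify(self, attempt: str) -> bool:
        """Check a login attempt against the stored hash in constant time."""
        _, candidate = hash_credential(attempt, self.salt)
        return hmac.compare_digest(candidate, self.digest)


if __name__ == "__main__":
    dev = Device("example-device-0001")
    setup_code = dev.factory_reset()
    print("Provisioned credential (shown once):", setup_code)
    print("Correct credential accepted:", dev.verify(setup_code))
    print("Guessable value rejected:", dev.verify("admin"))
```

The two checks a reviewer would run against such a design are visible here: no string literal in the code can ever authenticate to a device, and re-running `factory_reset()` on two devices never yields the same value, so a leaked credential for one unit gives nothing against the rest of the fleet.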
Find out more about the ultra-secure by design Afero Platform and how we can help you ensure compliance with these regulations.