The UK Department for Digital, Culture, Media and Sport (DCMS) has launched a Code of Practice for consumer IoT security. The aim of the Code of Practice is to "support all parties involved in the development, manufacturing and retail of consumer IoT", as stated on the UK.gov website. The set of guidelines has been developed to help ensure that IoT products are secure by design and to make it easier for people to stay secure in a digital world. The aim of the Code is to initiate and facilitate positive security change throughout the entire supply chain.
DDoS attacks are harder to defend against due to the rise in IoT devices
The Code of Practice comes at a time when IoT devices are increasingly being used as part of massive botnets to send huge volumes of traffic to targeted servers. The use of IoT devices to initiate these DDoS attacks is expected to increase in the coming years, partly due to a lack of built-in security measures. A good example is the attack that authorities initially feared was the work of a hostile nation-state but was in fact the work of the Mirai botnet.
The sheer power and reach of that attack came from an IoT botnet. By trying default username and password combinations, Mirai was able to amass an army of compromised closed-circuit TV cameras and routers, ready to do its bidding. With the production of IoT devices only expected to rise, the opportunity to compromise them is growing in parallel. Even though many IoT devices have low processing power, their total volume is enormous. The source code of Mirai has since been published and several spin-offs are already active. All of this means that this newer generation of IoT botnets is a much bigger threat, and mitigating such massive traffic volumes with DDoS protection solutions is considered to be a major cyber security challenge for businesses today.
13 guidelines for IoT Security
The Code of Practice brings together what is widely considered best practice in IoT security. It was developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the UK National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia. The Code of Practice comprises the following thirteen outcome-focused guidelines:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Securely store credentials and security-sensitive data
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make installation and maintenance of devices easy
- Validate input data
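As an added example that is not part of the Code of Practice or any DCMS tooling, the following Python script audits a device configuration manifest against the first seven guidelines above, reporting a weak manifest beside its hardened form. The manifest schema, its field names, the list of credential pairs treated as factory defaults and the set of services flagged as risky are all assumptions made for this illustration.

```python
"""Audit a consumer IoT device manifest against guidelines 1-7 of the Code.

Added example, not Code of Practice or DCMS tooling: the manifest schema,
field names, the factory-default credential list and the risky-service
list are all constructed assumptions for illustration.
"""

# Constructed: credential pairs a reviewer treats as factory defaults.
FACTORY_DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("user", "1234")}

# Constructed: services that expose plaintext or unauthenticated management
# and should be disabled on a shipping consumer device.
RISKY_SERVICES = {"telnet", "ftp", "debug_shell"}

GUIDELINES = {
    1: "No default passwords",
    2: "Implement a vulnerability disclosure policy",
    3: "Keep software updated",
    4: "Securely store credentials and security-sensitive data",
    5: "Communicate securely",
    6: "Minimise exposed attack surfaces",
    7: "Ensure software integrity",
}


def _version(v) -> tuple:
    """Parse '1.2' into (1, 2) so versions compare numerically, not as text."""
    return tuple(int(p) for p in str(v).split("."))


def audit_manifest(manifest: dict) -> dict:
    """Return {guideline number: reason} for every guideline the manifest fails."""
    failures = {}
    cred = manifest.get("admin_credential", {})

    # 1: a credential shared across units, or a well-known pair, is a default.
    pair = (cred.get("user"), cred.get("password"))
    if pair in FACTORY_DEFAULT_CREDENTIALS or not cred.get("unique_per_device", False):
        failures[1] = "admin credential is shared across devices or is a well-known default"

    # 2: the vendor must publish a way to report vulnerabilities.
    if not manifest.get("vulnerability_disclosure_contact"):
        failures[2] = "no vulnerability disclosure contact published"

    # 3 and 7: updates must exist and be verified before they are installed.
    update = manifest.get("update", {})
    if not update.get("mechanism"):
        failures[3] = "no software update mechanism"
    elif not update.get("signature_verified"):
        failures[7] = "updates are installed without signature verification"

    # 4: a plaintext password on the device violates secure storage.
    if "password" in cred:
        failures[4] = "admin password stored in plaintext rather than as a hash"

    # 5: management and cloud traffic must be encrypted with a current TLS version.
    transport = manifest.get("transport", {})
    if not transport.get("tls") or _version(transport.get("min_tls_version", "1.0")) < (1, 2):
        failures[5] = "management traffic is unencrypted or allows TLS below 1.2"

    # 6: every enabled service is attack surface; flag the risky ones.
    enabled = {s["name"] for s in manifest.get("services", []) if s.get("enabled")}
    exposed = sorted(enabled & RISKY_SERVICES)
    if exposed:
        failures[6] = "risky services enabled: " + ", ".join(exposed)

    return failures


# Constructed manifests: one as many devices ship today, one after hardening.
WEAK_MANIFEST = {
    "admin_credential": {"user": "admin", "password": "admin", "unique_per_device": False},
    "update": {"mechanism": "http_pull", "signature_verified": False},
    "transport": {"tls": False},
    "services": [{"name": "telnet", "enabled": True}, {"name": "https", "enabled": True}],
}

HARDENED_MANIFEST = {
    "admin_credential": {
        "user": "admin",
        "password_hash": "<constructed placeholder for a per-device salted hash>",
        "unique_per_device": True,
    },
    "vulnerability_disclosure_contact": "security@example.com",
    "update": {"mechanism": "signed_ota", "signature_verified": True},
    "transport": {"tls": True, "min_tls_version": "1.2"},
    "services": [{"name": "https", "enabled": True}, {"name": "telnet", "enabled": False}],
}


def report(manifest: dict) -> str:
    """Human-readable audit report, one line per failed guideline."""
    failures = audit_manifest(manifest)
    if not failures:
        return "PASS: no findings"
    return "\n".join(f"FAIL guideline {n} ({GUIDELINES[n]}): {why}"
                     for n, why in sorted(failures.items()))


if __name__ == "__main__":
    print("Weak manifest:\n" + report(WEAK_MANIFEST))
    print("\nHardened manifest:\n" + report(HARDENED_MANIFEST))
```

The weak manifest fails guidelines 1, 2, 4, 5, 6 and 7; the hardened one passes all seven. Guideline 3 is only reported when no update mechanism exists at all, since an unverified update path is a software-integrity (guideline 7) failure rather than a missing-updates one.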
Even though the Department says the Code of Practice is 'not a silver bullet for solving all security challenges', it could encourage other governments to come up with comparable Codes of Practice for IoT security.
Implementation of the Code of Practice for IoT security
The Code of Practice comes with a mapping document and an open data JSON file that links each of the Code's guidelines to the main industry standards, recommendations and guidance. This mapping gives additional context to the Code's thirteen guidelines and is intended to help organisations implement them. The mapping also shows the relationship between the Code and the work on IoT security that is being carried out by a wide array of global organisations.
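As an added example of how such a mapping can be put to work, the following Python script inverts a guideline-to-standards mapping to show which guidelines each standard covers, which guidelines have no external reference, and which guidelines a vendor conforming to one standard would still have to evidence separately. The JSON document, its schema and the standard names are a constructed stand-in with placeholder values, not the real DCMS mapping file, whose format the page does not show.

```python
"""Query a guideline-to-standards mapping of the kind the Code's open data
file provides.

Added example: the JSON document and its schema are a constructed stand-in,
not the real DCMS mapping file, whose format the page does not show.
"""
import json

# Constructed sample in an assumed schema; the standard names are placeholders.
MAPPING_JSON = """
{
  "guidelines": [
    {"id": 1, "title": "No default passwords",
     "references": [{"standard": "Standard A (placeholder)", "clause": "4.1"},
                    {"standard": "Standard B (placeholder)", "clause": "2"}]},
    {"id": 2, "title": "Implement a vulnerability disclosure policy",
     "references": [{"standard": "Standard A (placeholder)", "clause": "6"}]},
    {"id": 3, "title": "Keep software updated",
     "references": []}
  ]
}
"""


def load_guidelines(text: str) -> list:
    """Parse the mapping document and return its list of guideline records."""
    return json.loads(text)["guidelines"]


def coverage_by_standard(guidelines: list) -> dict:
    """Invert the mapping: for each standard, the set of guideline ids it addresses."""
    coverage = {}
    for g in guidelines:
        for ref in g["references"]:
            coverage.setdefault(ref["standard"], set()).add(g["id"])
    return coverage


def unmapped_guidelines(guidelines: list) -> list:
    """Guideline ids with no external reference at all; these need bespoke evidence."""
    return sorted(g["id"] for g in guidelines if not g["references"])


def gap_against(guidelines: list, standard: str) -> list:
    """Guidelines a vendor conforming to `standard` must still evidence separately."""
    covered = coverage_by_standard(guidelines).get(standard, set())
    return sorted(g["id"] for g in guidelines if g["id"] not in covered)


if __name__ == "__main__":
    gl = load_guidelines(MAPPING_JSON)
    for std, ids in sorted(coverage_by_standard(gl).items()):
        print(f"{std}: covers guidelines {sorted(ids)}")
    print("unmapped:", unmapped_guidelines(gl))
    print("gap vs Standard B:", gap_against(gl, "Standard B (placeholder)"))
```

With the sample data, Standard A covers guidelines 1 and 2, Standard B covers only guideline 1, guideline 3 is unmapped, and a vendor relying on Standard B alone still has guidelines 2 and 3 to evidence.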