Australia plays its part in safeguarding Internet of Things devices
EVER SINCE its conception, the internet of things (IoT) has redefined connectivity. At the rate it is progressing, 2020 will see IoT embedded in even more of our daily lives.
However, as more things are connected to one another over the internet, the risk of a cyber attack rises.
Businesses must be mindful of this, as the consequence of an attack is costly. The aftermath of an attack is not isolated, and can have a cascading effect across all aspects of the business.
Therefore, organizations must ensure that IoT devices are sufficiently protected to mitigate risks of cyber security breaches.
To tackle this issue, Australia’s government has released a draft code of practice for securing the IoT for consumers.
This code is intended to serve as a best-practice guideline for industry audiences, and can be applied regardless of geographic region. Of the 13 principles outlined in the code, the first three are marked as the highest priority.
# 1 | There must be no duplicated default or weak passwords
Aimed primarily at device manufacturers, this principle states that IoT devices (including any associated backend/cloud accounts) must have passwords that are unique per device and infeasible to guess.
They must not be resettable to a factory default value that is shared by multiple devices.
# 2 | Implementation of Vulnerability Disclosure Policy
The code requires a public point of contact, so that vulnerabilities can be disclosed responsibly and in a coordinated manner. A bug bounty program can also be put in place to encourage this.
# 3 | Keep software securely updated
Software must be securely updateable, and updates must not change device functionality or user-configured preferences.
Consumers must also be made aware of update details, such as the time frame and the reasons for an update, and receive assurance that updates come from a trusted source. For devices that cannot be updated, the product should be made replaceable.
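The "assurance that updates are from a trusted source" requirement is usually met by having the vendor sign each update and having the device verify that signature before installing anything. The following is an added example (not code from the code of practice or from any vendor) showing the two halves of that exchange with Go's standard-library ed25519: the build pipeline signs the version number and the image digest together, and the device rejects both tampered images and validly signed but older images (rollback). The `UpdatePackage` layout, version scheme and key pair are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update container assumed for this example;
// the code of practice does not prescribe a format.
type UpdatePackage struct {
	Version   uint32 // monotonically increasing firmware version
	Image     []byte // the firmware image itself
	Signature []byte // ed25519 signature over version || sha256(Image)
}

// signedMessage builds the exact bytes the vendor signs and the device verifies.
// Binding the version into the signed data means an attacker cannot relabel an
// old signed image with a newer version number.
func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the vendor side. It runs in the build pipeline; the private
// key never leaves the vendor and is never present on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// VerifyUpdate is the device side. The signature is checked before any field
// of the package is trusted, and the version must strictly increase so that a
// genuine but vulnerable older image cannot be pushed back onto the device.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(vendorPub, signedMessage(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed sample data: a throwaway vendor key pair and a fake image.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v2")
	pkg := SignUpdate(priv, 2, image)
	fmt.Println("genuine update on a v1 device:", VerifyUpdate(pub, 1, pkg))

	// An attacker modifies the image in transit: the digest no longer matches.
	tampered := pkg
	tampered.Image = []byte("constructed firmware image v2 with a backdoor")
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	// The same genuine package replayed against a device already on v2.
	fmt.Println("rollback attempt:", VerifyUpdate(pub, 2, pkg))
}
```

In a real device the vendor public key would be baked into the bootloader or a hardware root of trust rather than sitting in a variable, and the signature check would be repeated by the bootloader on every boot so that an image written to flash by some other path is also refused.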
Aside from this, the code also calls for credentials and sensitive personal data to be securely stored and protected. In accordance with Australian data privacy laws, personal data must be protected with 'industry-standard encryption'. This applies to both data in transit and data at rest.
The code also states that exposed attack surfaces must be minimized. Devices should operate on the 'principle of least privilege', with unused functionality disabled. Software should be securely developed, undergo penetration testing, and be verified with secure boot mechanisms.
Further, input data should always be validated to confirm that it conforms to expectations.
Finally, the code states that systems must be made resilient to outages, that telemetry data should be monitored for security anomalies, that consumers should be given better control over their data, and that installation and maintenance of devices should be made easy.
Australia's initiative to make the IoT cyberspace safer is a commendable one. Society today is heavily reliant on IoT devices, and that reliance shows no sign of slowing down.
Because of this, it is understandable that tech companies are rushing to dominate this market. However, companies must also take responsibility for the measures needed to safeguard IoT devices.
If the code is followed, consumer confidence in IoT technology will grow, and businesses and consumers alike can reap the benefits of greater IoT adoption.