Draft IoT Security Code Is a Great Start but Must Grow Some Teeth

By Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic


The Australian government’s new Draft Code of Practice for Securing the Internet of Things for Consumers is an excellent foundation which contains many best practices for making connected devices more resilient to cyberattacks and increasing the privacy of personal information. Whether it will be effective or not depends on if it is going to be clearly enforced. Any code of practice without real penalties for non-compliance will allow manufacturers and service providers to continue to focus on ease of use by sacrificing these exact best practices.

Before suggesting any improvements, let’s take a step back. The Internet of Things (IoT) is nothing new. It’s something that’s been around ever since computers have been connected together. Computers are the Internet of Things. Networked devices, phones, servers – anything you connect to the network is the Internet of Things. So, while we like new buzzwords and new terms, the IoT is really just another connected device or set of devices. Though we appear to be treating IoT devices as something new or different, it’s not fundamentally different from a network as it was many years ago.

What has changed are the functions of these devices that get connected; what tasks they carry out. Whereas, in the past, it was computers which were programmed to carry out different functions and could be reprogrammed again and again – whether it be a web application or some type of financial application – today devices are often carrying out more specific, targeted or simple tasks and cannot be reprogrammed. And that’s really what we’re seeing: more microprocessors and sensors being put in place.

We also tend to look at the IoT in the wrong way from a security perspective. We look at these new devices as something that is very vulnerable and high risk. But in fact, most IoT devices have very low risk; they are actually more a privacy risk than a security risk. I don’t look at an IoT device as an IoT device. What we really need to understand is what its function is. Is it a data processor? Is it a data collector? Is it a data correlator?

I look at IoT devices from a risk perspective. What is its actual role in the network and what is the possible risk impact? What is the risk of one and what is the risk of many?

Is it something that could potentially attack the network? Could it be vulnerable to data poisoning, where the data that it is generating could be manipulated? Is it providing an access point for an attacker to gain access to the network and move around or elevate privileges?

So, we really need to change how we define these devices and look at them from much more of a risk perspective: a web camera, for instance, versus a thermometer or lightbulb. What is the type of device, and what data is it gathering, participating in or processing? And what can that data be used against? So, it’s not from an IoT perspective, but from a function and a risk perspective. We need to do better risk assessments of IoT or network-connected devices, rather than just looking at them as connected devices.

The good news is that the draft code of practice for IoT takes on board some of this concept and proposes a guide for what Australia expects from manufacturers and service providers. However, for it to be effective and make a difference, everyone must be held accountable and responsible for failure to meet these principles.

In fact, the Australian initiatives are very similar to those of other countries such as the UK, the European Union and the US. Other countries may be a little further ahead than Australia, but not by much. Several are considering including a label on IoT or connected devices to make the consumer aware of the risks, but honestly I do not believe that leaving it up to consumers to make security and privacy decisions will be effective. For IoT devices to be secure with privacy by design, all devices must be held to a minimum standard, just as cars are with seatbelts. For example, you should not be able to get cyber insurance if you installed and used an IoT device that did not meet the minimum principles set out in the code of practice.

This is the main area where the draft code could be improved. I believe that the code of practice should clearly state that it is the foundation for any future legal requirements for IoT devices and that manufacturers should start to implement these security principles today. This should be required for them to be able to keep selling into the Australian market in the future or else risk future penalties or restrictions.

These security principles should also be the minimum to be used in critical infrastructure or services. I do not believe businesses and consumers need separate codes of practice, but there does need to be more emphasis on the responsibility and accountability of manufacturers and service providers and the consequences of any failure to meet the code. When it comes to businesses, it should be about the execution of the code and the ability to report on compliance.

While a voluntary code is absolutely not sufficient, it is a first step, and my recommendation is to make it clear that this is a foundation and that it will become enforced in the future and/or there will be penalties for failure to comply. Making it clear that enforcement will come later will make companies and manufacturers start putting the necessary processes and checks in place to meet the code of practice in the future, as well as take it more seriously.

Overall, I really like the code of practice, and you always need a starting point. Great work by the Australian Cyber Security Centre and the Australian Government for taking a proactive approach to this critical challenge, continuing to make Australia more resilient to cyber threats and increasing digital safety for Australian citizens. These new initiatives, along with the recent Cyber Strategy 2.0, are very much welcomed by industry and are putting Australia at the forefront of global cybersecurity standards.

About the author

Joseph Carson is the Chief Security Scientist & Advisory CISO for Thycotic, a provider of privileged access management (PAM) solutions for more than 10,000 organisations worldwide. Carson has over 25 years’ experience in enterprise security, is the author of “Privileged Account Management for Dummies” and “Cybersecurity for Dummies”, and is a cyber security professional and ethical hacker. He is a cyber security advisor to several governments and the critical infrastructure, financial and transportation industries.
