Commonwealth Government releases IoT Security Code of Practice

After a period of significant public consultation, including consideration of submissions from over 4,000 organisations, on 3 September 2020, the Commonwealth Government of Australia released its Code of Practice: Securing the Internet of Things for Consumers (Code).

The Code sets out a voluntary set of 13 principles that vendors of Internet of Things (IoT) devices (as well as service providers in related fields (such as connectivity providers) can comply with, and is intended to act as a public reference point, so that vendors specifically reference their compliance with particular principles. For instance, it is anticipated that vendors will promote their devices as saying, for example,
“Our organisation has complied with principles X, Y, and Z of the Code of Practice: Securing the Internet of Things for Consumers”.

Many of the principles will be familiar to those working in the cyber security fields, although some cross over into broader privacy and consumer protection related fields. Their purpose is to create a market where mass market IoT devices are fundamentally designed with usability and security in mind. This is of course of fundamental importance when you consider the anticipated explosion in IoT device sales over the coming years. With the market increasingly populated with connected versions of previously ‘dumb’ devices like vacuums, fridges and even security systems, there is an ever-increasing attack surface, and so this initiative is a welcome step in the right direction to enable consumers to make wise choices.

The principles are:

• No duplicated default or weak passwords;
• Implement a vulnerability disclosure policy;
• Keep software securely updated;
• Securely store credentials;
• Ensure that personal data is protected;
• Minimise exposed attack surfaces;
• Ensure communication security;
• Ensure software integrity;
• Make systems resilient to outages;
• Monitor system telemetry data;
• Make it easy for consumers to delete personal data;
• Make installation and maintenance of devices easy; and
• Validate input data.

As an adjunct to the Code, the Australian Cyber Security Centre has also developed and published a guide to help consumers understand how to buy, use and dispose of Internet of Things devices securely. With this combination of consumer awareness and education, and market-led security improvements, we can expect that IoT will continue to develop as an attractive consumer proposition while not creating widespread and unmanageable cyber vulnerabilities.

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.