Australian government releases voluntary IoT cybersecurity code of practice
The Australian government has released a voluntary code of practice for securing the Internet of Things (IoT) in Australia.
The voluntary Code of Practice: Securing the Internet of Things for Consumers [PDF] is intended to provide industry with a best-practice guide on how to design IoT devices with cybersecurity features.
It will apply to all IoT devices that connect to the internet to send and receive data in Australia, including “everyday devices such as smart fridges, smart televisions, baby monitors, and security cameras”.
“Internet-connected devices are increasingly part of Australian homes and businesses and many of these devices have poor security features that expose owners to compromise,” Minister for Home Affairs Peter Dutton said.
“Manufacturers should be developing these devices with security built in by design.
“Australians should be considering security features when purchasing these devices to protect themselves against unsolicited access by cybercriminals.”
The voluntary code of practice is based on 13 principles.
These principles include not shipping duplicated default or weak passwords and using multi-factor authentication; implementing a vulnerability disclosure policy that includes a public point of contact so security researchers and others can report cybersecurity issues; keeping software securely updated; and securely storing credentials by avoiding hard-coded credentials in devices and software.
The code also states manufacturers should ensure personal data is protected according to data protection laws such as the Privacy Act 1988 and the Australian Privacy Principles; minimise exposed attack surfaces; ensure communication security; ensure software integrity by verifying the software on IoT devices and using secure boot mechanisms; make systems resilient to outages; and monitor system telemetry data for security anomalies.
Additionally, while voluntary, the code of practice also encourages IoT manufacturers to make it easy for consumers to delete personal data when they dispose of a device; make installation and maintenance of devices easy; and ensure any data received via user interfaces, APIs, and network interfaces is validated.
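To make two of the principles concrete (no duplicated default or weak passwords, and no hard-coded credentials), here is a short illustration added for this article; it is not code from the code of practice, the ACSC guidance, or any manufacturer. It contrasts firmware that bakes the same administrator password into every unit with a device that receives a unique credential at manufacture, stores only a salted hash of it, and enforces a password policy on change. The class names, the small default-password blocklist, and the 12-character minimum are assumptions chosen for the example.

```python
"""Added illustration of the 'no duplicated default or weak passwords' and
'no hard-coded credentials' principles. Constructed example; not vendor code."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed, deliberately small blocklist of factory defaults commonly shipped
# on consumer devices. A real implementation would use a maintained list.
DEFAULT_PASSWORDS = frozenset(
    {"admin", "password", "12345", "123456", "root", "1234", "default"}
)
MIN_LENGTH = 12  # assumed policy value for this example


def password_is_acceptable(candidate: str, device_serial: str) -> Tuple[bool, str]:
    """Reject known defaults, short passwords, and passwords that embed the
    serial number printed on the device label. Returns (ok, reason)."""
    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS:
        return False, "matches a known factory default"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if device_serial and device_serial.lower() in lowered:
        return False, "contains the device serial number"
    if len(set(candidate)) < 4:
        return False, "too few distinct characters"
    return True, "ok"


class HardcodedFirmware:
    """The pattern the code of practice warns against: every unit ships with
    the same credential compiled into the firmware image."""

    ADMIN_USER = "admin"
    ADMIN_PASSWORD = "admin"  # identical on every device and trivially guessable

    def login(self, user: str, password: str) -> bool:
        return user == self.ADMIN_USER and password == self.ADMIN_PASSWORD


class ProvisionedDevice:
    """Hardened pattern: each unit gets a unique credential at manufacture.
    The firmware holds only a per-device salt and PBKDF2 hash; the plaintext
    goes to that unit's label and never exists in the firmware image."""

    PBKDF2_ITERATIONS = 200_000

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self._salt = os.urandom(16)
        self._password_hash: Optional[bytes] = None
        self.must_change = True  # first login should force a password change

    def provision(self) -> str:
        """Generate and store a unique initial password; return it for printing."""
        initial = secrets.token_urlsafe(12)  # 16 characters, unique per unit
        self._store(initial)
        return initial

    def _store(self, password: str) -> None:
        self._password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS
        )

    def login(self, password: str) -> bool:
        if self._password_hash is None:
            return False  # unprovisioned unit: nothing can log in
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(digest, self._password_hash)

    def change_password(self, old: str, new: str) -> Tuple[bool, str]:
        """Require the current password, then apply the weak/default policy."""
        if not self.login(old):
            return False, "current password incorrect"
        ok, reason = password_is_acceptable(new, self.serial)
        if not ok:
            return False, reason
        self._store(new)
        self.must_change = False
        return True, "ok"


if __name__ == "__main__":
    unit_a, unit_b = ProvisionedDevice("SN-0001"), ProvisionedDevice("SN-0002")
    label_a, label_b = unit_a.provision(), unit_b.provision()
    print("distinct per-unit credentials:", label_a != label_b)
    print("label A opens unit B:", unit_b.login(label_a))
    print("change to 'admin':", unit_a.change_password(label_a, "admin"))
```

The point of the contrast is that a credential leaked from one `ProvisionedDevice` unlocks only that unit, whereas one leaked `HardcodedFirmware` password unlocks the entire product line; the policy check is what stops an owner reintroducing a shared default on first use.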
Alongside the code of practice, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has released a guide to help manufacturers implement the IoT code of practice.
Additionally, the ACSC has released an IoT guide for consumers and small and medium-sized businesses on how to protect themselves against cyber threats when buying, using, and disposing of IoT devices.
“Boosting the security and integrity of internet-connected devices is critical to ensuring that the benefits and conveniences they provide can be enjoyed without falling victim to cybercriminals,” Minister for Defence Linda Reynolds said.
Publishing the code of practice on Thursday follows the Australian government’s release of a draft version last November and a nationwide consultation with industry across various sectors, including cybersecurity, government, not-for-profit advocacy groups, critical infrastructure providers, and domestic and international consumers.
The code of practice is also a key deliverable of the government’s 2020 Cyber Security Strategy.
In July last year, Australia co-signed a statement of intent regarding the security of IoT with the Five Eyes nations in London. The voluntary code of practice, according to the government, “aligns and builds upon” the guidance provided by the UK and is consistent with “other international standards”.
A similar code [PDF] has also been developed by the European Union.