Internet of things (IoT) service providers will be compelled to implement a vulnerability disclosure policy, keep software securely updated and ensure communication security under a series of new proposals by the Australian Government.
The federal government has released a proposed voluntary Code of Practice aimed at improving the security of the IoT landscape for consumers in Australia, including the security of everyday smart devices that connect to the internet.
"This rapid growth in connectivity brings significant benefits to all Australians," Australia’s Minister for Home Affairs, Peter Dutton, said. "However, many of these devices have poor cyber security features, posing risks to Australian families, our economy and national security.
"The safety of Australians and the security of our economy is paramount. That's why the Morrison Government has developed a voluntary Code of Practice to inform industry about the cyber security features expected of these devices in Australia."
While the proposed Code has broad applications to consumer devices, it appears it will also apply to enterprise IoT applications, along with the service providers that support and roll out IoT infrastructure, as well as IoT device manufacturers, retailers and application developers.
The Code of Practice, consisting of 13 principles, was developed drawing on the technical expertise of the Australian Cyber Security Centre (ACSC), with the Code designed to align with guidance provided by the United Kingdom.
Of the 13 principles outlined in the draft Code, 11 apply to IoT service providers and at least eight apply to mobile application developers playing in the IoT space.
Among the principles that apply to IoT service providers is the requirement to implement a vulnerability disclosure policy. This would see IoT device manufacturers, service providers and mobile application developers compelled to provide a public point of contact as part of a vulnerability disclosure policy.
“Disclosed vulnerabilities should be acted on in a timely manner,” the draft Code of Practice states. “Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities.”
IoT service providers would also be obliged to keep software securely updated under the Code. Specifically, software (including firmware) on IoT devices, including third-party and open source software, as well as associated web services, should be securely updateable.
Moreover, any credentials should be stored securely within devices and on services, according to the draft Code, while devices that process personal data would need to operate in accordance with Australia’s Privacy Act 1988 and the Australian Privacy Principles.
Additionally, devices and services would be obliged to operate on the ‘principle of least privilege’ under the Code, while unused functionality should be disabled and hardware should not unnecessarily expose access. To further reduce the number of vulnerabilities, service providers and manufacturers would also be obliged to use a secure software development process and perform penetration testing.
The full list of principles can be found in the Draft Code of Practice: Securing the Internet of Things for Consumers [PDF], on which the government has called for feedback from industry and other stakeholders.
While the Code, once it makes it past the draft phase, will be a voluntary initiative, the government has said it will also work with states and territories to ensure an aligned and harmonious approach.
"We're releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cyber security," Dutton said.
"Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design."