Almost a year after releasing the draft version, the Federal Government has released its voluntary Code of Practice for the Internet of Things (IoT), aimed at improving the security of these types of devices for Australian consumers.
The Code of Practice: Securing the Internet of Things for Consumers represents the first step in the government’s approach to improving the security of IoT devices in Australia.
Leading up to the final version, the Department of Home Affairs and the Australian Signals Directorate held a national consultation to inform the development of the Code, involving the views of more than 4,640 organisations from all sectors, including critical infrastructure providers, cyber security companies, government bodies, consumers and not-for-profit advocacy groups.
“The Code of Practice will also help raise awareness of security safeguards associated with IoT devices, build greater consumer confidence in IoT technology and allow Australia to reap the benefits of greater IoT adoption,” the Code states.
Of the 13 principles, the government is asking the industry to prioritise the top three, which address default passwords, vulnerability disclosure and security updates, in order "to bring the largest security benefits in the short term."
The principles also stand to inform local and international manufacturers of the security features required for smart devices that connect to the internet.
Out of the 13 principles, 11 apply to IoT service providers, including implementing a vulnerability disclosure policy; keeping software securely updated; securely storing credentials; ensuring personal data protection; minimising exposed attack surfaces; communication security; system resilience to outages; monitoring system telemetry data; making it easy for consumers to delete personal data; making installation and maintenance of devices easy; and validating input data.
Part of the code will also apply to retailers, who will face responsibility for ensuring consumer personal data is protected.
The Code will be reviewed on a regular basis to ensure it is ‘fit for purpose’.