CYBER SECURITY PRACTITIONER
A Cecile Park Media Publication | May 2018

IOT

Securing the Internet of Things

The Department for Digital, Culture, Media and Sport (‘DCMS’) has produced a report on the cyber security of the consumer Internet of Things (‘IoT’) (‘Report’). The Report acknowledges both the new opportunities and increased risks for consumers in this ever expanding IoT world and seeks to promote a ‘Secure by Design’ approach to the consumer IoT. Dan Hyde, Partner at Penningtons Manches LLP, assesses the recommendations and voluntary Code of Practice proposed in the Report and argues that this does not go far enough to protect the consumer and that there ought to be a compulsory system of regulation - a mandatory Code of Practice - and a labelling system, akin to that embraced within the food industry, to ensure that consumers are properly protected and manufacturers and service providers do not cut corners.

Dan Hyde, Partner
dan.hyde@penningtons.co.uk
Penningtons Manches LLP, London

Image: Westend61 / Getty Images

The Secure by Design concept is persuasive: it strives for uniform cyber security protections to be built into a product or service from the outset and for these to be universally applied to better protect the consumer. This uprated cyber engineering is to be achieved through 13 carefully formulated recommended guidance measures, namely:

1. that all IoT device passwords be unique and not resettable to any universal factory default value;
2. all companies providing internet connected devices and services must provide a public point of contact as part of a vulnerability disclosure policy so that disclosed weaknesses or faults can be acted on in a timely manner;
3. all software components in internet connected devices must be securely updateable. The need for an update should be flagged up by the device to the consumer so that it is obvious, and the update should be easy to implement;
4. devices should securely store credentials and security sensitive data; hard coded credentials in device software are unacceptable;
5. security sensitive data, including remote management and control, should be encrypted when transiting the internet and all keys should be managed securely;
6. all devices and services should minimise the exposed attack surfaces; unused ports should be closed and hardware should never unnecessarily expose access, so that the devices and services operate on a ‘principle of least privilege’;
7. software must be verified using secure boot mechanisms, and the device should alert the consumer to any issue and not connect to networks wider than those necessary to issue the alert;
8. devices and services must ensure any personal data is protected and processed in a way that is compliant with data protection law;
9. ensure IoT services are resilient to outages;
10. IoT services and devices should monitor system telemetry data so that security issues or unusual circumstances are identified early;
11. devices and services should make it simple for consumers to delete their personal data; the process should be straightforward, with clear instructions given to the consumer;
12. installation and maintenance of IoT devices should be minimal and usability should follow security best practices; and
13. data input to devices or services, whether via user interfaces, application programming interfaces or between networks, must be validated to ensure systems are not easily subverted by incorrect code or data.

These measures or guidelines are in order of priority (top down), with the first three identified as being of particular importance, and, together with additional explanatory notes, form a proposed Code of Practice for the industry.
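As an added illustration (not from the Report and not the author's own material), the script below checks a device provisioning record against the first six measures listed above and derives from the result the kind of label entries the article goes on to propose. The `DeviceRecord` fields, the list of factory defaults and both sample devices are assumptions constructed for this example; the email pattern is only a loose check that a public point of contact exists, not a test of the disclosure policy itself.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed list of universal factory defaults of the kind measure 1 rules out.
FACTORY_DEFAULTS = {"admin", "password", "12345", "default", ""}

# Credentials baked into shipped configuration text (measure 4), one per line.
HARDCODED_RE = re.compile(
    r"^[ \t]*(password|passwd|api_key|secret)[ \t]*=[ \t]*\S+",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class DeviceRecord:
    """Hypothetical provisioning record for one consumer IoT device (constructed)."""
    serial: str
    password: str                 # credential set at provisioning (measure 1)
    disclosure_contact: str       # public security contact (measure 2)
    update_signed: bool           # firmware updates are signed (measure 3)
    update_notifies_user: bool    # device flags a pending update (measure 3)
    firmware_config: str          # text of the shipped config file (measure 4)
    remote_mgmt_tls: bool         # remote management encrypted in transit (measure 5)
    open_ports: List[int] = field(default_factory=list)      # measure 6
    required_ports: List[int] = field(default_factory=list)  # measure 6


def assess(device: DeviceRecord, fleet: List[DeviceRecord]) -> Dict[int, List[str]]:
    """Check one device against measures 1-6; returns measure -> findings
    (an empty list means the device passes that measure). `fleet` holds the
    other provisioned devices so that password uniqueness can be tested."""
    findings: Dict[int, List[str]] = {n: [] for n in range(1, 7)}

    # Measure 1: not a universal default and not shared across the fleet.
    if device.password.lower() in FACTORY_DEFAULTS:
        findings[1].append("password is a universal factory default")
    shared = [d.serial for d in fleet
              if d.serial != device.serial and d.password == device.password]
    if shared:
        findings[1].append(f"password shared with {len(shared)} other device(s)")

    # Measure 2: a public point of contact for vulnerability disclosure.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", device.disclosure_contact or ""):
        findings[2].append("no public vulnerability disclosure contact")

    # Measure 3: secure, visible and easy updates.
    if not device.update_signed:
        findings[3].append("firmware updates are not signed")
    if not device.update_notifies_user:
        findings[3].append("pending updates are not flagged to the consumer")

    # Measure 4: no hard-coded credentials in the shipped configuration.
    for match in HARDCODED_RE.finditer(device.firmware_config):
        findings[4].append(f"hard-coded credential: {match.group(1).lower()}")

    # Measure 5: remote management and control encrypted in transit.
    if not device.remote_mgmt_tls:
        findings[5].append("remote management is not encrypted in transit")

    # Measure 6: least privilege; every listening port must be justified.
    extra = sorted(set(device.open_ports) - set(device.required_ports))
    if extra:
        findings[6].append(f"unnecessary open ports: {extra}")
    return findings


def label_claims(findings: Dict[int, List[str]]) -> List[str]:
    """Translate a clean result on measures 1-3 into the label wording the
    article proposes; a claim is only made when the measure has no findings."""
    wording = {1: "unique passwords used",
               2: "vulnerability disclosure supported device",
               3: "securely updateable"}
    return [text for n, text in wording.items() if not findings[n]]


def sample_fleet() -> List[DeviceRecord]:
    """Two constructed devices: one that follows the Code and one that does not."""
    good = DeviceRecord(
        serial="CAM-0001", password="x7Q!m2Lp9vRz", disclosure_contact="security@example.com",
        update_signed=True, update_notifies_user=True,
        firmware_config="hostname=cam-0001\nlog_level=info\n",
        remote_mgmt_tls=True, open_ports=[443], required_ports=[443])
    bad = DeviceRecord(
        serial="CAM-0002", password="admin", disclosure_contact="",
        update_signed=False, update_notifies_user=False,
        firmware_config="hostname=cam-0002\npassword=admin\napi_key=ABC123\nlog_level=info\n",
        remote_mgmt_tls=False, open_ports=[23, 80, 443], required_ports=[443])
    return [good, bad]


if __name__ == "__main__":
    fleet = sample_fleet()
    for device in fleet:
        result = assess(device, fleet)
        print(device.serial, "label:", label_claims(result))
        for measure, items in result.items():
            for item in items:
                print(f"  measure {measure}: {item}")
```

Run stand-alone, the script reports that the first device earns all three label entries while the second earns none and is flagged under every measure checked. The uniqueness test is the part a one-device check cannot do: it needs the fleet, which is why the assessment takes the other provisioning records as input.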
My own initial reaction to the Report and its Code of Practice was positive. The aims and suggested measures are laudable, well thought out and explained in plain, succinct language. The objective, to instil best practices and reduce the burden on the consumer by shifting the security responsibility to the manufacturer, service provider, app developer and retailer, is a sound one, as is the intention that cyber security should be embedded in the product from the point of design so that consumers are better protected going forward. But my positivity faded on deeper reflection: how could this or any voluntary code of practice assist where there is negligence or hostility on the part of the manufacturer, developer, retailer or service provider?
The Report makes clear that it hopes for industry cooperation rather than coercion and that take-up of the Code would be voluntary. It also trumpets the UK and the UK consumer as being the best protected in the world. Unfortunately the IoT and the products and services we seek to design cyber security into are global: consumers are purchasing products that are manufactured, developed or supported by actors in a plethora of countries. In order to control that process we must accept two things. Firstly, that a voluntary Code will be ignored or abused by some. Secondly, that even a compulsory Code will be difficult to enforce in certain reluctant states where regulation is lax and there is resistance to what is regarded as an alien jurisdiction/governance. There also needs to be a scheme of compulsory labelling, one that sets out the information that must be included on the product label. This way consumers would be better able to judge the design security of a product and it would potentially expose those products that do not meet best practice standards.
Intuition tells me that the majority of those in the UK and other world regions that are accustomed to modern standards of consumer regulation, cyber compliance and product certification will be more likely to implement the Code, but even so a voluntary Code may not be a sufficient incentive if financial gains can be made by not doing so and taking short cuts. In short, the market cannot be trusted to regulate itself; too much is at stake. There needs to be legislation with teeth that enforces these design standards and makes labelling and service/product information compulsory. Can one imagine the food industry being left to self-regulate? Imagine food producers being politely asked to ensure their products are safe for human consumption, or to include correct allergen warnings or ingredient information. It is remarkable that a consumer, often blind to the cyber security of a device at the point of purchase, should be offered less protection.
The difficulty will be that legislation would need to snag all those involved internationally. There may be hostile states that are resistant to this. One would expect a divergence of philosophy from China (a major manufacturer and distributor), Russia and possibly the US. All three have set rather divergent courses to ours in their treatment of data protection and cyber security, and globally achieving and enforcing a uniform scheme of device/service certification would be difficult if not impossible. Without global buy-in or adherence, how could one ensure the success of any code or certification scheme?
Local initiatives are afoot to encourage take-up of voluntary certification schemes. The London Digital Security Centre has launched Secured by Design, a pilot cyber security certification scheme backed by the Mayor’s Office together with the Metropolitan and City of London Police forces. The scheme is split into two parts with two separate awards. The first is titled ‘Secure by Design - Police Preferred Specification’ and is aimed at ensuring cyber supply chains are resilient. Seven early adopters came forward to take part in the award, but it remains to be seen how great the appeal of this award will ultimately be. The second award, ‘Digitally Aware - Secured by Design,’ uses a risk assessment tool to educate participants about cyber risk and increase their protection from cyber crime. Though such schemes undoubtedly add value, it is hard to imagine such a piecemeal voluntary national approach being sufficient; whilst cyber products and services remain international and have input beyond our borders, we can only engineer and certify security if we have a means of enforcing the implementation of industry standards extra-territorially.
At the very least, on a national level there ought to be a compulsory system of regulation (a mandatory Code of Practice) and a labelling system, akin to that used in the food industry, to ensure products and services sold to the UK consumer contain essential information such as ‘unique passwords used,’ ‘vulnerability disclosure supported device’ or ‘securely updateable.’ If we are going to claim we have the best protected consumers in the world, let’s at least begin a program that might one day support that assertion.