The Australian Government launched the latest voluntary IoT cybersecurity code of practice derived from 13 basic principles – applicable to all IoT devices in Australia.
The Australian Government has launched a voluntary code of practice for securing IoT devices in Australia.
The voluntary Code of Practice focused on securing the Internet of Things for consumers is intended to provide the industry with a compiled best-practice guide on how to design these devices with advanced cybersecurity features.
It will apply to all IoT devices that connect to the internet to transmit data in Australia, including everyday devices such as smart televisions, smart fridges, baby monitors, and security cameras.
All manufacturers of such devices should ensure security is built in by design. The Government also urged citizens to consider these security features when purchasing such devices, to protect themselves against unsolicited access by cybercriminals.
This voluntary code of practice is based on the below 13 principles:
- No duplicated, weak, or default passwords on IoT devices
- Implement a vulnerability disclosure policy applicable to all IoT service providers, IoT device manufacturers, and mobile application developers
- Keep software securely updated, including firmware on IoT devices, covering all third-party and open-source software.
- Securely store credentials within devices and on services.
- Ensure that personal data is protected under data protection laws such as the Privacy Act 1988 and the Australian Privacy Principles.
- Minimize exposed attack surfaces, operating on the ‘principle of least privilege.’
- Ensure communication security, maintaining data confidentiality or integrity protection through encryption and secure remote management.
- Ensure software integrity on IoT devices is verified using secure boot mechanisms.
- Make systems resilient to outages, taking into account the possibility of power and data network outages.
- Monitor system telemetry data collected from IoT devices and services for security anomalies.
- Make it easy for consumers to remove personal information when there is a transfer of ownership, or whenever the consumer wishes to delete it or dispose of the device.
- Make installation and maintenance of IoT devices easy, employing minimal steps and following the Australian Government's best practice.
- Validate input data received via user interfaces, APIs, and network interfaces.
The code states that manufacturers should ensure personal data is protected according to data protection laws such as the Australian Privacy Principles and Privacy Act 1988.
Alongside the code of practice, the ACSC (Australian Signals Directorate’s Australian Cyber Security Centre) has released an integrated guide to allow manufacturers to implement the IoT code of practice.
Additionally, it has released an IoT guide for small and medium-sized businesses and consumers on how to protect themselves against cyber threats while purchasing, using, and disposing of IoT devices.
“Boosting the security and integrity of internet-connected devices is critical to ensuring that the benefits and conveniences they provide can be enjoyed without falling victim to cybercriminals,” Minister for Defence Linda Reynolds confirmed.
Publishing the code of practice follows on from the Australian Government’s release of the draft version, and a nation-wide consultation with industry across sectors, including cybersecurity, Government, critical infrastructure providers, not-for-profit advocacy groups, and domestic and international consumers.
This code of practice is also a critical deliverable of the Australian Government's 2020 Cyber Security Strategy.
In July last year, Australia co-signed a statement of intent concerning the security of IoT with the Five Eyes nations in London. According to the Government, this voluntary code of practice aligns with and builds upon the detailed guidance provided by the UK, while remaining consistent with other applicable international standards.