The government is targeting internet of things (IoT) cybersecurity with a voluntary code of practice.

Peter Dutton announced the draft code of practice this morning, saying that the massive number of devices being internet-connected poses creates larger cyber attack surfaces for Australians.

“This rapid growth in connectivity brings significant benefits to all Australians,” Dutton said.

“However, many of these devices have poor cyber security features, posing risks to Australian families, our economy and national security.”

Currently in a draft format, the Code of Practice is aimed at improving the behavior of device manufacturers, IoT service providers, and app developers.

According to a statement from Home Affairs, 13 principles were developed in cooperation with the Australian Cyber Security Centre and in line with international standards.

The draft principles for IoT devices are:

  1. No duplicated default or weak passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software securely updated
  4. Securely store credentials and security-sensitive data
  5. Ensure that personal data is protected
  6. Minimise exposed attack surfaces
  7. Ensure communication security
  8. Ensure software integrity
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make installation and maintenance of devices easy
  13. Validate input data

“We’re releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cyber security,” Dutton said.

You can submit your thoughts on the Code of Practice: Securing the Internet of Things for Consumers until 1 March 2020.

Voluntary principles barely protect consumers

APAC regional director of cybersecurity firm Vectra AI, Kevin Vanhaelen, said he thought the voluntary codes of practice do not go far enough.

“Anything that brings more attention to the issue of IoT security is welcome,” he said.

“However, voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issues the code seeks to address.

“In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have some vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.”

Vanhaelen also warned that it is not only consumers who are at risk from limited regulation around IoT security protocols.

“The interconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet of things devices, has created a massive, attack surface for cybercriminals to exploit,” he said.

“Businesses and consumers alike stand to benefit from this code but time will only tell what the real impact will be given the lack of an official mandate."