Slide 1: Improving consumer IoT security: work by the UK Government and ETSI

Jasper Pandza, Secure by Design team

ETSI IoT Week, 22 October 2018



Slide 2: Rationale for intervention

• 12.9 billion consumer IoT devices by 2020 (Gartner 2017)

• Poorly secured IoT threatens people’s privacy, online security, and safety

• Poorly secured IoT can be misused for large-scale DDoS attacks

Slide 3

There is a need to move the security burden from consumers to IoT manufacturers and service providers.

Good security must be built in by design.

Slide 4: UK Government approach

• 2017 - 2018: Cooperation with industry, academia, consumer associations and international partners

• March 2018: Policy report

• October 2018: Code of Practice for Consumer IoT Security; mapping of the Code to existing recommendations; consumer guidance

• https://www.gov.uk/government/publications/secure-by-design


Slide 6: Code of Practice for Consumer IoT Security

1) No default passwords

2) Implement a vulnerability disclosure policy

3) Keep software updated

4) Securely store credentials and sensitive data

5) Communicate securely

6) Minimise exposed attack surfaces

7) Ensure software integrity

8) Ensure that personal data is protected

9) Make systems resilient to outages

10) Monitor system telemetry data

11) Make it easy to delete personal data

12) Make installation and maintenance easy

13) Validate input data

• 13 outcome-focused, high-level guidelines. Top 3 are prioritised.

• Brings together what is widely considered good practice.

• Focuses on what matters most. Not a silver bullet to all problems.

• Primary audience: device manufacturers.

• Helps ensure GDPR compliance.

• Published in 8 languages.

Slide 7: Guideline 1: No default passwords

All IoT device passwords shall be unique and not resettable to any universal factory default value.

Many IoT devices are being sold with universal default usernames and passwords (such as “admin, admin”) which are expected to be changed by the consumer. This has been the source of many security issues in IoT and the practice needs to be eliminated. Best practice on passwords and other authentication methods should be followed.
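Guideline 1 has two parts that a manufacturer's factory line can check mechanically: every unit must leave with its own credential, and a factory reset must not reintroduce a universal default. The following is an added example, not code from the slides or from the Code of Practice, showing a provisioning routine that draws a per-device password from the OS CSPRNG and a batch audit that flags the three ways a unit can fail the guideline (shipping with a universal default, sharing a password with another unit, or reverting to a default on reset). The record layout, the `UNIVERSAL_DEFAULTS` list and the sample batch are constructed for this example.

```python
"""Added example (not part of the slides): provisioning and audit checks for
Guideline 1 of the UK Code of Practice, 'No default passwords'.

Two pieces a manufacturer's factory line or QA process would want:
  1. generate_device_password(): a per-device credential from a CSPRNG, so
     no two units leave the factory with the same password;
  2. audit_batch(): a check over a batch's provisioning records that flags a
     universal default on the label, a password shared by several units, and
     a universal default restored by a factory reset.

The record format and the list of universal defaults are assumptions made
for this example; they are not from the Code of Practice.
"""
import secrets
import string
from collections import Counter
from dataclasses import dataclass

# Assumed list of universal factory defaults; a production line would use a
# larger, maintained list.
UNIVERSAL_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", "1234"),
    ("user", "user"),
}

ALPHABET = string.ascii_letters + string.digits


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    username: str
    password: str        # credential printed on the unit's label
    reset_password: str  # credential restored by a factory reset


def generate_device_password(length: int = 16) -> str:
    """Per-device password from the OS CSPRNG (secrets); never derived from the
    serial number or any other value that can be predicted from the device."""
    if length < 12:
        raise ValueError("too short for a factory credential")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_universal_default(username: str, password: str) -> bool:
    """Case-insensitive match against the known universal default pairs."""
    return (username.lower(), password.lower()) in UNIVERSAL_DEFAULTS


def audit_batch(records: list[DeviceRecord]) -> dict[str, list[str]]:
    """Return the serials that violate Guideline 1, grouped by finding."""
    findings = {"default_credential": [], "shared_password": [], "default_on_reset": []}
    counts = Counter(r.password for r in records)
    for r in records:
        if is_universal_default(r.username, r.password):
            findings["default_credential"].append(r.serial)
        if counts[r.password] > 1:
            findings["shared_password"].append(r.serial)
        if is_universal_default(r.username, r.reset_password):
            findings["default_on_reset"].append(r.serial)
    return findings


def provision(serial: str, username: str = "owner") -> DeviceRecord:
    """Provision one unit: the label password and the reset password are the
    same unique value, so a factory reset cannot bring back a universal default."""
    pw = generate_device_password()
    return DeviceRecord(serial=serial, username=username, password=pw, reset_password=pw)


# Constructed sample batch: two correctly provisioned units and four that fail.
SAMPLE_BATCH = [
    provision("SN-0001"),
    provision("SN-0002"),
    DeviceRecord("SN-0003", "admin", "admin", "admin"),                 # universal default
    DeviceRecord("SN-0004", "admin", "Zq8k2vLp0rTm4Wx", "admin"),       # default comes back on reset
    DeviceRecord("SN-0005", "owner", "sharedSecret99", "sharedSecret99"),  # same password on two units
    DeviceRecord("SN-0006", "owner", "sharedSecret99", "sharedSecret99"),
]

if __name__ == "__main__":
    for finding, serials in audit_batch(SAMPLE_BATCH).items():
        print(f"{finding}: {serials}")
```

The audit runs over provisioning records rather than over the devices themselves, so it can sit at the end of the line as a release gate: a batch with any non-empty finding is held back before it reaches a consumer.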

Slide 8: CoP mapped against existing standards and recommendations

• Analysed 100+ sources from 50+ organisations

• Mapping for each CoP guideline. Guideline 1 - No default passwords: 39 recommendations mapped from 13 organisations

• Published as report, open data JSON, and as interactive content on iotsecuritymapping.uk

Slide 9: Pledges to implement the Code of Practice

• IoT manufacturers that have made a public commitment to implement the Code of Practice:

Your organisation / customer here?

Slide 10: Development of an ETSI TS on consumer IoT security

• Initial draft based on Code of Practice

• DTS/CYBER-0039

• Six mandatory requirements, several recommendations

• How could the ETSI TS be useful for your organisation?

June 2018:

• Work Item approved

3-5 October 2018:

• Discussion at TC Cyber#14

Present:

• Comments are being implemented

January 2019:

• Target date for adoption

Slide 11: Get in touch

• Jasper Pandza [email protected]

• Programme website: https://www.gov.uk/government/publications/secure-by-design

• Interactive mapping of the Code of Practice: https://iotsecuritymapping.uk

• ETSI TS Cyber Security for Consumer Internet of Things (DTS/CYBER-0039): https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?wki_id=54761

• Secure by Design blog with detail and context: https://dcmsblog.uk/category/digital/