Improving consumer IoT security: work by the UK Government and ETSI
Jasper Pandza, Secure by Design team
ETSI IoT Week, 22 October 2018

Rationale for intervention
• 12.9 billion consumer IoT devices by 2020 (Gartner 2017)
• Poorly secured IoT threatens people’s privacy, online security, and safety
• Poorly secured IoT can be misused for large-scale DDoS attacks
There is a need to move the security burden from consumers to IoT manufacturers and service providers.
Good security must be built in by design.

UK Government approach
• 2017 - 2018: Cooperation with industry, academia, consumer associations and international partners
• March 2018: Policy report
• October 2018: Code of Practice for Consumer IoT Security; mapping of the Code to existing recommendations; consumer guidance
• https://www.gov.uk/government/publications/secure-by-design
Code of Practice for Consumer IoT Security
1) No default passwords
2) Implement a vulnerability disclosure policy
3) Keep software updated
4) Securely store credentials and sensitive data
5) Communicate securely
6) Minimise exposed attack surfaces
7) Ensure software integrity
8) Ensure that personal data is protected
9) Make systems resilient to outages
10) Monitor system telemetry data
11) Make it easy to delete personal data
12) Make installation and maintenance easy
13) Validate input data
• 13 outcome-focused, high-level guidelines. Top 3 are prioritised.
• Brings together what is widely considered good practice.
• Focuses on what matters most. Not a silver bullet to all problems.
• Primary audience: device manufacturers.
• Helps ensure GDPR compliance.
• Published in 8 languages.

Guideline 1: No default passwords
All IoT device passwords shall be unique and not resettable to any universal factory default value.
Many IoT devices are being sold with universal default usernames and passwords (such as “admin, admin”) which are expected to be changed by the consumer. This has been the source of many security issues in IoT and the practice needs to be eliminated. Best practice on passwords and other authentication methods should be followed.
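As an added illustration (this is not code from the talk, the Code of Practice, or any manufacturer), the following Python sketch shows one way a manufacturer can meet Guideline 1 while staying consistent with Guideline 4: every unit receives its own factory secret, the password printed on its label is derived from that secret with HKDF, the device stores only a salted PBKDF2 hash, and a factory reset re-derives that unit's own label password rather than reverting to a universal "admin"/"admin". The blocklist, serial numbers, `Device` class and derivation labels are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist of the universal factory defaults the guideline targets.
# A real deployment would use a much larger list; these are illustrative only.
UNIVERSAL_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "root", "default"}

# 32-symbol alphabet without look-alike characters. 256 % 32 == 0, so mapping
# one byte to one symbol introduces no modulo bias.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with SHA-256 (extract, then expand), standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_initial_password(device_secret: bytes, serial: str, length: int = 12) -> str:
    """Derive the label password for one unit from that unit's own factory secret.

    Different secrets give unrelated passwords; the same secret always gives the
    same password, which is what lets a factory reset restore a device-specific
    credential instead of a universal default. Labels are hypothetical.
    """
    okm = hkdf_sha256(device_secret, b"initial-password-v1", serial.encode(), length)
    return "".join(LABEL_ALPHABET[b % len(LABEL_ALPHABET)] for b in okm)


def is_universal_default(password: str) -> bool:
    """True if the candidate is one of the blocklisted universal defaults."""
    return password.strip().lower() in UNIVERSAL_DEFAULT_PASSWORDS


class Device:
    """Minimal (hypothetical) model of a unit's admin credential lifecycle."""

    PBKDF2_ITERATIONS = 100_000

    def __init__(self, serial: str, device_secret: bytes):
        self.serial = serial
        self._device_secret = device_secret  # burned in per unit at manufacture; never shared
        self._salt = b""
        self._password_hash = b""
        self.factory_reset()

    def _store(self, password: str) -> None:
        # Keep only a salted PBKDF2 hash, never the password itself (Guideline 4).
        self._salt = os.urandom(16)
        self._password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS)

    def initial_password(self) -> str:
        """What the factory prints on this unit's label."""
        return derive_initial_password(self._device_secret, self.serial)

    def set_password(self, new_password: str) -> None:
        """User-chosen password; universal defaults are refused outright."""
        if is_universal_default(new_password):
            raise ValueError("universal default passwords are not allowed")
        self._store(new_password)

    def factory_reset(self) -> None:
        # A reset re-derives this unit's own label password, not a shared default.
        self._store(self.initial_password())

    def check_login(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, self._password_hash)


if __name__ == "__main__":
    # Constructed factory secrets; a production line would draw them from a hardware RNG.
    unit_a = Device("SN-000001", os.urandom(16))
    unit_b = Device("SN-000002", os.urandom(16))
    print(unit_a.serial, unit_a.initial_password())
    print(unit_b.serial, unit_b.initial_password())
```

The point of deriving rather than storing the label password is that the device never needs a writable copy of it: a reset recomputes it from the per-unit secret, so there is no universal value an attacker can scan for.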
CoP mapped against existing standards and recommendations
• Analysed 100+ sources from 50+ organisations
• Mapping for each CoP guideline
• Guideline 1 - No default passwords: 39 recommendations mapped from 13 organisations
• Published as report, open data JSON, and as interactive content on iotsecuritymapping.uk

Pledges to implement the Code of Practice
• IoT manufacturers that have made a public commitment to implement the Code of Practice:
• Your organisation / customer here?

Development of an ETSI TS on consumer IoT security
• Initial draft based on Code of Practice
• DTS/CYBER-0039
• Six mandatory requirements, several recommendations
• How could the ETSI TS be useful for your organisation?
• June 2018: Work Item approved
• 3-5 October 2018: Discussion at TC Cyber#14
• Present: Comments are being implemented
• January 2019: Target date for adoption

Get in touch
• Jasper Pandza [email protected]
• Programme website: https://www.gov.uk/government/publications/secure-by-design
• Interactive mapping of the Code of Practice: https://iotsecuritymapping.uk
• ETSI TS Cyber Security for Consumer Internet of Things (DTS/CYBER-0039): https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?wki_id=54761
• Secure by Design blog with detail and context: https://dcmsblog.uk/category/digital/