In the short term, companies can ensure that they get the basics of IoT cyber security correct.
In the long term, to ensure companies maintain cyber security, foresighting is required to identify new and emerging threats and develop methods to mitigate them.
This is being supported by governments, academic institutions, trade bodies and commercial organisations.
In addition to the published Code of Practice for Consumer IoT Security, several other industry and government organisations have published their own IoT security recommendations and guides. These guides serve to support the design, manufacturing and procurement processes of IoT components and systems.
While the majority of guides focus on the security of software and communications, physical security for IoT hardware is also important and is covered in more detail in articles such as IoTSF’s physical security article.
Further sources for guides:
It is not enough to merely encourage the adoption of best practice in the design of new products or services; industry should also adopt common labelling that clearly shows consumers that best practice has been followed.
Not only would this provide comfort and peace of mind to buyers, it would also help a manufacturer or service provider to stand out from the competition and enhance its reputation as a cyber security-focused company.
In a recent research paper by Harris Interactive, 73% of people interviewed felt it is important or very important to introduce labels that highlight the security features on consumer IoT devices. Respondents also said that they would pay up to 10% more for the product.
In May 2019, the UK Government launched a consultation on its regulatory proposals for consumer IoT security, stating its ambition for the first three points of its Code of Practice for Consumer IoT Security launched in October 2018 to become mandatory. These are:
The consultation explored various options for the mandatory labelling of IoT devices. It is expected that security labelling will initially be introduced on a voluntary basis.
Building on the 2018 UK Code of Practice, the European Telecommunications Standards Institute (ETSI) released the world’s first standard (ETSI TS 103 645) for consumer IoT security in February 2019. Designed with worldwide needs in mind, its purpose is to create a baseline for IoT security, and it will be used as the baseline for future IoT certification schemes.
Other activities specifically focused on certification and labelling include the British Standards Institute (BSI) Kitemark for IoT devices, launched in 2018. Used for over 100 years, the Kitemark is a well-recognised logo that indicates quality and safety in British products. Three different Kitemarks for IoT devices exist: residential, commercial, and enhanced (for residential or commercial products used in high-risk or high-value applications).
Unlike the proposed UK regulation, the BSI IoT assessment is not based on self-certification.
It requires:
With our experience across a huge range of market sectors and our knowledge of enabling technologies, CENSIS has strong relationships with Scottish companies, public sector organisations, university research groups and hardware and software suppliers.
As part of our CENSIS community, you can join in with our regular IoT meetups to discuss ideas with like-minded people, take part in one of our hands-on technical workshops or come along to one of our Future Tech events to solve market sector problems in an open forum.
The highlight of our year is the annual CENSIS Technology Summit, where we hear from challenge providers, meet exhibitors who are showcasing new technologies, and network and connect with the sensors, imaging and IoT community.
If you would like to find out more about our work with businesses of all sizes, public sector bodies and universities, we have highlighted some of the challenges we have faced together with our clients.