The document discusses the UK's Code of Practice for Consumer IoT Security. It provides context on why the code was developed, including to address risks from poorly secured IoT devices. The code outlines 13 security practices for IoT manufacturers, including not using default passwords and keeping software updated. The document also discusses options for regulating adherence to the code and challenges in enforcing security standards.

1. The UK’s Code of Practice for Consumer IoT
Security
David Rogers, Copper Horse
@drogersuk
44CON, London
13th September 2018
Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved. 1

2. IoT Insecurity
2Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

3. IoT Insecurity
3Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

4. Secure by Design
 National Cyber Security Strategy:
“the UK is more secure as a result of technology, products
and services having cyber security designed into them by
default”
4Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

5. Review
 Review conducted primarily to address two key risks related
to consumer IoT:
– Poorly secured IoT devices and associated services increasingly
threaten consumers’ online security, privacy and even safety.
– Poorly secured devices are likely to be hijacked and can be used in
large-scale DDOS attacks (e.g. mirai botnet). The impact is felt by third
parties rather than the end user.
5Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

6. Report
 Secure by Design: Improving the cyber security of consumer
internet of things:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf
6Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

7. Code of Practice for Consumer IoT Security
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
7Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

8. Code of Practice for Consumer IoT Security
1. No default passwords
2. Implement a vulnerability disclosure policy
3. Keep software updated
4. Securely store credentials and security-sensitive data
5. Communicate securely
6. Minimise exposed attack surfaces
7. Ensure software integrity
8. Ensure that personal data is protected
9. Make systems resilient to outages
10. Monitor system telemetry data
11. Make it easy for consumers to delete personal data
12. Make installation and maintenance of devices easy
13. Validate input data
8Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

9. Regulatory Options
 Further embed selected guidelines from the Code of Practice
on a regulatory footing.
 UK also monitoring regulatory action taken by other countries
9Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

10. Enforcement?
10Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

11. Communicating Security to Consumers
11Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

12. Mapping
 Exercise to map IoT security recommendations and standards to the
Code of Practice
 Intention for organisations to understand how the Code of Practice
sits within the existing recommendations and standards landscape
 Complex!
– Significantly fragmented
– Space is moving rapidly (cf. California IoT bill, CTIA compliance scheme)
– Organisational mergers, dead links, new versions
– Stuff we may have missed
12Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

13. Mapping guidance
and standards
• Show where guidance
aligns to the Code of
Practice
• Displays complexity of
ecosystem
• Shows where there is
harmonisation
Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved. 13
Visual layout: https://kumu.io

14. What’s Next?
14Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.

15. Thanks!
david.rogers@copperhorse.co.uk
15Copyright © 2018 Copper Horse Solutions Ltd. All rights reserved.
@drogersuk