UK Govt Code Of Practice For IoT

Following news that a recent investigation revealed Ministry of Defence secrets were exposed in dozens of breaches of military cyber security policy last year, IT security experts comment below.

Edgard Capdevielle, CEO at Nozomi Networks:

“Due to the criticality of their services, government networks have become a key target for cyber criminals interested in cyber espionage, cyber warfare, hacktivism and cyber ransom attacks.

Any cyber attack targeting a government entity, especially one against the MoD, could have a serious impact on national security, and it is understandable that the government has declined to confirm or deny an attack, as this could also provide intelligence to attackers.

It is crucial that governments take steps to improve the security of their networks to prevent foreign attackers from gaining access to sensitive information, which could cause a country harm. The current threat landscape is quickly expanding as attackers with various levels of sophistication are more easily finding the tools and tactics needed to be successful, and government organizations need to sit up and take action.”

Matt Walmsley, EMEA Director at Vectra:

“IoT is providing many wonderful ways of making our lives easier and more entertaining. However, as any legacy equipment manufacturers look to get their gear ‘IP enabled’ they don’t have the skills and knowledge in-house, so they outsource that element and then integrate the IP elements into their solution. This outsources the security capabilities and robustness to a third party, who are not always best placed to evaluate security elements. Detailed supply chain assurance and provenance are risks that need managing within IoT design, manufacturing, and service delivery.

In the Government’s newly announced voluntary Code of Practice we see recognition of some of the key IoT risks and associated steps responsible IoT vendors and service providers might take. However, voluntary codes of practice will likely only attract organisations who are already proactive and bought into addressing the issues the CoP seeks to address. In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have vendors and supporting supply chains that simply don’t have the resources, skills, or even the will to meet the framework’s recommendations.

Consumers can’t rely on such a Government initiative to alleviate IoT security concerns and risks. With consumers bringing more and more IoT devices into the home but not having the technical understanding to manage the security of these devices, they are also unknowingly putting their households at more risk. As a starting point, consumers should, at the very least, change their IoT devices’ default passwords to a strong password string, and always ensure the latest firmware is running.”