Security by Design for Telecommunications Networks

David Rogers writes about future telecoms network security.

The UK5G Innovation Network recently published an article on the topic of Security by Design which I wrote a little while back, covering both IoT and managing risk in future networks. You can only fit so much into a couple of pages, so here’s a little bit more that I wrote on future telecommunications networks and the challenges of supply chain security.

An area that can’t have escaped anyone’s notice is the debate over what are now known as ‘High Risk Vendors’ in telecommunications networks. This mostly distils into a question over whether products and services are designed with security in mind. Risk can never be truly eliminated, but it can be reduced and managed. Equally, trust is something that needs to be gained and relied upon and is not simply about technology. Between businesses and governments, trust is about keeping promises and whether statements or actions are truthful and verifiable. Future telecommunications networks rely on both secure technology and trust.

Food security could be significantly disrupted by attacks on connected agriculture

In general, it is often difficult to justify security measures to businesses as there is no obvious return on investment. Some companies have taken the attitude that they can weather any storm from a cyber attack because there is no real financial downside. This is beginning to change. Large businesses have been hit by ransomware attacks that have crippled their operations and in some cases put them out of business, and governments are finally beginning to acknowledge cyber-crime and take it seriously.

Increasing Resilience

As telecommunications networks have developed, we’ve slipped into a world where our reliance on them is such that we can’t afford for them to be disrupted.

The 5G vision is a collection of technologies, including different types of IoT radio and device types across multiple different sectors or ‘verticals’. This opens up a new set of issues around the ‘cyber-physical’ space – that is, attacks no longer just remain virtual. A cyber attack could potentially interact with a real-world object or system, causing catastrophic consequences. In farming this could mean the loss of irrigation, causing food security issues. In heavy industry, this could mean the complete destruction of a blast furnace, and in the automotive sector it could mean that cars could be stopped in the middle of the road, essentially halting the economy instantly.

Disruption to connected vehicles could cripple economies

Hostile nation states are already seeking to take advantage of the fact that the weakest links can be the most effective points of attack. Taking over a consumer or small business router can allow the attacker to create a bridgehead inside the UK, opening up all sorts of possibilities, including distribution of disinformation or ‘fake news’.

In addition, networks are shifting from a world where individual hardware boxes make up a network to one in which those functions are ‘virtualised’, with all the functions now built into software. This means greater speed and reliability on the one hand, but also means that you’re really putting your eggs in one basket on the other.

Increasingly, there has been a drive to reduce costs and this has meant that in some cases security is at the end of a long list of requirements. This is where government has a role – to level the playing field such that everyone must provide an acceptable bar of security for entry into the market in the first place, thus affording every citizen in a country a certain guarantee of protection from the disruption of security compromise of a telecoms network or equipment vendor.

The supply chain that we’ve slipped into also means that companies are increasingly relying on open source software – that is, software that is developed openly and collaboratively by a community of individuals and released for anyone to use under a licence. The challenge that has been faced for years is that companies are very happy to ‘take’ software for free, but rarely contribute back. This is a particular issue for security. While open source is openly visible for peer review, attackers aren’t going to submit a fix for security flaws they find! This, combined with many companies not keeping the open source libraries in their products and services up to date, can be a real issue for security.

Addressing the Challenges of Supply Chain Security

These risks mean that extra attention has to be paid to the fundamentals of how networks are built from the ground up and how to make them more resilient. From a security design perspective, that means building defence-in-depth, mobile network operators not relying on single vendors in order to spread the risk more evenly, and validating that what is being built doesn’t contain known security vulnerabilities and flaws. It isn’t possible to create a flawless system, and it isn’t possible to design software and hardware without the possibility of security vulnerabilities. Acknowledging this fact leads to the necessity that companies stay on top of security research and have systems and processes in place to deal quickly with security vulnerabilities and exploitation as they arise. While the country of origin of a product or service is clearly a security consideration for both companies and governments, if the product can be thoroughly validated and meets a good level of product security together with other cyber security measures, it matters much less. The overriding concern is that if a product or service supplied from anywhere in the world is fundamentally insecure, any country could theoretically attack it successfully; it doesn’t matter where the product originally came from.

There are many factors in the telecommunications supply chain to consider, including hardware security, cryptographic key management, logistics, testing, auditing and security vulnerability management. From an industry perspective, for network operators many of these are areas that have been opaque for some time, with vendors supplying products which have had little-to-no security and basic issues like default passwords. For vendors, operators have not been willing to pay more for security and have squeezed vendors for lower-priced products; vendors are not really questioned when products are delivered with basic security flaws. For the entire world, there is a shortage of engineers who understand security – a failure by governments and the education system to understand that security must be a core component of modern engineering degrees and training. While some action has been taken, it cannot currently supply the demand needed now and in the future. Companies therefore need to step up and, as part of their efforts to increase security, invest in training their own existing staff on product and cyber security.

Preventing Insecure Connected Products Being Sold

Work on improving security in the Internet of Things (IoT) continues apace! The UK government has reached another milestone in its mission to make the country one of the most secure places to do business and to live in, with the release of proposals for regulating the cyber security of smart products. They are well worth a read and provide a good steer as to what the future of insecure connected products will look like when we collectively say ‘Enough is enough’.

This Call for Views invites feedback until early September 2020 on a range of options as the government moves towards legislation based around the top 3 items in the UK’s Code of Practice for IoT Security:

1) To eliminate the problem of default passwords.
2) To ensure that companies in the IoT space have a way for security researchers to be able to contact them to report vulnerabilities in products.
3) To be transparent to consumers about how long software updates will be available.

These are anchored in the recently approved European standard for IoT security, ETSI EN 303 645, which has the support of industry and governments across the world, marking a significant harmonisation of views on how the problem should be approached.

The Call for Views outlines the aims of the government – to achieve an outcome where there are no products available on the UK market that are non-compliant with the above. In simple terms – you shouldn’t be able to buy a product that has not been designed securely.

This is of course just the start. The items above are fundamental, but there are many different types of security that should be built into products; it’s just that some manufacturers of products and services choose not to do that. You wouldn’t allow a food manufacturer to supply to shops if they hadn’t taken basic sanitation measures, so why should that be allowed in the smart product space?

Proposed Scope

The scope of products included is broader than IoT products and covers the scope of nearly all the connected products you could find in a home, including laptops and mobile phones. As PCs and mobile phones have been under attack for many years now, the product security in those industries is significantly mature and it really shouldn’t be an issue for those companies to conform to the basics because they’re already doing them.

The core scope is the connected products that everyone has concerns about – children’s toys, cameras, appliances such as fridges or washing machines, safety-relevant products such as connected door locks and so on as well as IoT ‘hubs’.

One area that has been a significant concern for many years is home routers. These rarely get updated and often stay in place in homes for many years without being touched. If they’re compromised, they can create a big issue for users because they’re the point of entry to the home and everything else that is connected; equally, compromised routers and other equipment at scale can create harm to others across the world by being part of other types of attack.

The proposed scope also covers home workers by including things like printers and office equipment that you might find in both a home or office. This is particularly relevant as businesses have shifted their workforces to home during the Covid-19 crisis.

Some things are out of scope because there is existing or forthcoming regulation in those domains – for example, smart Electric Vehicle (EV) chargers, smart meters and medical devices.

Enforcement

The work laid out in the proposals sets out the obligations on Producers and Distributors, formalising the language that has been used thus far such that it forms the basis of a legislative and regulatory framework governing people who make products but also those that sell them into the UK. It also means that there must be a way to test and declare compliance of these products. This comes at a good time, as the EU Cyber Security Act will also require such action to take place across lots of different types of networked products. The proposals also lay out when they expect companies to be compliant – it is proposed that everything must be in place within 9 months of Royal Assent of the legislation. The implication is that companies have had long enough and enough warnings that these practices are simply not acceptable.

The list of proposed enforcement actions aligns with other existing ways of removing products from the market – i.e. issuing compliance notices, through to enforcement with real teeth: it is proposed that order breaches are contempt of court which carries a maximum penalty of a fine and two years’ imprisonment. Forfeiture and destruction of products are also on the table as well as financial penalties – the fine amounts are to be determined but a note states that other regulations consider fines of up to 4% of annual worldwide turnover (a clear reference to the EU data protection regulation GDPR). This alone shows that the intent is for the regulation to have real teeth and that the government means business. The ‘Avengers’ team of superheroes working on this project at DCMS and NCSC have done a fantastic job once again, supported by lots of other government departments. Especially now as well – ‘Quiet Batpeople’ is certainly not the right term, but these individuals have all also been volunteering to deal with various aspects of the Covid-19 response, so to deliver this work as well is a huge achievement!

Mapping the Global Direction and Understanding of IoT Security

Understanding where everyone stands on this from a technical perspective is a tough job. I am lucky to have a fantastic team who have been working on doing just that. We have continually been monitoring the progress of IoT security recommendations and standardisation and will continue to do so. Our work can be seen at https://iotsecuritymapping.uk. We recently added recommendations from Australia, Singapore, California’s new law on connected device security and the US National Institute of Standards and Technology (NIST)’s Device Cybersecurity Capability Core Baseline. There are more documents being mapped soon and we’re tracking work from Brazil, to India, to proposed legislation in the US State of Oregon.

We have noticed that there is defragmentation of ideas and recommendations happening across the world as there is a greater collective understanding of the problem domain and how to solve it. The mappings that we have recently created show strong alignment against the top 3 items listed above. We have also observed that whilst some countries are slightly less mature than the UK in tackling the issue, they can benefit from the international standardisation that has taken place and are starting to adopt and endorse this already. Truly we can adopt a global stance that it is unacceptable to provide connected products without even considering the basics of product security.

The Call for Views is open until the 6th of September 2020 and anyone can give feedback on the proposals to DCMS at: securebydesign@dcms.co.uk.

Here’s some more background material if you’re interested in further reading:

Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline: things that are really fundamental but which, if not implemented, can cause huge consumer harm. Default passwords in consumer devices in this day and age are, well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

  • in access – for security researchers who want to report vulnerabilities to manufacturers easily; and
  • about the minimum length of time that devices will get security updates.

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year, when we created our mapping website, https://iotsecuritymapping.uk, we set out both to help manufacturers understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy, and to provide some reassurance that what we were saying was not unusual. In fact, there was a broad consensus on what we were recommending; the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding, and acknowledged the truly global nature of both the electronics and software supply chain and the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse, or get on and do something and make the world a safer place. We chose action over procrastination.

More reading on this topic:

Copper Horse CEO David Rogers Receives MBE from the Queen at Windsor Castle

Mr. David Rogers is made an MBE (Member of the Order of the British Empire) by Queen Elizabeth II at Windsor Castle, Friday October 25, 2019. Photo credit: Jonathan Brady/PA Wire

David Rogers, Copper Horse’s CEO was made a Member of the Order of the British Empire (MBE) for services to Cyber Security by Her Majesty the Queen on Friday the 25th of October 2019. The investiture took place at Windsor Castle.

After the ceremony, David said “It was a delight and honour to meet Her Majesty the Queen. I have accepted this award on behalf of everyone involved with securing connected products in the ‘Internet of Things’ and working to protect people from online harms. This includes the security research and hacking community, government departments and academia. There is some truly great work going on and there are some fantastic, passionate individuals working on this all across the world.”

More details on David’s work can be found here. Copper Horse provides IoT security consultancy and engineering expertise worldwide from its home in Windsor, UK.

Mapping New IoT Security Recommendations

In late 2018, to coincide with the launch of the UK’s Code of Practice for Consumer IoT Security we launched a website: iotsecuritymapping.uk which mapped IoT recommendations and standards from around the world. Our previous blog explains more of the detail. Earlier this year, we updated the site to include the European Telecommunications Standards Institute (ETSI) Technical Specification, TS 103 645 (pdf) which originated from the Code of Practice.

Today we have launched an updated version of the mapping site which stretches the landscape further with a number of new recommendations from around the world. These have either been sent to us by people who heard about the original mapping work, or are work that we’ve seen launched since then.

The Windsor landscape towards the Copper Horse

The following additional recommendations are added, from all over the globe including Japan, South Korea and the USA:

Some recommendations we looked at had been updated, but the changes were either minor editorial ones or not relevant to mapping against the Code of Practice; in these cases the mapping was not updated.

Updating the External References

One useful thing we created last time was a mapping of external references from the recommendations – it is quite useful to understand where things are happening and which bodies are judged to be the most relevant. We’ve further updated this, and it is no surprise that organisations like the IETF, with massive contribution from industry, are the most referenced and essentially the most used, while other organisations like the ITU, who try to lay claim to IoT, are hardly referenced. We believe this work is the first time that any organisation has attempted to lay out these relationships, to break open the marketing hyperbole with real, factual data.

What are we observing and what does it mean?

There is a broad consensus on what needs to be done in IoT security, which is quite nice to see. Pretty much everyone who is looking at the problem is saying the same thing in different ways. The consumer space seems to be a common starting point because that is where the problem is most visible, but clearly the majority of this work provides a common foundation which is applicable across all IoT ‘verticals’ from industrial IoT, to connected cars.

There are differences in the level of abstraction in recommendations – some are very detailed, others at a high level. This is not a massive problem, it is just that more detailed and specific recommendations can be a real barrier to adoption. It can also affect innovation because detailed specifications tend to deal with the status quo of what exists now. They fail to consider or accommodate the possibility that someone could create something securely without doing exactly what has been put into a bit-level recommendation or standard. It can also affect organisations implementing security in the first place because detailed specifications look daunting. A high level recommendation is easier to access and implement (within the spirit of what is being asked), however it suffers from the fact that people could pay lip service to it or that more detail may be necessary to stop people doing something insecure. We need to find a happy medium between the two approaches for real security success in such a varied market as IoT.

The gaps between the specifications are going to get interesting – where is there divergence and why is that? This looks to be a key piece of work for the future and we may explore that in the coming year.

Keeping the site updated

We’ll keep updating the mapping site until there is a natural end. There is work ongoing which will rationalise these efforts at an international standards level. Once that has happened and there is consensus, we’ll have hopefully achieved what we set out to do – unification and defragmentation of IoT security; at least for the fundamental foundations. We hope you find the latest update useful and do please keep sending your feedback to us.

David Rogers awarded MBE in the Queen’s Birthday Honours list 2019 for services to cyber security

London – Saturday 8th June 2019: Copper Horse, a mobile and IoT security company, today announced that its CEO David Rogers has been awarded an MBE in recognition of his services to cyber security, in The Queen’s Birthday Honours List 2019.

David is the author of the UK’s Code of Practice for Consumer IoT Security. Published in October 2018, it provides invaluable guidance for all parties involved in the development, manufacturing and retail of consumer Internet of Things (IoT) products. The Code was developed as part of the Secure by Design initiative, which was developed in response to the increasing importance of cyber security in the home brought about by the exponential growth of technologies related to the IoT.

David has worked closely with UK Government departments including the Department for Digital, Culture, Media & Sport (DCMS) and the National Cyber Security Centre (NCSC), as well as leading manufacturers, industry associations and the security research community to create the Code.

In addition to his work on the Code of Practice for Consumer IoT Security, David chairs the mobile industry’s GSMA Fraud and Security Group and sits on the Executive Board of the IoT Security Foundation. He teaches part-time at two universities, lecturing on Mobile System Security at the University of Oxford and as a Visiting Professor in Cyber Security and Digital Forensics at York St John University.

Over the course of his career David has been central to the development and execution of industry-level efforts to reduce handset theft, pioneered hardware security recommendations for mobile devices and software update security, as well as introducing vulnerability disclosure to the mobile and IoT industries.

David Rogers, CEO at Copper Horse explained: “There are many talented and passionate individuals involved in cyber security around the globe. From the security researcher community – the hackers of the world – to those in government departments, academia and my own company, Copper Horse. Much of this work goes unsung, yet it doesn’t go unnoticed. All these people are collectively working to highlight insecurity and trying to improve technology around IoT. By helping to secure future products and services, they are protecting the wider public, allowing consumers to reap all the benefits the Internet of Things can bring to their daily lives.

“My role in securing technology is only a tiny part of that overall effort. I am delighted and honoured to be awarded this MBE for services to cyber security.”

For further information, please contact Simpatico PR:

Niki Hutchinson, Director B2B Technology

Tel: +44 (0)7790 776128

Email: niki.hutchinson@simpaticopr.co.uk

About Copper Horse

Copper Horse is based in Windsor, UK and was established in 2011 by mobile security expert David Rogers. The company primarily focuses on mobile and IoT security topics. With a range of world-renowned experts on hand, Copper Horse works on interesting and challenging security and software projects. The company provides consultancy, development and training for subjects ranging from mobile devices and networks, to the connected home. More information can be found at: https://www.copperhorse.co.uk

ETSI publishes European Standard on Consumer IoT Security

David Rogers writes about the launch of the specification: ‘Cyber Security for Consumer Internet of Things’ from ETSI’s TC Cyber group.

Today the European Telecommunications Standards Institute (ETSI) announced the publication of their ETSI Technical Specification, TS 103 645 (pdf).

This work builds on the UK Code of Practice for IoT Security and has had input from experts around the world. It is great that this work has been elevated up to European level and published as a standard. This means a much wider technical audience and crucially, official endorsement at European level by companies and governments.

The discussions during the specification development were very rational, and some of the supporting text was promoted into provisions within the specification, making the overall work stronger. For example, wording that could be considered ambiguous from a technical standpoint has been clarified and considered at length by me and others. This means that whilst we still see this as a high level specification, we’ve also tried to further pin down what we’re trying to say, all whilst trying to ensure that we avoid unintended consequences and companies deliberately trying to avoid putting security into their products via loopholes.

These efforts will continue. During the specification process, there were some really good proposals brought forward on some deep technical aspects about IoT security and privacy that we see as being potential spin-off work items in ETSI – I’m keeping track of what those topics were. There are also things that some of us would like to bring into the Code of Practice for future revisions, such as consideration by manufacturers of issues such as coercive or controlling behaviour which can be compounded by IoT in the home. All these things are for the future, but the great thing is the enthusiasm is there from some brilliant minds both in government and industry, so watch this space!

The IoT Security Mapping site has also been updated to reflect how the ETSI specification maps to the UK Code of Practice in order to help implementers understand how it all fits together, including against other recommendations and specifications from around the world.

Investigating the State of Vulnerability Disclosure in Consumer IoT Products

In August 2018, we were asked by the IoT Security Foundation to look at companies across the world producing consumer focused Internet of Things products and see what the situation is for security researchers when they try to contact these businesses.

Security researchers often have problems when it comes to speaking to companies about their findings, but we wanted to gather some real data about the current market situation because no-one had done this before. In this process, we also tried to record what types of mechanism were in place – i.e. did the company follow best practice for vulnerability disclosure by having a webpage that researchers could report through? Was there an email address to contact the company, and was there a public key available to use to encrypt submitted reports? Did the company operate any kind of ‘bug bounty’ scheme?

IoT devices in the IoT Security Village at DEF CON#26

The IoT Security Foundation published our findings (pdf) today, including a full list of the companies we looked at. The data is also available on request from the Foundation in a machine-readable format (with some additional fields we didn’t include in the report).

Some high-level findings from the report include the following:

  • Over 90% of the 331 consumer IoT product companies researched have no way for a security researcher to contact them easily to report a vulnerability.
  • Of those companies which had a disclosure policy:
    • 41.9% with disclosure policies gave no indication of the expected disclosure timeline.
    • 0.9% of the companies operated with a hard deadline of 90 days for fixes to reported issues.
    • 46.9% of policies also had a bug bounty programme. Two of these programmes were however by invitation only, so were not open for general contribution.
    • 78.1% of companies with policies supplied researchers with a public key for encryption to protect their communications and report details.
    • 18.8% of companies with policies utilised a proxy disclosure service (1.8% of total companies examined).
  • 7.6% of the overall companies publicised a public PGP key for researchers to use to encrypt, protecting their communications and disclosure report details.
  • 0.9% of companies had forms for reporting vulnerabilities or contact points, but no published vulnerability disclosure policy.


Our CEO, David Rogers, said: “The data doesn’t lie – connected product companies are woefully bad when it comes to allowing security researchers to report issues to them. It is further evidence of the poor situation for product security in the Internet of Things. There is no need for this; there are recommendations and an international standard available for companies to adopt. There needs to be a shift of mind-set to take security seriously at the Boardroom level of connected product companies, and for them to realise that regulators are starting to take action against the existing lax attitude towards product security.”


John Moor, Managing Director of the IoT Security Foundation, said: “We conducted this research to better understand the contemporary status of vulnerability disclosure policy in practice. It’s part of our mission to raise awareness and help improve the situation, and we hope that by highlighting this subject area, and identifying companies in the report, we can make positive progress in the future. For any company making connected products, it is fundamental to understand the importance of disclosure policy and leverage the research community to help make safer connected products.”


It is clear that things need to change and fast. Guidance on how to implement Coordinated Vulnerability Disclosure is available from the IoT Security Foundation (pdf).


Mapping IoT Security and Privacy Recommendations and Guidance


The UK’s work on consumer IoT security and privacy, led by the Department for Digital, Culture, Media & Sport (DCMS), has continued since its Secure by Design report and the Code of Practice for Consumer IoT Security were published for public comment in March 2018. Our team has been working on mapping IoT security and privacy guidance to the Code of Practice, and we’re now launching https://iotsecuritymapping.uk to support the initiative, including hosting open data files containing all the various mappings.


We believe this will be really helpful for the many companies and organisations involved in IoT. It will help to defragment the standards space, and it will help companies understand how to improve security by showing them which existing recommendations facilitate implementation of the UK’s Code of Practice.


You can read our CEO’s blog on this topic here.

Discussing the UK government’s Code of Practice for IoT Security and the Future


Copper Horse’s CEO, David Rogers, talked to Rocco’s Jason Bryan for the Rocco Radio Newsdesk about the launch of the UK government’s Secure by Design report and the Code of Practice on IoT security. The government’s Secure by Design report is available here.


The podcast covers a range of topics including:

  • the UK government’s work to protect UK consumers:
    • how work from the mobile industry can be carried over into the IoT world
    • what circumstances and threats led to the work being created
    • the thinking behind the work
    • what other standards bodies and organisations are doing in the IoT security space
    • the details of the Code of Practice, including vulnerability disclosure, software updates and eliminating default passwords
  • the implications of security attacks on network operators
  • machine-to-machine and IoT concerns
  • identifying insecure products and what “insecurity canaries” are
  • product labelling and future smart approaches to digital labelling
  • the use of digital certificates and the challenges of counterfeiting
  • certification of devices, including those with embedded SIMs, and how that might work
  • regulation and what might happen in the future
  • design approaches
  • safety in IoT and the future risks of death
  • signalling storms, resilience and future attacks on network operators
  • SLAs in business relationships between network operators to guarantee safety in IoT
  • why smaller network operators need to pay attention to IoT security

If you’re interested in learning more about IoT security, we run an IoT security training programme which is led by David. Click on the link below for more details: