United Kingdom - Securing Internet of Things (IoT) with AWS

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

United Kingdom

The UK’s Department for Digital, Culture, Media and Sport (DCMS) published the final version of its Code of Practice for Consumer IoT Security in October 2018. This Code of Practice was jointly drafted with the National Cyber Security Centre and included input from consumer associations, industry, and academia. The document provides 13 guidelines on how to achieve a “secure by design” approach for all organizations involved in developing, manufacturing, and retailing consumer IoT products.

The Code of Practice emphasizes three leading practices for enabling users to achieve the greatest and most immediate security benefits, and urges IoT stakeholders to prioritize them:

  • No default passwords – Many users do not change the default password, which has been the source of many IoT security issues.

  • Implement a vulnerability disclosure policy – IoT device, service, and app developers should have a vulnerability disclosure policy and public point of contact to allow for the reporting (and remediation) of vulnerabilities in a timely manner.

  • Keep software updated – Software updates need to be timely, easy to implement, and not disruptive to the functioning of the device.

As evidenced by the approaches outlined by both the US and UK, the security of IoT will continue to be top of mind for governments. Efforts are also underway by national and international standards bodies to develop standards, guidelines, and best practices for securing IoT, including the International Organization for Standardization (ISO) IoT Reference Architecture and the International Telecommunication Union (ITU) study group on IoT and smart cities.

In the context of IoT, customers should have the flexibility of using existing, time-tested practices already in use in what’s considered more traditional network cybersecurity. For example, when trying to identify vulnerabilities, detect irregularities, respond to potential incidents, and recover from damage or disruption to IoT devices, customers can use the cybersecurity controls mapped against the NIST Cybersecurity Framework (CSF). This foundational set of cybersecurity disciplines is recognized globally and has been supported by governments and industries as a recommended baseline for use by any organization, regardless of its sector or size. The advantage of utilizing the NIST CSF is not just in its reputation, but also in the flexibility it allows for applying cybersecurity while keeping in mind its effect on physical, cyber, and people dimensions. Along with the human aspect, the framework applies to organizations relying on technology, whether the focus is primarily on information technology, ICS, cyber-physical systems, or IoT.