The number of IoT devices, such as smart TVs and home assistants, connected to the internet is growing by the day, and so are the potential threats and malicious cyber activity associated with them. To address these concerns, Australia has introduced the “Code of Practice,” a basic cybersecurity standard for all IoT devices in the country.
The Need for “Code of Practice” Cybersecurity Standard
In 2019, the number of active IoT devices connected to the internet globally was merely 7.6 billion. However, research from Transforma Insights suggests that this number will reach nearly 24.1 billion by 2030, generating revenue of more than $1.5 trillion, at 11% CAGR.
Australia is counted as a digitally advanced country, and its digital security standards are regarded as among the best. Testimony to this is the fact that a study on global comparison of cybersecurity defenses ranked Australia as the world’s 15th most secure country. It jumped 12 spots in this ranking from the previous year, which shows its continuous commitment to raising the bar for cybersecurity standards.
However, until now there were no guidelines or security standards defined for IoT devices in the country. Many of these devices are developed with functionality, not security, as the priority, so their cybersecurity is often absent or an afterthought. To change this and improve the cybersecurity of IoT devices in Australia, the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), has developed and introduced the “Code of Practice.”
The 13 Principles of the “Code of Practice”
The ACSC has defined 13 cybersecurity principles for consumer IoT devices, in line with global industry standards, the needs of the Australian people, and other applicable compliance requirements. They are:
- No duplicated default or weak passwords.
- Implement a vulnerability disclosure policy.
- Keep software securely updated.
- Securely store credentials.
- Ensure that personal data is protected.
- Minimize exposed attack surfaces.
- Ensure communication security.
- Ensure software integrity.
- Make systems resilient to outages.
- Monitor system telemetry data.
- Make it easy for consumers to delete personal data.
- Make installation and maintenance of devices easy.
- Validate input data.
In addition to this, the ACSC has also released tips for consumers to secure their personal IoT devices.
Europe was the First in Line
This is not the first time that cybersecurity standards for IoT devices have been introduced. Earlier, in June 2020, the European Telecommunications Standards Institute (ETSI) launched a new cybersecurity standard, ETSI EN 303 645, to establish a cybersecurity baseline for all consumer IoT devices. Apart from the 13 cybersecurity measures it provides and the already-defined GDPR compliance policies for data protection, the ETSI EN 303 645 standard also provides five specific data protection provisions for consumer IoT devices.