Australia releases draft IoT cybersecurity code of practice

The government wants the tech industry to secure the Internet of Things through a voluntary code, and the states and territories to join it in 'an aligned and harmonious approach'.
Written by Stilgherrian , Contributor

The Australian government has released a draft code of practice for securing the Internet of Things (IoT), with a public consultation running until 1 March 2020.

The voluntary Code of Practice: Securing the Internet of Things for Consumers, published on Tuesday, is intended to provide industry with best-practice advice.

It will apply to all IoT devices available in Australia, including "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers".

The code is based on 13 principles, detailed over three pages.

The first three are the highest priority, the draft reads, and include: No duplicated default or weak passwords, implementing a vulnerability disclosure policy with device manufacturers, service providers and app developers to have a public point of contact, and to keep software securely updated, including firmware. 

Following on are calls to securely store credentials and security-sensitive data, ensure personal data is protected and that "adequate industry-standard" encryption is applied to data in transit and at rest, and to validate input data so that it "authorised and conforms to expectations".

The code also states that exposed attack surfaces be minimised and devices and services operate on the principle of least privilege with unused functionality disabled, have software verified with secure boot mechanisms, make systems resilient to outages, monitor telemetry data for cyber anomalies, have clear instructions for users to data personal data, and make installation and maintenance of devices easy.

"We're releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cybersecurity," said the Minister for Home Affairs, Peter Dutton.

"Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design."

The government said that it will also "work with states and territories to ensure an aligned and harmonious approach".

Australia is just one of the countries developing codes of practice and even enforceable laws for IoT security.

In July, Australia co-signed a Statement of Intent regarding the security of the Internet of Things with the Five Eyes nations in London. The draft code "aligns with and builds upon" the guidance provided by the UK earlier in the year.

A similar code [PDF] has also been developed by the European Union.

California has taken things a step further, passing an IoT security law in late 2018. It comes into force on 1 January 2020 when all IoT devices sold in California must be equipped with "reasonable security measures".

Related Cyber Coverage

Editorial standards