NCSC CEO Calls for International Standards on IoT Security

Connected devices must be made secure by design to realise the enormous potential of smart cities, said NCSC CEO Lindy Cameron in a speech on October 20, 2022.

Cameron delivered the talk at Singapore International Cyber Week, in a country that has taken major strides in the use of connected devices to manage vital services, such as transport, waste, CCTV, streetlights, traffic lights, parking and emergency services.

“At every level, individual households, businesses, cities and local governments are keen to reap the benefits of ‘smart devices.’ The benefits are obviously compelling. They provide a range of critical functions and services to us all. This should be an opportunity, not a threat,” outlined Cameron.

However, she noted that as these technologies are increasingly used to exchange, process and store sensitive data, as well as control critical operational technology, they are becoming “an attractive target for a range of threat actors.” She added: “The threat posed by nation states is particularly acute.”

To counter this danger, IoT devices must have security built in from the design stage. Cameron highlighted a number of recent standards and legislation adopted in the UK to ensure smart device manufacturers are implementing security-by-design principles in their products. This began with a 13-point Code of Practice that the NCSC developed for the IoT industry in 2018, which was updated in May 2022.

In 2020, an ETSI Standard on Connected Product Security, EN 303 645, was created and adopted by the UK government. These standards are now being incorporated into law in the UK, with the Product Security and Telecommunications Infrastructure (PSTI) Bill currently going through Parliament. This will place requirements on smart device manufacturers such as banning universal default passwords, forcing firms to be transparent about actions they are taking to fix security flaws in their products and creating a better public reporting system for any vulnerabilities discovered.

Cameron also highlighted the UK government-backed Digital Security by Design (DSbD) initiative, which is working to secure underlying computer hardware, preventing most vulnerabilities from occurring.

She said that countries across the world need to work together to implement these approaches for them to be effective. “If they are going to have an effect then we need the commitment of governments and manufacturers around the world to enforce these standards,” she stated, adding: “We believe this approach is foundational to the security of future IoT.”

Summing up, Cameron called for the introduction of “clear workable international standards which shepherd technology towards a safer and secure future so that we can fully grasp the incredible advantages which these emerging technologies promise.” She argued that if this doesn’t happen, smart cities will offer “an ever-increasing attack surface and proliferation of vulnerabilities for our adversaries – both states and criminals – to exploit.”
