Internet of Things Alliance Australia (IoTAA) is looking to develop an IoT product security certification program that will help consumers identify devices that do not meet the government’s new voluntary guidelines.
The government yesterday released a voluntary code of practice for suppliers of consumer IoT devices designed to keep insecure devices off the market.
The chair of IoTAA’s cyber security workstream, Matt Tett, said developing compliance incentives for vendors and manufacturers would be a challenge for the government.
“The most compelling incentive comes from consumers who insist on compliance with the code; but how will consumers know which devices comply? What criteria can consumers use to ensure that compliance statements are true and accurate?”
In 2017, IoTAA released its Strategy for Strengthening IoT Security in Australia, a key element of which was a recommendation to develop, implement and promote an IoT product security certification program.
“A program such as this, which enables consumers to readily identify devices that have been independently tested against their claimed security features and capabilities, will enable consumers to have confidence that the devices they’re purchasing meet the criteria of the code of practice,” Tett said.
IoTAA CEO Frank Zeichner said IoTAA was considering providing consumers with simple ways to identify and choose secure IoT devices and services. “[This would be] an important next step and one that will drive industry behaviour,” he said.
“We look forward to the Australian Government collaborating with us to develop these procedures and methodologies for enhancing IoT security to protect our consumers and businesses.”
IoTAA has already proposed a security trust mark (STM) scheme. However, it is primarily aimed at high-impact industrial and commercial IoT “for purchase by central government and the wider public sector, particularly in the areas of transport, health, agricultural, industrial control systems, and smart cities.”
IoTAA says the scheme should ultimately be self-funding but financial assistance will be required to launch, administer and market the scheme, and update it as IoT and technologies evolve.
The UK Government, on whose consumer IoT security guidelines the Australian guidelines are based, has proposed a voluntary labelling scheme. This and other schemes were discussed in an October 2018 paper, Rapid evidence assessment on labelling schemes and implications for consumer IoT security, produced by the PETRAS IoT Research Hub, formed by a consortium of nine UK universities.