
How to have trust in the security of smart home devices?

By Stuart Corner
11/12/2023

Cybersecurity is a tricky area and several government bodies are trying their best to put together standards for a changing industry. Stuart Corner looks at what it means for integrators.

In 2021 UK consumer organisation Which? set up a smart home to test the vulnerability of smart home devices and the frequency of cyber attacks. It found 12,000 scanning or hacking attempts in a single week.


Most devices were able to fend off the attacks, but according to Which?, an iGeek wireless camera bought from Amazon was hacked, had its settings changed and was used to try to spy on the home’s occupants. It had been labelled an ‘Amazon Choice’ and had more than 8,500 reviews, 68% of which gave it the full five stars.

Clearly, peer review is not a reliable way to assess the security of smart home devices. Nor should it be. Around the world, including in Australia, governments are recognising the need for voluntary or mandatory standards covering the security of consumer IoT devices and/or for some means of assuring customers that the smart home devices they are about to buy come with robust security: a labelling or ‘trust mark’ scheme.

Back in 2019, the governments of the ‘Five Eyes’ group — Australia, Canada, New Zealand, the UK and the US — issued a joint statement of intent on the security of the Internet of Things (IoT), saying the lack of security in IoT devices was a global issue and that they needed to work together to address the problem with common and consistent messaging.

At the time, the UK Government said that more than 90% of 331 manufacturers supplying IoT devices to the UK market did not possess a comprehensive vulnerability disclosure programme up to the level it would expect: “Breaches involving connected devices are increasingly becoming common, simply because manufacturers had not built important security requirements, such as using unique credentials, into their products.”

Voluntary codes and labelling

Australia’s then Coalition Government acted promptly following the Five Eyes statement, seeking community and industry input on ways to improve the security of the IoT for consumers. It led to publication in September 2020 of a voluntary code of practice Securing the Internet of Things for Consumers, which remains in force today.

However, the code lacked any mechanism through which vendors could indicate conformance on their products. Since then, in Australia and elsewhere, problems with voluntary codes or standards, and a lack of any indication of conformance, have prompted moves to introduce both mandatory standards and some kind of trust mark.

Most recently, the US Government announced in July a cybersecurity labelling program for smart devices designed to protect consumers. Under the proposed scheme consumers would see a distinct US ‘Cyber Trust Mark’ applied to products meeting established cybersecurity criteria.

The scheme will be voluntary, but the government announcement said consumers would be educated to look for the new label when making purchasing decisions and major retailers would be encouraged to prioritise labelled products in stores and online.

The US is several years behind other major economies such as the EU, the UK, Singapore and India in moves to beef up the security of smart home devices.

Singapore claims to have been the first country in the Asia Pacific to introduce such a scheme. Its voluntary Cybersecurity Labelling Scheme for consumer IoT devices covers “categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers.”

India has had a mandatory code of practice for securing consumer IoT devices since 2021.

Moves to make security mandatory

Both the UK and the EU are moving to make conformance to security standards for consumer IoT devices mandatory. In June 2022 the EU unveiled its Cyber Resilience Act “to protect consumers and businesses from products with inadequate security features.”

Billed as “the first ever EU-wide legislation of its kind,” it will impose mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle. The EU describes the act as “disruptive legislation”. It has yet to come into force: as of July 2023, member states had reached a common position on the proposed legislation.

The UK Government introduced a voluntary Code of Practice for Consumer IoT Security in 2018 and will make device security mandatory with the Product Security and Telecommunications Infrastructure Act 2022, which comes into force in April 2024.

Neither the UK nor the Australian codes of practice contain provisions for any kind of labelling scheme or ‘trust mark’ to indicate compliance, and neither gives any indication as to how compliance should be communicated to potential purchasers.

Six months after Australia’s voluntary code of practice was introduced the government conducted research to see how well it had been received. A web page on the code of practice states: “Major manufacturers we interviewed told us that they were aware of the code of practice but found it difficult to implement voluntary, principles-based guidance.”

However, the government has done little to help promote the code. The page notes that the Australian Cyber Security Centre (ACSC) has developed a complementary Internet of Things guide “to help individuals, families and small and medium businesses buy, use and dispose of smart devices securely.” Its advice on what consumers should do before purchasing an IoT device makes no mention of checking if a product conforms to the code of practice!

And just as in the UK, Australia’s voluntary code of practice is proving less than effective. In 2021 a process was set in train to develop a mandatory code and/or for some kind of labelling scheme to indicate conformance, but progress appears to have stalled with the change of government.

Australia contemplates mandatory standards

In 2021, the Coalition Government issued a discussion paper, Strengthening Australia’s Cyber Security Regulations and Incentives, calling for submissions on many proposed initiatives. Among these initiatives were options for mandatory standards for the security of consumer IoT devices and a voluntary labelling scheme.

It made a strong case for the voluntary labelling scheme, saying consumers lacked clear, accessible information on smart devices, many of which had poor cyber security and that labelling schemes had proved effective for other product attributes such as nutritional value and energy, water and fuel efficiency.

“There is evidence that consumers think that cyber security is an important buying consideration and worth paying for. For these reasons, we think that a cyber security labelling scheme could be successful in Australia,” it concluded.

The discussion paper noted that a mandatory standard would face significant hurdles. It would require legislation and the appointment of an existing body as regulator, responsible for educating manufacturers about the standard and taking enforcement action if needed. It said mandatory standards could also reduce product choice and increase product cost, citing estimates from the IoT Alliance Australia (IoTAA) that certification through independent testing facilities would cost manufacturers between $7,000 and $12,000 for most products.

The web page for the review, last updated on 23 May 2023, gives no indication of progress, and an email to the enquiry address received no response.

Meanwhile, an independent organisation is well advanced with plans for a global voluntary labelling scheme, or trust mark, for the security of IoT products, and it is an Australian initiative.

A global ‘trust mark’ scheme

The IoT Security Cyber Trust Mark organisation is the brainchild of Melbourne-based Enex Pty Ltd (a company providing testing services for IT equipment) but is now an independent organisation that is seeking to trademark its IoT trust mark around the world, and to accredit labs to test devices for conformance to the standards underpinning it.

The trust mark takes the form of a QR code: anyone contemplating purchasing a product will be able to scan the code and view the current status of certification (in particular to see if it has been suspended as a result of a vulnerability being discovered).

Enex founder and chief executive, Matt Tett, tells Connected magazine that the organisation planned to create a global program for vendors in which participation would be voluntary, and in which their security claims would be independently tested and assessed to provide assurance for customers — governments, businesses and consumers — that products met certain levels of security attributes.

“In each jurisdiction we will have a host country association, a body that represents, preferably, consumers rather than industry. They will lobby the government and raise the awareness of the scheme. Then there will be a decision authority, the technical authority, which will work closely with the host country associations,” Matt says.

“There could be one decision authority for the world, or it could be ten decision authorities. It just has to scale and has to be federated. The decision authority will be the one that reviews and approves the accredited test facilities.”

He says the scheme, which originated in 2006, was still in startup mode, with the biggest hurdle being the need to trademark the trust mark in multiple jurisdictions: “We’ve got trademarks in Europe, the UK and Australia. The US, Singapore, Canada and New Zealand are at different stages of the process.”

He adds that a pilot proof-of-concept trial certifying about 100 products had been run over three years ago, and that conformance criteria were being developed to ensure any product receiving the trust mark would conform to any national or regional requirements for certification.

Whatever policies and systems emerge to give consumers confidence in the security of smart home devices, they cannot come soon enough in the face of a surging uptake of these devices. Market research company Telsyte has estimated that Australian households will have, on average, 33 connected devices by the end of 2026. It said one of the main benefits households expect to gain is increased security. Without confidence in the security of individual devices, such expectations are unlikely to be met.
