Guidelines for strengthening cyber security - IoT devices
On 3 March 2023, the Department of Telecommunications (DoT) issued a set of advisory guidelines to machine-to-machine (M2M) / internet of things (IoT) stakeholders for securing consumer IoT (Guidelines). These Guidelines have been issued pursuant to a technical report released by the Telecommunication Engineering Centre titled “Code of Practice for securing Internet of Things (IoT)” (CoP). The CoP inter alia aimed at protecting the users and the networks that connect IoT devices.
Background
IoT is indisputably one of the fastest emerging technologies across the globe and has cut across various industries including healthcare, communications, energy, automobile, public safety, agriculture etc. In view of the extensive application and growing dependency on smart infrastructure, it is crucial to ensure end-to-end security of smart devices. Pertinently, the level of security required for each such product varies across applications and associated services. In this light, the CoP was issued by TEC for securing consumer IoT products that are connected to the internet and/or a home network, and their associated services, such as inter alia connected wearable health devices, smart cameras, TVs, speakers, connected home automation and alarm systems etc.
The CoP, which postulates the concept of ‘Security by Design’ and implementation of the ‘National Trust Centre’, also sets out guidelines for securing such consumer IoT products which include setting unique passwords for IoT devices, implementing a responsible vulnerability disclosure program, securely updating software components, securely storing sensitive security parameters, ensuring protection of personal data, etc. The Guidelines issued by DoT are focused on these aspects and are issued for all stakeholders in this ecosystem, namely M2M service providers, telecom service providers, etc.
Broad guidelines for M2M / IOT stakeholders
No universal default passwords:
Many consumer M2M / IoT devices are sold with default pre-set passwords. This has been noted as one of the major reasons for security concerns. Thus, it is advised that all consumer M2M / IoT devices must have unique passwords per device. Alternatively, users may also be required to choose a password based on the prevailing best practices while obtaining such a device. The passwords must not be resettable to any universal default value. As a matter of best practice, the strongest possible password must be used, as appropriate depending on the context of usage of the device. It has also been recommended that for associated web services, multi-factor authentication must be enabled, and any unnecessary user information must not be disclosed prior to authentication.
Implement means to manage reports of vulnerabilities:
M2M / IoT stakeholders have also been advised to designate a dedicated public ‘point of contact’ as a part of their vulnerability disclosure policy, for the reporting of security-related concerns and issues by security researchers and others. M2M / IoT stakeholders have also been recommended to act upon disclosed vulnerabilities in a timely manner to avoid the risk of any significant harm. In order to facilitate responsible and coordinated disclosure and remediation of vulnerabilities, it has also been suggested that the cyber security community must be encouraged and rewarded for identifying and reporting vulnerabilities in the security systems of these devices.
Keep the software updated:
The Guidelines also shed light on the importance of securely updating software in the devices and the steps to be followed in this regard. Updates should be easy to implement, made available in a timely manner, and should not adversely impact the functioning of the device. M2M / IoT stakeholders must also publish an ‘end-of-life’ policy for end-point devices which expressly sets out the assured duration for which a device will receive software updates. Devices that cannot be updated should be isolatable and replaceable. Notably, an obligation is also placed on retailers and manufacturers to inform consumers in a timely manner whenever an update is required and to also explain the need for such an update to those consumers.
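As an added illustration (not part of the DoT Guidelines or the TEC CoP), the following script audits a constructed device inventory against the password and update-support points summarised above: universal or shared default passwords, a factory reset that restores a universal default, associated web services without MFA, and a missing or expired assured update period. The record fields, the list of universal defaults and the sample devices are all assumptions made for this example.

```python
from collections import Counter
from datetime import date

# Constructed sample inventory; field names are assumptions for illustration.
DEVICES = [
    {"id": "cam-001", "password": "Xq7!vL2#pR9w", "factory_reset_password": "Xq7!vL2#pR9w",
     "web_mfa": True, "support_until": date(2027, 3, 3)},
    {"id": "cam-002", "password": "admin", "factory_reset_password": "admin",
     "web_mfa": False, "support_until": date(2027, 3, 3)},
    {"id": "plug-010", "password": "Kd3$mN8&tQ1z", "factory_reset_password": "Kd3$mN8&tQ1z",
     "web_mfa": True, "support_until": None},
    {"id": "plug-011", "password": "Kd3$mN8&tQ1z", "factory_reset_password": "Kd3$mN8&tQ1z",
     "web_mfa": True, "support_until": date(2024, 1, 1)},
]

# Constructed list of universal defaults to reject; a vendor would maintain its own.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345678", ""}

# Date on which the audit is assumed to run (constructed).
AUDIT_DATE = date(2024, 6, 1)


def audit(devices, today):
    """Return {device_id: [findings]} for every device that breaches a guideline."""
    # A password used by more than one device is not 'unique per device'.
    shared = {p for p, n in Counter(d["password"] for d in devices).items() if n > 1}
    findings = {}
    for d in devices:
        issues = []
        if d["password"] in UNIVERSAL_DEFAULTS:
            issues.append("universal default password")
        if d["password"] in shared:
            issues.append("password shared across devices")
        if d["factory_reset_password"] in UNIVERSAL_DEFAULTS:
            issues.append("factory reset restores a universal default")
        if not d["web_mfa"]:
            issues.append("associated web service lacks MFA")
        if d["support_until"] is None:
            issues.append("no published end-of-life date")
        elif d["support_until"] < today:
            issues.append("update support period has ended")
        if issues:
            findings[d["id"]] = issues
    return findings


def run_audit():
    return audit(DEVICES, AUDIT_DATE)


if __name__ == "__main__":
    for dev, issues in run_audit().items():
        print(dev, "->", "; ".join(issues))
```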
Comment
From wrist watches that track your heart rate to factories that can be remotely controlled from a central location, IoT has penetrated numerous households and businesses today. With the remarkable features that these smart devices bring to the table also comes a high risk of security and privacy concerns. It is now more imperative than ever to take active steps towards minimizing the threat of security attacks and system failures. In the past, the Joint Parliamentary Committee, while commenting on the previous iteration of the data protection bill, also advocated a formal certification process for all digital and IoT devices.
Measures such as mandatory testing and certification of telecommunication equipment (MTCTE) are also, inter alia, aimed at ensuring the integrity and strengthening the data security of such devices. While the data protection bill is round the corner, the Guidelines issued by the DoT serve as a timely and important advisory to all industry stakeholders engaged in the M2M / IoT business to gear up their cyber security measures and eliminate the production of devices with weak or sub-standard security.
- Harsh Walia (Partner), Shobhit Chandra (Counsel) & Sanjuktha A. Yermal (Associate)
© 2024 Khaitan & Co. All rights reserved.