The Code of Practice was developed drawing on the technical expertise of the Australian Cyber Security Centre (ACSC) and was created to align with guidance provided by the United Kingdom. The voluntary code, aimed at industry, outlines 13 security principles which represent the "standard for IoT devices" for device manufacturers, IoT service providers, and application developers.
The voluntary Code of Practice: Securing the Internet of Things for Consumers, published on Tuesday, is meant to provide industry with best-practice recommendations.
The government has released a draft voluntary code of practice that is meant to help address the parlous state of security among Internet of Things (IoT) devices. They can also delete the data stored in associated backend/cloud accounts and mobile applications.
Public consultation on the draft code will run until 1 March 2020. The final code will be reviewed iteratively, according to the departments overseeing it: the Department of Home Affairs and the Australian Signals Directorate.
"It is essential that these devices have cyber security provisions to defend against potential threats".
It will apply to all IoT devices available in Australia, including "everyday smart devices that connect to the internet, such as smart TVs, watches, and home speakers".
He said, "We're releasing the Code of Practice for public consultation because we want to ensure that the expectations of all Australians are met regarding cybersecurity".
"Along with our Five Eyes partners we share the expectation that manufacturers should develop connected devices with security built in by design", Dutton said.
The government claimed that it will also "function with states and territories to ensure an aligned and harmonious strategy".
The code has certain limitations for an IoT industry whose supply chain has varying security resources. "In reality, the vast majority of IoT devices, particularly those aimed at consumer use, will have some vendors and supporting supply chains that simply don't have the resources, skills, or even the will to meet the framework's recommendations".
Vanhaelen said consumers cannot rely on government initiatives such as the code of practice for their IoT security and urged them to conduct their own password changes and firmware updates.
The code also states that exposed attack surfaces should be minimised, and that devices and services should operate on the principle of least privilege with unused functionality disabled, have software verified with secure boot mechanisms, make systems resilient to outages, monitor telemetry data for cyber anomalies, have clear instructions for users to delete personal data, and make installation and maintenance of devices easy. These three are the highest priority, and it has been recommended that the IoT industry prioritise them.
The full list of principles can be found in the Draft Code of Practice: Securing the Internet of Things for Consumers [PDF], on which the government has called for feedback from industry and other stakeholders.