Communications Alliance has released a for-comment draft of an IoT security guideline, developed by the security working group of IoT Alliance Australia (IoTAA). The move marks the start of a formal consultation process flagged in February when the guideline first appeared.
IoTAA and Communications Alliance released the document in February with Communications Alliance CEO, John Stanton, saying a public consultation process would be set in train to give a wider range of stakeholders the opportunity to review and add value to the document before it was published by Comms Alliance as an industry guideline.
That first guideline carried the imprimatur of IoTAA. The new document has been published by Communications Alliance.
Communications Alliance says the guideline is designed for the IoT industry and digital service providers that use or provide support services for IoT deployments. It aims to provide them with comprehensive, top-level guidance that will: promote a ‘security by design’ approach to IoT; assist them to understand the practical application of security and privacy for IoT device use; and assist them to understand the relevant legislation around privacy and security.
The guideline itself lists its objectives as being to:
– assist industry in their understanding of the practical application of security and privacy for IoT device use;
– be utilised by the IoT industry, carriers, and carriage service providers that use or provide support services for IoT deployments;
– assist industry in understanding the application of relevant legislation.
However, the guideline also says it “brings together sources of information relating to the security, privacy, and resilience of IoT to assist the IoT industry in delivering quality products and services [but] does not endorse any specific technology or approach for use in Australia.”
The draft guideline lists a number of initiatives applicable to IoT security, including the Open Web Application Security Project (OWASP), the Internet of Things Security Foundation, the Industrial Internet Consortium and others.
It notes that the design and implementation of security controls can be time consuming and costly, requiring a high level of effort in the design and testing phases, and “Where similar products are being developed, their security solutions are likely to be substantively similar, and the re-use of an existing design can often provide an effective solution requiring little more than design integration and testing.”
It says IoTAA intends to progressively develop and publish IoT security design patterns to support the guideline.
Communications Alliance is a founding member of IoTAA and says that, as the primary telecommunications industry body in Australia with established structures for public consultation and document revision processes, it has agreed to review the guideline and to seek feedback from a variety of stakeholders through a process of public consultation.
Once finalised, the guideline will be published as Communications Alliance Industry Guideline G654:2017 Internet of Things Security.
Submissions to the draft are due by 7 July.