WEF lists five security requirements for IoT

  • February 23, 2022
  • Steve Rogerson

The World Economic Forum’s Council on the Connected World has mobilised a multistakeholder coalition of business leaders, government officials and technology experts to build a consensus on baseline security protections for the IoT.

Reflecting the interests of industry, consumers, white hat hackers and governments, the stakeholders agreed on five security requirements for consumer-facing IoT devices in what is the first international consensus of this type.

“As we look to new technologies to help address pressing global challenges – from climate change to rapid urbanisation – we must ensure this progress does not come at a cost to individual safety and privacy,” said Jeff Merritt, the WEF’s head of urban transformation. “This announcement is an important step towards a more secure digital future and is testament to the critical role of multistakeholder collaboration in promoting the responsible development and use of technology.”

Cybersecurity Tech Accord, Consumers International, and I Am the Cavalry, representing more than 400 member organisations globally, developed a statement based on research and dialogue, which has already been endorsed by more than 100 organisations and major tech companies, including Microsoft and NTT. This statement calls on device manufacturers and vendors to take immediate action.

“Microsoft is excited to support this effort to raise awareness and advance best practices throughout the industry, as well as to encourage cooperation across stakeholder groups to advance the security of consumer products including the services and platforms they are built on,” said Rob Spiger, principal security strategist at Microsoft.

Helena Leurent, director-general of Consumers International, added: “Connected devices are in consumers’ homes in increasing numbers, but many are poorly secured and lack basic protections. Consumers face serious risks and may not even be aware. It is encouraging to see support for a much overdue change. Consumer advocates everywhere look forward to seeing active adoption and enforcement of strong standards.”

The five security requirements are:

  • Must not have universal default passwords
  • Must keep software updated
  • Must have secure communication
  • Must ensure personal data are secure
  • Must implement a vulnerability disclosure policy

“By endorsing these five key responsibilities, the organisations that have signed on are sending a clear message about minimum acceptable standards,” said white hat hacker Marc Rogers, vice-president for cyber security at Okta. “Most importantly it is setting a baseline that I hope will unify the industry approach leading to better security for all consumers worldwide.”

Shahid Ahmed, group executive vice-president at NTT, added: “Building a secure and trusted connected world is important to all of us. NTT is excited to participate in this global collaboration between industry, consumer groups and governments to accelerate better security measures for IoT, using these five provisions as a starting point.”

And Annalaura Gallo, head of secretariat at the Cybersecurity Tech Accord, said: “The Cybersecurity Tech Accord is proud to be joining consumer advocates and security activists in an initiative that will help secure the next generation of connected consumer products. Connected devices can bring incredible benefits to consumers but they also come with new cyber risks. We endorse five key security baseline requirements for these devices, hoping they will be promoted and adopted more broadly by governments and businesses worldwide.”

IAR Systems and its subsidiary Secure Thingz announced their active support for the statement.

“The efforts of the World Economic Forum, in addition to the growing national and international standards, are very welcome,” said Haydn Povey, CEO of Secure Thingz. “From Secure Thingz’s side, we are ideally placed to support the improvement of security across all connected devices. It is only by elevating these requirements to the boardrooms of the Fortune 500 companies, and the corridors of power, that we will see the changes in purchasing habits and empowerment of systems, unleashing the radical benefits of the connected world.”