The National Cyber Security Centre, along with its Five Eyes cyber security agency partners in Australia, Canada, New Zealand and the US, has issued new guidance designed to help counter sophisticated malicious attacks targeting edge devices.

The guidelines aim to encourage device manufacturers to include and enable standard logging and forensic features that ensure robust security by default, and simplify post-breach investigations.

Routers, smart appliances, IoT devices, sensors, cameras and other edge devices are particularly vulnerable to hackers as they often handle important data and connect directly to external networks.

Commenting on the announcement, NCSC technical director, Ollie Whitehouse, said that “in the face of a relentless wave of intrusions” the guidance sets what the Five Eyes partners collectively consider as the minimum standard required to meet the contemporary threat.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber attacks but also provide investigative capabilities [required] post intrusion,” he added. “Alongside our international partners, we are focused on nurturing a tech culture that bakes security and accountability into every device, while enabling manufacturers and their customers to detect and investigate sophisticated intrusions.”

Commenting on the publication of the new guidelines, Juliette Hudson, CTO of cyber security management platform provider, CybaVerse, said that today “all businesses are digital businesses” expanding the enterprise attack surface.

“Having good visibility across network assets and running proactive monitoring for threats are essential, but device manufacturers also have a key role to play and it is essential they practice good security hygiene in the development process,” she added. “Device manufacturers must ensure their tools are manufactured with unique passwords and they should also offer users the ability to apply security patches to mitigate vulnerabilities.

“No products are ever made perfectly, so developers must take into account that vulnerabilities in their products could surface in the future, so customers must have the ability to apply timely patches when required.”

---