View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

NCSC and CISA release device security guidelines for manufacturers

The guidelines have been released in a report along with security divisions in six other countries. Without teeth, however, the suggestions are unlikely to be implemented.

By Claudia Glover

The UK’s National Cybersecurity Centre (NCSC) has released a set of device security guidelines to encourage security by design in the manufacture of internet-facing products.

The recommendations have been outlined in a report, released jointly with the US cybersecurity department CISA and other national watchdogs. As the advice has no teeth, however, the guide is not likely to be followed by the bulk of product manufacturers, researchers warned.

The NCSC has released joint guidelines to urge IoT manufacturers to be more conscious of security in their product design. (Photo by Postmodern Studio/Shutterstock)

The guidelines have been released as part of a report entitled ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default’, in a joint endeavour by the UK, the US, Germany, the Netherlands, Canada, New Zealand and Australia. 

NCSC and CISA release device security guidelines for manufacturers

The NCSC has released recommendations for manufacturers of internet-facing products, such as Internet of Things devices, to encourage them to place security at the centre of product design. Treating security as an afterthought for vulnerable devices “can leave customers open to malicious cyber intrusions and safety risks”, says the security centre in a release. 

The guidelines are broken down into two sections: Secure-by-Design and Secure-by-Default. Secure-by-Design means that technology products are built in a way that reasonably protects against cybercriminals. Secure-by-Default helps products to be resilient against prevalent exploitation techniques out of the box, without additional charge.

The recommendations outlined in the report are written to take the burden of optimising device security off the shoulders of the customer. “The authoring agencies recommend software manufacturers implement the strategies outlined in the sections to take ownership of the security outcomes of their customers through Secure-by-Design and Default principles,” explains the NCSC in the report.

To do this, a manufacturer should “embrace radical transparency and accountability” by taking up strong authentication mechanisms by default or making sure CVEs are complete and accurate. The report also encourages Secure-by-Design tactics, such as the use of memory-safe programming languages, secure software components and vulnerability disclosure programmes, among others.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

“As our lives become increasingly digital, it is vital technology products are being designed and developed in a way that holds security as a core requirement,” explains Lindy Cameron, the CEO of the NCSC. “Our new joint guide aims to drive the conversation around security standards and help turn the dial so that the burden of cyber risk is no longer carried largely by the consumer,” she says. 

“We call on technology manufacturers to familiarise themselves with the advice in this guide and implement Secure-by-Design and by-Default practices into their products to help ensure our society is secure and resilient online.”

How effective will these recommendations actually be?

However, calling on manufacturers to implement costly changes in their design processes will probably not herald much valuable change, explains Bharat Mistry, technical director UK and Ireland at security company Trend Micro, to Tech Monitor. “Unless a manufacturer has got some serious intent behind them and they want to become a proper player in the market, I don’t think these standards or guidelines will be enforced,” he says. 

The bulk of manufacturers will not impose costly changes unless they are forced to via legislation, he continues. “I can’t see that mindset changing of the people in the market who want to make a buck quickly, because ultimately, it means that their costs are going to go up. It needs to be legislation and it needs to have some kind of certification around it,” says Mistry, who warned it was particularly true for start-ups building these devices.

“If you look at everything from small things like light bulbs to things in fridges, these products are not made by big manufacturers. They’re made by really small companies that can get something out to the market very quickly,” and they’re not long-term manufacturers. “They may not be around in a year’s time, they might be looking to be acquired,” he said. “But certainly, they’ll be looking to make a fast buck rather than do anything long term.”

He said the fact so many companies came together to create a set of guidelines “is a good first step” in getting agreement as it shows some intent, “maybe not enforced intent, but intent is there” Mistry added.

Read more: Untitled Goose Tool: CISA releases security tool for Microsoft Azure

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.