TRC Introduces a Security Baseline for IoT Devices
A security baseline for IoT devices addressed default password practices, update mechanisms, communication security and end-of-life disclosure.
Development
The 2024 baseline for the security of internet-of-things (IoT) devices addresses a rapidly growing category of connected equipment used across Cambodian consumer, enterprise and public sector environments. Cameras, sensors, smart-home devices, industrial monitors, connected vehicles and building management systems are all examples of IoT devices that use Cambodian telecommunications networks to send and receive data.
The baseline responds to security incidents involving poorly configured or unpatched IoT devices, which have been used to launch distributed attacks, to compromise sensitive environments and to expose personal data. It draws on internationally recognised guidance and articulates a set of minimum expectations for devices sold in or connected to networks in Cambodia.
Scope of the baseline
The baseline applies to consumer and enterprise IoT devices that are capable of connecting to a communications network and that are made available on the Cambodian market. It does not attempt to address every category of connected device but focuses on general-purpose IoT products where security failures can affect the users of the device, other users of the network or third parties.
The baseline is intended to complement, not replace, sector-specific rules that may apply to particular categories of device, including medical devices, vehicles or industrial control systems. It also complements type approval, where applicable, and other rules relating to the placing of equipment on the market.
Security requirements
The baseline identifies a set of security requirements that IoT devices are expected to meet, drawing on internationally accepted principles. These include the absence of universal default passwords, the availability and delivery of security updates for a defined support period, secure communication of sensitive data, minimisation of exposed attack surfaces, protection of stored credentials and appropriate handling of personal data collected by the device.
The baseline also expects that devices provide clear information to users about their security features, about the mechanism for applying updates, about the arrangements for reporting vulnerabilities and about the point at which the manufacturer will cease to support the device. Users are entitled to make informed decisions on the basis of this information.
Manufacturer and importer responsibilities
Manufacturers of IoT devices intended for the Cambodian market are expected to design their products in accordance with the baseline, to provide documentation demonstrating conformity and to make appropriate declarations to importers and distributors. Importers and distributors are expected to place on the market only devices that satisfy the baseline and to keep records that support their claims of conformity.
Where devices are found not to comply with the baseline, remedial action may be required, including software updates, replacement of components, provision of clearer user information or, in serious cases, withdrawal of the device from the market. Enforcement is expected to be proportionate and to focus on cases where non-compliance creates material risks.
Network operator considerations
Mobile operators and internet service providers are affected by IoT security in two ways. First, insecure IoT devices connected to their networks can be used to launch attacks, to consume network resources and to generate abnormal traffic patterns that affect other customers. Second, operators frequently offer IoT connectivity products to enterprise customers, in which case they may be expected to provide security guidance and to support customers in managing risks.
Operators are encouraged to monitor traffic patterns for signs of IoT-related abuse, to develop procedures for identifying and isolating compromised devices and to cooperate with the authorities in coordinated responses to significant incidents. Operator-provided IoT platforms should be designed with appropriate security controls and should support customer visibility and management.
Enterprise deployments
Enterprise deployments of IoT often involve large numbers of devices, potentially over long periods and in locations that are difficult to access physically. The baseline is particularly important in such deployments, where security failures can be difficult to detect and expensive to remedy at scale. Enterprises should choose devices that meet the baseline, should require security assurances from suppliers and should design their deployments with monitoring and update mechanisms that support security over the lifetime of the equipment.
Where enterprises operate their own IoT platforms, they should apply general information security principles to those platforms, including access control, encryption, monitoring and incident response. Third-party platforms should be evaluated for security and contractual protections should reflect the enterprise's own requirements.
Consumer information and support
Consumers are increasingly exposed to IoT devices in everyday life. The baseline aims to provide a level of protection that does not depend on the technical sophistication of the individual user. Clear information at the point of purchase, easy update mechanisms, sensible default configurations and simple reporting channels for problems all contribute to consumer confidence and to effective security in practice.
Where consumers become aware of security issues, they should be able to seek support from the manufacturer or authorised distributor, to obtain updates where available and, where necessary, to raise concerns with the authorities. Awareness campaigns can help consumers understand the basic steps they can take to secure their own devices.
Ongoing evolution
The IoT security baseline is expected to evolve as technology and threats change. The authorities may update the baseline periodically to reflect new international guidance, emerging attack patterns and lessons learned from incidents in Cambodia and elsewhere. Stakeholders are encouraged to engage in consultation processes and to share information about security issues in a way that supports collective improvement.
Coordination with international frameworks, standards bodies and other national authorities is important to ensure that the Cambodian baseline remains aligned with global practice and to reduce the cost and complexity of compliance for manufacturers that operate across multiple markets.
Practical implications and next steps
For manufacturers and importers of IoT devices, the baseline calls for a review of product design, of supporting documentation and of arrangements for security updates and user information. Products intended for the Cambodian market should be assessed against the baseline, and evidence of conformity should be maintained in a form suitable for regulator engagement.
For operators and enterprise customers, the baseline provides a useful reference for procurement decisions and for the design of IoT deployments. Contractual arrangements with suppliers should reflect the baseline, and internal controls should be designed to detect and respond to security issues that arise despite these arrangements.
Lex Civora advises manufacturers, importers, operators and enterprise customers on the interpretation and application of the IoT security baseline, on the negotiation of supply and platform arrangements, on the response to security incidents and on engagement with the authorities on IoT-related matters.
This article is provided for general information only and does not constitute legal advice. Regulatory positions may change; readers should verify obligations against the current official publication or seek professional advice before acting.
