IoT Security Compliance Framework


IoT Security Compliance Framework
Release 1.0
2016 IoT Security Foundation

Notices, Disclaimer, Terms of Use, Copyright and Trade Marks and Licensing

Notices

Documents published by the IoT Security Foundation (“IoTSF”) are subject to regular review and may be updated or subject to change at any time. The current status of IoTSF publications, including this document, can be seen on the public website at: https://iotsecurityfoundation.org/

The contents of this document are provided for general information only and do not purport to be comprehensive. No representation, warranty, assurance or undertaking (whether express or implied) is or will be made, and no responsibility or liability to a recipient or user of this document or to any third party is or will be accepted by IoTSF or any of its members (or any of their respective officers, employees or agents), in connection with this document or any use of it, including in relation to the adequacy, accuracy, completeness or timeliness of this document or its contents. Any such responsibility or liability is expressly disclaimed.

Nothing in this document excludes any liability for: (i) death or personal injury caused by negligence; or (ii) fraud or fraudulent misrepresentation.

By accepting or using this document, the recipient or user agrees to be bound by this disclaimer. This disclaimer is governed by English law.

Terms of Use

The role of IoTSF in providing this document is to promote contemporary best practices in IoT security for the benefit of society. In providing this document, IoTSF does not certify, endorse or affirm any third parties based upon using content provided by those third parties and does not verify any declarations made by users.

In making this document available, no provision of service is constituted or rendered by IoTSF to any recipient or user of this document or to any third party.

Disclaimer

IoT security (like any aspect of information security) is not absolute and can never be guaranteed. New vulnerabilities are constantly being discovered, which means there is a need to monitor, maintain and review both policy and practice as they relate to specific use cases and operating environments on a regular basis.

IoTSF is a non-profit organisation which publishes IoT security best practice guidance materials. Materials published by IoTSF include contributions from security practitioners, researchers, industrially experienced staff and other relevant sources from IoTSF’s membership and partners. IoTSF has a multi-stage process designed to develop contemporary best practice with a quality assurance peer review prior to publication. While IoTSF provides information in good faith and makes every effort to supply correct, current and high quality guidance, IoTSF provides all materials (including this document) solely on an ‘as is’ basis without any express or implied warranties, undertakings or guarantees.

Copyright, Trade Marks and Licensing

All product names are trade marks, registered trade marks, or service marks of their respective owners.

Copyright 2016, IoTSF. All rights reserved.

This work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. To view a copy of this license, visit Creative Commons Attribution-NoDerivatives 4.0 International License.

Acknowledgements

We wish to acknowledge significant contributions from IoTSF members and external reviewers.

Roland Atoui, Red Alert Labs
Jeremy Bennett, Embecosm Ltd
Simon Cook, Embecosm Ltd
Paul Galwas, Digital Catapult Ltd
Pamela Gupta, Outsecure Inc
John Haine, University of Bristol
Trevor Hall, DisplayLink Ltd
Chris Hills, Phaedrus Systems Ltd
Richard Marshall, Xitex Ltd
John Moor, IoT Security Foundation
Ken Munro, Pen Test Partners LLP
Ian Phillips, Roke Manor Research Ltd
Duncan Purves, Connect2 Systems Ltd
Colin Robbins, Nexor Ltd
David Rogers, Copper Horse Solutions Ltd
Carl Shaw, MathEmbedded Ltd
Roger Shepherd, Lujam Security Ltd
Chris Shire, Infineon Technologies Ltd
Colin Blanchard
John Cowburn
Thomas Detert

Contents

1 INTENT AND PURPOSE
  1.1 OVERVIEW
  1.2 ABOUT THE FRAMEWORK
  1.3 INTENDED AUDIENCE
  1.4 SCOPE
    1.4.1 Open Items and Release Status
    1.4.2 Application/Domain/Product Categorisation
  1.5 ROLES AND RESPONSIBILITIES
2 USING THE CHECKLIST
  2.1 THE PROCESS
  2.2 COMPLIANCE CLASS
  2.3 CATEGORY COMPLIANCE APPLICABILITY
    2.3.1 Compliance Applicability – Business Security Processes and Responsibility
    2.3.2 Compliance Applicability – Device Hardware & Physical Security
    2.3.3 Compliance Applicability – Device Application
    2.3.4 Compliance Applicability – Device Operating System
    2.3.5 Compliance Applicability – Device Wired and Wireless Interfaces
    2.3.6 Compliance Applicability – Authentication and Authorisation
    2.3.7 Compliance Applicability – Encryption and Key Management for Hardware
    2.3.8 Compliance Applicability – Web User Interface
    2.3.9 Compliance Applicability – Mobile Application
    2.3.10 Compliance Applicability – Privacy
    2.3.11 Compliance Applicability – Cloud and Network Elements
    2.3.12 Compliance Applicability – Secure Supply Chain and Production
    2.3.13 Compliance Applicability – Configuration
3 CERTIFICATION QUESTIONNAIRE
  3.1 BUSINESS SECURITY PROCESSES AND RESPONSIBILITY
  3.2 DEVICE HARDWARE & PHYSICAL SECURITY
  3.3 DEVICE SOFTWARE
    3.3.1 Device Application
    3.3.2 Device Operating System
  3.4 DEVICE WIRED & WIRELESS NETWORK INTERFACES
  3.5 AUTHENTICATION AND AUTHORISATION
  3.6 ENCRYPTION AND KEY MANAGEMENT FOR HARDWARE
  3.7 WEB USER INTERFACE
  3.8 MOBILE APPLICATION
  3.9 PRIVACY
  3.10 CLOUD AND NETWORK ELEMENTS
  3.11 SECURE SUPPLY CHAIN AND PRODUCTION
  3.12 CONFIGURATION
4 REFERENCES AND ABBREVIATIONS
  4.1 REFERENCES & STANDARDS
  4.2 DEFINITIONS AND ABBREVIATIONS

1 Intent and Purpose

In a hyper-connected digital world, insecurity is not an option. There is a wide spectrum of known and unknown consequences of poor security including personal inconvenience, financial fraud, industrial espionage and sabotage, national and physical security.

The mission of the IoT Security Foundation (IoTSF) “is to help secure the Internet of Things, in order to aid its adoption and maximise its benefits. To do this we will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.” The IoTSF is providing the tools for the industry to build a “supply chain of trust”.

IoTSF advocates the core security values of security first, fitness of purpose and resilience to meet and maintain the necessary levels of trust for IoT system adoption and use.

The Executive Steering Board of IoTSF determined that the consumer and domestic IoT application domains presented acute security concerns, and there is a pressing and immediate need for best practice guidance – this is the sector targeted by “Release 1” of this document. This need is especially important for companies new to the connected product and service markets as they perceive a need to move quickly to gain market share. This is often accompanied by limited experience or awareness of the wider implications of weak security.

The IoT Security Compliance Framework is intended to help companies make high-quality, informed security choices by guiding users through a robust checklist and evidence gathering process. The evidence gathered during the process can be used to demonstrate conformance with best practice to customers and other organisations. Each use-case and intended operating environment will be different and so it is the responsibility of the company to determine the level of security measures applied to make their products fit-for-purpose.

Organisations that follow this process are exercising and demonstrating a duty of care towards their customers and other stakeholders in the IoT eco-system. It is generally agreed that by encouraging more organisations to adopt security best practices, a higher level of assurance and integrity benefits will be accrued. IoTSF therefore also advocates that customers of connected products, technologies and/or services specify security requirements consistent with contemporary best practice.

1.1 Overview

In this first release, the Internet of Things Security Foundation provides pragmatic guidance to businesses that are moving from standalone products, goods, and services to devices and services that have network connectivity to enhance their functionality.

Businesses making the transition from standalone, self-contained devices and services to those that are network aware and network connected need to consider many technical and business process challenges. One of the imperatives is to make sure that their and their customers’ security and privacy are not compromised.

Security best practice requires choices in design, features, implementation, testing, configuration and maintenance. There are a great many considerations including protocols, encryption, technology, software, APIs, platforms and more. IoTSF is supplier and technology neutral; it provides guidance built upon security principles and the significant body of knowledge and standards that either already exist or are emerging. This Framework therefore guides the user by referencing existing materials where possible to accelerate the user’s progress and understanding and to avoid unnecessary duplication.

This Framework takes users through a structured line of questioning and evidence gathering to ensure the user derives suitable security mechanisms and practices which are appropriate for their business and/or application domain.

1.2 About the Framework

The Foundation provides a number of resources:

- This document is a checklist to guide an organisation through the assurance process and gather structured evidence to demonstrate conformance with best practice.
- Additional Best Practice Guidelines are provided by the Foundation to help understanding.
- Further background information is contained in linked reference documents on the IoTSF website.

The Framework has utility in a number of scenarios including:

1. Within a single organisation it can be used to plan, manage, review and document security practice during the development of products, systems or services. An organisation which uses the Framework may elect to declare so in its marketing to signal professional integrity and a “duty of care” to customers. IoTSF provides a user mark for organisations which follow its guidelines which can be used without cost at their discretion.
2. As part of the product/technology/service development process, an organisation may also apply the Framework to assess the security posture of its own suppliers.
3. An organisation procuring products, systems and services from a supplier which declares it has used the Framework may audit the evidence assembled, using either internal resources or a Trusted Third Party (“T3P”). A T3P might be used in situations where the documented evidence would expose sensitive information such as intellectual property or commercial aspects.
4. In future, it is also envisaged that an audit process could lead to the Framework-user being permitted to use a “Trust Mark” as a qualified public symbol of conformance to best practice.

1.3 Intended audience

Most functions in a company making, producing and supplying IoT products or services play a role in and have a measure of responsibility for security. An executive board member, for example the CISO if there is one, should have overall authority for establishing and maintaining security.

This document is aimed at the following readers:

- For Managers in organisations that provide IoT products, technology and/or services, it gives a comprehensive overview of the management process needed to follow best practice. As such it will be useful for executive, programme and project managers, enabling them to ask the right questions and judge the answers.
- For Developers and Engineers, Logistics and Manufacturing Staff, it provides a detailed checklist to use in their daily work and in project reviews to validate the use of best practice by different functions (e.g. hardware and software development, logistics etc.). In completing the checklist, documentary evidence will be compiled that can be used to demonstrate compliance both at product gates and with third parties such as customers.
- For Supply Chain Managers, the structure can be used to guide the auditing of security practices. It may therefore be applied within the producer organisation (as described above); by a customer of the producer; or by a Trusted Third Party auditor.

1.4 Scope

Security in IoT is constantly changing. To accommodate changes and additions to the Framework, IoTSF operates a system based on releases to meet evolving application needs.

The compliance scheme is based on risk profiles [ref 12], and these will vary by system and intended operational environment. The most stringent risk profile should be adopted wherever possible, considering not just the immediate context of the product but extending to the use of the data that the device generates and to other system(s) the product may eventually be connected to.

The scope of this document includes (but is not limited to):

- Business processes
- Devices and aggregation points such as related gateways/hubs that form part of the connectivity
- Networking including wired and radio connections using short-range, LPWA and cellular
- Cloud and server elements as specific to IoT.

1.4.1 Open Items and Release Status

This “Release 1” of the Framework is limited to commercial products intended to be owned/used/operated by the consumer in a domestic setting. This release is the first public release and, whilst intended for adoption, feedback is welcome on this Framework as part of its evolution and dealing with new security threats. Future releases will cover additional product categories, with the next release expected to be made during the 1st half of 2017.

Open Items for this release:

- Testing – future releases will cover penetration testing
- Transfer of ownership for IoT devices and sensitive data lifecycle management
- Reporting in the event of the detection of any hacking attempts being made on a device and any resultant management actions
- Expansion of the sections on web user interfaces and mobile applications to include requirements for such attacks as cross site scripting and SQL injection etc.

1.4.2 Application/Domain/Product Categorisation

The security requirements may vary according to the context in which a given product is used. Products and services are typically designed for a primary application use and intended market and operating environment. However, products and services may, intentionally or unintentionally, get used in different application environments by their users. When used outside the expected context, the security may not be adequate. This challenges the notion of best practice as the intended use case influences the appropriate security mechanisms [1].

The following application and product categories (A to G) and their compliance requirements are currently defined. Only some category names are legible in this transcription:

A – Consumer
B to G – [names not recovered; the list includes “…lic Agency” and “Critical National Infrastructure”]

Release 1 of this document is limited to Category A.

[1] To illustrate this point, a connected thermostat designed for use in a domestic dwelling may end up being used to monitor and control temperature in a horticultural glasshouse where the economic consequences of a security breach to the grower may be significantly more adverse.
