IoT Security Standards and Codes

Baseline IoT Security Requirements

To ensure global conformance and applicability, the IoT Security Trust Mark™ (STM) scheme's technical Decision Authority (DA) adopts the established IoT security standards, recommendations, guidelines and codes referenced below, as published and maintained from time to time by international standards bodies, industry consortia and government departments and agencies, to establish the STM IoT Security Baseline Requirements (BRs). Scheme Accredited Test Facilities (ATFs) in turn use the BRs as the minimum level that participating vendors' products are required to achieve, in conjunction with verifying the vendors' stated security claims.

This approach delivers value, flexibility and adoption as good IoT security practice evolves over the years, keeping the scheme current as new IoT security principles, recommendations, guidelines, codes and standards are developed and released. The IoT STM framework has been developed to be applicable globally to participants, which is made possible by harmonisation through mechanisms such as mutual recognition and conformance with standards, codes and other programs of work.

Aside from the specific list below, useful reference resources in this sector are Cetome's panorama of IoT cyber security regulations across the world and the mapping compiled by Copper Horse at iotsecuritymapping.com, which displays a comprehensive mapping of a number of IoT security sources, from individual academic papers through to standards from Standards Developing Organisations (SDOs) and recommendations from think tanks, individual companies and industry organisations.

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI EN 303 645 V2.1.1 (2020-06)

The present document provides a set of baseline provisions applicable to all consumer IoT devices. It is intended to be complemented by other standards defining more specific provisions and fully testable and/or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes. 

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements

ETSI TS 103 701 V1.1.1 (2021-08)

The present document specifies a conformance assessment methodology for consumer IoT devices, their relation to associated services and corresponding relevant processes against ETSI TS 103 645/ETSI EN 303 645, addressing the mandatory and recommended provisions as well as conditions and complements of ETSI TS 103 645/ETSI EN 303 645 by defining test cases and assessment criteria for each provision.

European Union Agency for Cybersecurity (ENISA), formerly the European Network and Information Security Agency

Baseline Security Recommendations for IoT

ISBN: 978-92-9204-236-3, doi: 10.2824/03228 

ENISA identified and analysed existing IoT security practices, security guidelines, relevant industry standards and research initiatives in the area of IoT security for Critical Information Infrastructures (e.g. Industry 4.0, Machine-to-Machine (M2M) communications, IoT updatability). Having reviewed and thoroughly analysed existing work and ongoing activities, ENISA compared these practices and standards and developed baseline security measures to be adopted by relevant stakeholders. 

National Institute of Standards and Technology

US Department of Commerce

Foundational Cybersecurity Activities
for IoT Device Manufacturers

NISTIR 8259

This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.

National Institute of Standards and Technology

US Department of Commerce

IoT Device Cybersecurity Capability Core Baseline 

NISTIR 8259A

Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. 

National Institute of Standards and Technology

US Department of Commerce

IoT Non-Technical Supporting Capability Core Baseline 

NISTIR 8259B

Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.

National Institute of Standards and Technology

US Department of Commerce

DRAFT Baseline Security Criteria for Consumer IoT Devices

August 31, 2021

Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices. NIST is also to consider ways to incentivize manufacturers and developers to participate in these programs. This white paper proposes baseline security criteria for consumer IoT devices. This is one of three dimensions of a consumer IoT cybersecurity labeling program that would be responsive to Sections 4(s) and 4(t) of the EO. The other dimensions are criteria for conformity assessment and the label. In addition to the feedback sought on this white paper, NIST will also consult with stakeholders on those additional considerations.

National Institute of Standards and Technology

US Department of Commerce

Considerations for Managing IoT Cybersecurity and Privacy Risks 

NISTIR 8228

The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles. This publication is the introductory document providing the foundation for a planned series of publications on more specific aspects of this topic.

Singapore Standards Council

Cybersecurity labelling for consumer IoT

TR 91 : 2021

This standard introduces a multi-levelled and cost-effective cybersecurity labelling for consumer IoT. It aims to raise the cybersecurity hygiene of the IoT ecosystem by improving the transparency of cybersecurity provisions. Cybersecurity labelling for consumer IoT provides a basic level of security assurance through the elimination of common vulnerabilities using a simple, tiered, and progressive assessment model for IoT devices that avoids resource-intensive security evaluations.

It also provides a basic level of security hygiene which is typically expected for consumer IoT, i.e. to be able to deter casual adversaries using common attack vectors such as default factory credentials or the exploitation of vulnerable protocols. It does not offer formal security assurance. Given sufficient time, determined adversaries who possess advanced skillsets and tools can be capable of compromising such IoT devices, regardless of whether they are labelled. Users seeking higher security assurance, e.g. enterprise, manufacturing, industrial applications and healthcare, are strongly recommended to consider devices certified under formal evaluation and certification schemes.

International Organization for Standardization
International Electrotechnical Commission

Cybersecurity – IoT Security and Privacy – Guidelines

ISO/IEC DIS 27400

Information security is a major concern of any information and communication technology (ICT) system and Internet of Things (IoT) systems are no exception. IoT systems present particular challenges for information security in that they are highly distributed and involve a large number of diverse entities. This implies that there is a very large attack surface and a significant challenge for the information security management system (ISMS) to apply and maintain appropriate security controls across the whole system.

Security and privacy controls in this standard are developed for stakeholders in an IoT system environment, so as to be utilized by each IoT stakeholder, throughout the IoT system life cycle.

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT) solutions.

International Organization for Standardization
SAE International (formerly the Society of Automotive Engineers)

Road Vehicles – Cybersecurity Engineering

ISO/SAE 21434:2021

This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.

A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

This document is applicable to series production road vehicle E/E systems, including their components and interfaces, whose development or modification began after the publication of this document.

This document does not prescribe specific technology or solutions related to cybersecurity.

UK Government

Department for Digital, Culture, Media & Sport

Code of Practice for Consumer IoT Security

The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.

Legislation

The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to UK Parliament on November 24th 2021, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.

The security requirements, to be set out in regulations, will:

  • Ban default passwords. Products that come with default passwords are an easy target for cyber criminals.
  • Require products to have a vulnerability disclosure policy. Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that the manufacturer can act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
  • Require transparency about the length of time for which the product will receive important security updates. Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.

Security requirements set out under this regime must be complied with by the manufacturers, importers and distributors of consumer connectable products. The Bill will also place duties on these persons to ensure a product is accompanied by a statement of compliance and to take action where there has been a compliance failure.

Australian Government

Department of Home Affairs

Code of Practice
Securing the Internet of Things for Consumers

The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step to lifting the cyber security of internet-connected devices domestically.

In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.

Government of India

Department of Telecommunications

Code of Practice for
Securing Consumer Internet of Things

TEC 31318:2021

As per the National Digital Communication Policy (NDCP) 2018 released by the Department of Telecommunications (DoT), an ecosystem is to be created for 5 billion connected devices by 2022. Therefore, it is expected that around 60% of 5 billion, i.e. 3 billion connected devices, may exist in India by 2022.

In view of the anticipated growth of IoT devices, it is important to ensure that IoT end points comply with the safety and security standards and guidelines in order to protect the users and the networks that connect these IoT devices. IoT devices must undergo mandatory testing and certification prior to sale, import or use in India, in compliance with the MTCTE guidelines issued by the Department of Telecommunications (DoT), Government of India under the Indian Telegraph (Amendment) Rules, 2017.

This document on the Code of Practice for consumer IoT security provides baseline requirements as a basis for the implementation of the above referred recommendations. Substantial input has been taken from ETSI TS 103 645 and ETSI EN 303 645. It is expected that ETSI TS 103 701 (Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements) will help in the implementation of the provisions available in these guidelines.

Singapore Government

Cyber Security Agency of Singapore (CSA)

Cybersecurity Labelling Scheme

CLS

The Cyber Security Agency of Singapore (CSA) has launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace.

The CLS is the first of its kind in the Asia-Pacific region. Under the scheme, smart devices will be rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions.

The CLS also aims to help manufacturers stand out from their competitors and be incentivised to develop more secure products. Currently, consumer smart devices are often designed to optimise functionality and cost. They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.

The CLS was first introduced to cover Wi-Fi routers and smart home hubs. These products were prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users. It has since been extended to include all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers. 

Government of Finland

Transport and Communications Agency of Finland (Traficom)

National Cyber Security Centre Finland (NCSC-FI)

Cybersecurity Label

The Finnish Transport and Communications Agency Traficom has created the Cybersecurity Label to help consumers make safe choices when purchasing smart devices and services, and to help companies communicate the responsibility of their designs. The label is granted to connected smart devices or services that meet the information security requirements set by the National Cyber Security Centre Finland (NCSC-FI) at Traficom. The Cybersecurity Label is mainly intended for consumer smart devices. These include smart TVs, smart bracelets and home routers.

The labelled product or service is designed to be secure, and its information security is maintained for the duration of the label’s validity. The purpose of the Cybersecurity Label is to respond to the most common information security threats arising from the Internet which target consumer use, and to support consumers in the secure use of smart devices.

ioXt Alliance

IoT Industry First Party Self Attestation

ioXt Security Pledge

The ioXt Security Pledge is the result of industry working together to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.