IoT Security Standards and Codes

Baseline Cybersecurity Requirements

To ensure global conformance and applicability, the STM scheme draws on the established OT/IoT smart device Cybersecurity Standards, Guidelines, Recommendations, Criteria, Pledges and Codes (referenced below) that are published and maintained from time to time by International Standards Bodies, Industry Consortia and Government Departments and Agencies. Where relevant, these are adopted by the Security Trust Mark™ (STM) scheme technical Decision Authority (DA) to establish the STM IoT Cybersecurity Baseline Requirements (BRs). The BRs are, in turn, used by scheme Accredited Test Facilities (ATFs) as the minimum level that participating vendors of smart device products are required to achieve, in conjunction with verification of the vendors' stated cyber security claims.

This approach delivers value, flexibility and adoption as good connected device cyber security practice evolves over the years, and keeps the scheme current as new Cybersecurity Principles, Recommendations, Guidelines, Codes and Standards are developed and released. The STM framework has been developed to ensure global applicability for participants, which is made possible via harmonisation through mechanisms such as mutual recognition and conformance with standards, codes and other related programs of work.

The peer-reviewed academic research (University College London and Australian National University) referenced in the journal publication titled The impact of IoT security labelling on consumer product choice and willingness to pay (citation) has informed in part the development of the base STM live label (the STM Quick Response (QR) code), which is voluntary for certified product vendors to display. The live label supports the STM “Traffic light” system, through which consumers verify certification currency, and leads to the STM “nutrition” at-a-glance view of baseline requirements conformance, which explains the label and informs consumers about that product's compliance. Consumers who want the full information can then follow a link to the STM Test Report Summary (TRS) for that product. The result is a straightforward four-step path: from the label on the product, to certification currency, to the list of compliance, and to the detailed information.

Aside from the specific list below, useful reference resources in this sector are the panorama of IoT cyber security regulations across the world compiled by Cetome, and the mapping compiled by Copper Horse at iotsecuritymapping.com, which displays a comprehensive mapping of a number of IoT security sources, ranging from individual academic papers through to standards from Standards Developing Organisations (SDOs) and recommendations from think tanks, individual companies and industry organisations.

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI EN 303 645 V2.1.1 (2020-06)

The present document provides a set of baseline provisions applicable to all consumer IoT devices. It is intended to be complemented by other standards defining more specific provisions and fully testable and/or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes. 

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements

ETSI TS 103 701 V1.1.1 (2021-08)

Technical Report: Guide to Coordinated Vulnerability Disclosure

ETSI TR 103 838 V1.1.1 (2022-01)

Conformance Assessment of Baseline Requirements:

The present document specifies a conformance assessment methodology for consumer IoT devices, their relation to associated services and corresponding relevant processes against ETSI TS 103 645/ETSI EN 303 645, addressing the mandatory and recommended provisions as well as conditions and complements of ETSI TS 103 645/ETSI EN 303 645 by defining test cases and assessment criteria for each provision.

Guide to Coordinated Vulnerability Disclosure:

The present document is for companies and organizations of all sizes who want to implement a vulnerability disclosure process. It is not intended to be a comprehensive guide to creating and implementing a vulnerability disclosure process, but instead focuses on the essential steps.

The present document contains generic advice on how to respond to and manage a vulnerability disclosure, a defined triage process, advice on managing vulnerabilities in third party products or suppliers, and an example vulnerability disclosure policy.

European Network and Information Security Agency

Baseline Security Recommendations for IoT

ISBN: 978-92-9204-236-3, doi: 10.2824/03228 

ENISA identified and analysed existing IoT security practices, security guidelines, relevant industry standards and research initiatives in the area of IoT security for Critical Information Infrastructures (e.g. Industry 4.0, Machine-to-Machine (M2M) communications, IoT updatability). Having reviewed and thoroughly analysed existing work and ongoing activities, ENISA compared these practices and standards and developed baseline security measures to be adopted by relevant stakeholders. 

National Institute of Standards and Technology

US Department of Commerce

Foundational Cybersecurity Activities for IoT Device Manufacturers

NISTIR 8259 (DOI)

This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.

National Institute of Standards and Technology

US Department of Commerce

IoT Device Cybersecurity Capability Core Baseline 

NISTIR 8259A (DOI)

Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. 

National Institute of Standards and Technology

US Department of Commerce

IoT Non-Technical Supporting Capability Core Baseline 

NISTIR 8259B (DOI)

Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.

National Institute of Standards and Technology

US Department of Commerce

August 31, 2021 (DRAFT: Baseline Security Criteria for Consumer IoT Devices)

December 3, 2021 (Cybersecurity Labelling Discussion Draft)

February 4, 2022 (Whitepaper: Recommended Criteria for Cybersecurity Labelling for Consumer IoT Products)

Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices. NIST also is to consider ways to incentivize manufacturers and developers to participate in these programs. This white paper proposes baseline security criteria for consumer IoT devices. This is one of three dimensions of a consumer Internet of Things (IoT) cybersecurity labeling program that would be responsive to Sections 4 (s) and (t) of the EO. The other dimensions are criteria for conformity assessment and the label. In addition to the feedback sought on this white paper, NIST will also consult with stakeholders on those additional considerations.

National Institute of Standards and Technology

US Department of Commerce

Considerations for Managing IoT Cybersecurity and Privacy Risks 

NISTIR 8228

The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles. This publication is the introductory document providing the foundation for a planned series of publications on more specific aspects of this topic.

Singapore Standards Council

Cybersecurity labelling for consumer IoT

TR 91:2021

This standard introduces a multi-levelled and cost-effective cybersecurity labelling for consumer IoT. It aims to raise the cybersecurity hygiene of the IoT ecosystem by improving the transparency of cybersecurity provisions. Cybersecurity labelling for consumer IoT provides a basic level of security assurance through the elimination of common vulnerabilities using a simple, tiered, and progressive assessment model for IoT devices that avoids resource-intensive security evaluations.

It also provides a basic level of security hygiene which is typically expected for consumer IoT, i.e. to be able to deter casual adversaries utilising common attack vectors such as default factory credentials or the exploitation of vulnerable protocols. It does not offer formal security assurance. Given sufficient time, determined adversaries who possess advanced skillsets and tools can be capable of compromising such IoT devices, regardless of whether they are labelled. Users seeking higher security assurance – e.g. enterprise, manufacturing, industrial applications and healthcare – are strongly recommended to consider devices certified under formal evaluation and certification schemes.

International Electrotechnical Commission (IEC)

Security for industrial automation and control systems

IEC 62443 (2021)

The IEC 62443 series was developed to secure industrial automation and control systems (IACS) throughout their lifecycle. It currently includes nine standards, technical reports, and technical specifications.

IEC 62443 is a horizontal standard, which reflects the fact that IACS are found in an ever-expanding range of domains and industries. They include, for example, the power grid, hospitals, and transport.

The standard was developed because IT cyber security measures are not always appropriate for IACS, which must run continuously to check that each component in an operational system is functioning correctly. Compared to IT systems, they have different performance and availability requirements and equipment lifetime.

Cyber-attacks on IT and OT systems often have different consequences. The effects of cyber-attacks on IT are generally economic, while cyber-attacks on OT systems, including critical infrastructure, can impact the environment or even threaten public health and lives.

International Standards Organisation (ISO)
Society of Automotive Engineers (SAE)

Road Vehicles – Cybersecurity Engineering

ISO/SAE 21434:2021

This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.

A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

This document is applicable to series production road vehicle E/E systems, including their components and interfaces, whose development or modification began after the publication of this document.

This document does not prescribe specific technology or solutions related to cybersecurity.

UK Government

Department for Digital, Culture, Media & Sport

Code of Practice for Consumer IoT Security

The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.

Legislation

The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to UK Parliament on November 24th 2021, will allow the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.

The security requirements, to be set out in regulations, will:

  • Ban default passwords. Products that come with default passwords are an easy target for cyber criminals.
  • Require products to have a vulnerability disclosure policy. Security researchers regularly identify security flaws in products, but need a way to give notice to manufacturers of the risk they have identified, so that they can enable the manufacturer to act before criminals can take advantage. The Bill will provide measures to help ensure any vulnerabilities in a product are identified and flagged.
  • Require transparency about the length of time for which the product will receive important security updates. Consumers should know if their product will be supported with security updates, and if so, what the minimum length of time is that they can expect that support to continue.

Security requirements set out under this regime must be complied with by the manufacturers, importers and distributors of consumer connectable products. The Bill will also place duties on these persons to ensure a product is accompanied by a statement of compliance and to take action where there has been a compliance failure.

Australian Government

Department of Home Affairs

Code of Practice: Securing the Internet of Things for Consumers

The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step to lifting the cyber security of internet-connected devices domestically.

In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.

Government of India

Department of Telecommunications

Code of Practice for Securing Consumer Internet of Things

TEC 31318:2021

As per the National Digital Communication Policy (NDCP) 2018 released by the Department of Telecommunications (DoT), an ecosystem is to be created for 5 billion connected devices by 2022. Therefore, it is expected that around 60% of 5 billion, i.e. 3 billion, connected devices may exist in India by 2022.

In view of the anticipated growth of IoT devices, it is important to ensure that the IoT end points comply with the safety and security standards and guidelines in order to protect the users and the networks that connect these IoT devices. The IoT devices must undergo mandatory testing and certification prior to sale, import or use in India, in compliance with the MTCTE guidelines issued by the Department of Telecommunications (DoT), Government of India under the Indian Telegraph (Amendment) Rules, 2017.

This document on Code of Practice for consumer IoT security provides baseline requirements as a basis for the implementation of the above referred recommendations. Substantial input has been taken from the ETSI TS 103 645 and ETSI EN 303 645. It is expected that the ETSI TS 103 701 (Cybersecurity assessment for consumer IoT products) will help in the implementation of the provisions available in these guidelines. 

Singapore Government

Cyber Security Agency of Singapore (CSA)

Cybersecurity Labelling Scheme

CLS

The Cyber Security Agency of Singapore (CSA) has launched the Cybersecurity Labelling Scheme (CLS) for consumer smart devices, as part of efforts to improve Internet of Things (IoT) security, raise overall cyber hygiene levels and better secure Singapore’s cyberspace.

The CLS is the first of its kind in the Asia-Pacific region. Under the scheme, smart devices will be rated according to their levels of cybersecurity provisions. This will enable consumers to identify products with better cybersecurity provisions and make informed decisions.

The CLS also aims to help manufacturers stand out from their competitors and be incentivised to develop more secure products. Currently, consumer smart devices are often designed to optimise functionality and cost. They also have a short time-to-market cycle, where there is less scope for cybersecurity to be incorporated into product design from the beginning.

The CLS was first introduced to cover Wi-Fi routers and smart home hubs. These products were prioritised because of their wider usage, as well as the impact that a compromise of the products could have on users. It has since been extended to include all categories of consumer IoT devices, such as IP cameras, smart door locks, smart lights and smart printers. 

Government of Finland

Transport and Communications Agency of Finland (Traficom)

National Cyber Security Centre Finland (NCSC-FI)

Cybersecurity Label

The Finnish Transport and Communications Agency Traficom has created the Cybersecurity Label to help consumers make safe choices when purchasing smart devices and services, and to help companies communicate the responsibility of their designs. The label is granted to connected smart devices or services that meet the information security requirements set by the National Cyber Security Centre Finland (NCSC-FI) at Traficom. The Cybersecurity Label is mainly intended for consumer smart devices. These include smart TVs, smart bracelets and home routers.

The labelled product or service is designed to be secure, and its information security is maintained for the duration of the label’s validity. The purpose of the Cybersecurity Label is to respond to the most common information security threats arising from the Internet which target consumer use, and to support consumers in the secure use of smart devices.

US Government

U.S. Food & Drug Administration (FDA)

Draft Guidance: Cybersecurity in Medical Devices

With the increasing integration of wireless, Internet- and network-connected capabilities, portable media (e.g., USB or CD), and the frequent electronic exchange of medical device-related health information, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important.

World Economic Forum

Council of the Connected World

Baseline cyber security provisions for consumer IoT devices

A global consensus for consumer IoT security

We welcome the global consensus forming around three key capabilities that can begin setting a clear baseline for consumer IoT security – (1) No universal default passwords; (2) Implement a vulnerability disclosure policy; and (3) Keep software updated – and support these as an immediate priority for respective manufacturers and vendors to implement in order to improve consumer IoT device security. In addition, our community recognizes the importance of two other capabilities related to securing data – (4) Secure communications; and (5) Ensuring that personal data is secure. Taken together, these five device capabilities are found in over 100 standards, specifications and guidelines across the world and establish a minimum level of security which should form the basis of all consumer IoT cyber security standards, specifications and guidelines.

IoT STM are a signatory to the World Economic Forum call for a global consensus on IoT Security Standards.

Open Connectivity Foundation (OCF)

Whitepaper: Open Connectivity Security Specification

The OCF Core Framework, created with the expertise of OCF’s extensive membership base, provides a complete foundation for an IoT solution. Compliant with most of the prominent security baseline guidelines, this framework ensures that security is not an afterthought – and is instead a fundamental part of the development process.

Internet Society (ISOC)

Internet of Things (IoT) Trust Framework® v2.5

The IoT Trust Framework® includes a set of strategic principles necessary to help secure IoT devices and their data when shipped and throughout their entire life-cycle. Through a consensus driven multi-stakeholder process, criteria have been identified for connected home, office and wearable technologies including toys, activity trackers and fitness devices. The Framework outlines the need for comprehensive disclosures which need to be provided prior to product purchase, policies regarding data collection, usage and sharing, as well as the terms and conditions of security patching post-warranty. Security updates are essential to maximize the protection of IoT devices when vulnerabilities are discovered and attacks evolve. In addition, the Framework provides recommendations for manufacturers to enhance transparency and communication regarding devices’ ability to be updated and a range of data privacy related issues.

Global System for Mobile Communications Association (GSMA)

GSMA IoT Security Guidelines and Assessment

Promoting best practice for the secure design, development and deployment of IoT services, and providing a mechanism to evaluate security measures, the GSMA IoT Security Guidelines and IoT Security Assessment help create a secure IoT market with trusted, reliable services that can scale as the market grows.


The GSMA IoT Security Guidelines:

  • Include 85 detailed recommendations for the secure design, development and deployment of IoT services
  • Cover networks as well as service and endpoint ecosystems
  • Address security challenges, attack models and risk assessments
  • Provide several worked examples

The GSMA IoT Security Assessment:

  • Is based on a structured approach and concise security controls
  • Covers the whole ecosystem
  • Can fit into a supply chain model
  • Provides a flexible framework that addresses the diversity of the IoT market

US Consumer Technology Association (CTA)

Council to Secure the Digital Economy (CSDE) 

The C2 Consensus on IoT Device Security Baseline Capabilities

The “Convene the Conveners” (CTA-C2) consensus on IoT device security is designed to bring together many vertical interests within the IoT market. It consists of ten baseline device capabilities, three baseline device lifecycle capabilities and several additional requirements to be phased in over time.

ioXt Alliance

IoT Industry First Party Self Attestation

IoXt Security Pledge

The ioXt Security Pledge is the result of industry working together to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.