
Mapping of IoT Security Recommendations, Guidance and Standards to the UK's Code of Practice for Consumer IoT Security

October 2018
Department for Digital, Culture, Media and Sport 2
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for
Consumer IoT Security

Contents

Executive summary 3

Mapping the landscape of IoT security and privacy recommendations 4

Summary and methodology of mapping 5

Mapping statistics 6

Mapping of external references within recommendations, guidelines and standards 9

Mapping of Code of Practice guidelines 9


Code of Practice: 1 - No default passwords 10
Code of Practice: 2 - Implement a vulnerability disclosure policy 20
Code of Practice: 3 - Keep software updated 38
Code of Practice: 4 - Securely store credentials and security-sensitive data 65
Code of Practice: 5 - Communicate securely 81
Code of Practice: 6 - Minimise exposed attack surfaces 117
Code of Practice: 7 - Ensure software integrity 152
Code of Practice: 8 - Ensure that personal data is protected 164
Code of Practice: 9 - Make systems resilient to outages 189
Code of Practice: 10 - Monitor system telemetry data 199
Code of Practice: 11 - Make it easy for customers to delete personal data 212
Code of Practice: 12 - Make installation and maintenance of IoT devices easy 216
Code of Practice: 13 - Validate input data 220

Disclaimer and copyright 226



Executive summary
This document maps the Code of Practice for Consumer IoT Security against published standards, recommendations and guidance on IoT security and privacy from around the world.[1] Around 100 documents were reviewed from nearly 50 organisations. Whilst not exhaustive, it represents one of the largest collections of guidance available to date in this area.

The purpose of the mapping is to serve as a reference and tool for users of the Code of Practice. Manufacturers and other organisations are already implementing a range of standards, recommendations and guidance and will seek to understand the relationship between the Code of Practice and existing material from industry and other interested parties. The mapping makes that exercise easier and, therefore, implementation of the Code of Practice more straightforward.

The mapping represents a snapshot in time. Security guidance across the IoT is rapidly evolving. Whilst gathering the information, it was observed that some organisations have merged and others are developing their work further, issuing updated versions regularly.

The intention was not to map the entire global technical standards and recommendations space. The mapping was limited in scope to the documentation that claims to be IoT security and privacy related. This means that the mapping does not include those standards and regulations which might be classified as foundational or which underpin the IoT standards, such as the General Data Protection Regulation (GDPR). Also, due to the variance in styles between recommendations, functional equivalence is not possible and so the mappings should be read as indicative only.

A separate mapping also identifies the relationships between organisations and material based on common external references that have been used in their documentation. This also gives an indication of references in specifications and guidance which may not be specific to IoT.

The raw data of both the Code of Practice and the reference material mappings are also available as open data in JavaScript Object Notation (JSON) format.[2] This enables organisations to use it within their own development processes.

[1] DCMS, October 2018, ‘Code of Practice for Consumer IoT Security’, https://www.gov.uk/government/publications/secure-by-design
[2] Available via the above link and on https://iotsecuritymapping.uk

Mapping the landscape of IoT security and privacy recommendations

The IoT industry, associated recommendations and security/privacy standards are continually developing. The mapping within this document is correct as at July 2018 and represents a snapshot of retrieved material at that time.[3]

The scope of the exercise was primarily contained to consumer-focused IoT, but there is a large amount of crossover with other IoT domains such as automotive and medical recommendations. This demonstrates that there is significant alignment for security and privacy across different IoT domains of interest. Guidance such as ‘I Am The Cavalry’s’ Hippocratic Oath for Connected Medical Devices contains many recommendations which would be regarded as relevant to consumer devices and services too.[4] Where these recommendations do not directly refer to medical devices, they have been included in the mapping.

During the course of this mapping exercise, it was noted that some organisations had already merged and that some standards or recommendations were not accessible because they were not public documents. For example, the Online Trust Alliance (OTA) has merged with the Internet Society (ISOC) and the AllSeen Alliance has merged with the Open Connectivity Foundation (OCF). Some of the lists and documents that were investigated contained broken links and older versions of material.

[3] Material published after this date was not included, notably the ‘IoT Cybersecurity Certification Program’ which was announced by CTIA, a US wireless industry association, in August 2018, https://www.ctia.org/news/wireless-industry-announces-internet-of-things-cybersecurity-certification-program
[4] I Am The Cavalry, 2016, ‘Hippocratic Oath for Connected Medical Devices’, https://www.iamthecavalry.org/domains/medical/oath/

Summary and methodology of mapping

The mapping of the recommendations and guidance was based on online searches as well as public listings of IoT security and privacy guidance. Sources included:

- The living list of IoT Security and Privacy resources, maintained by David Rogers and Copper Horse Solutions Ltd,[5]
- Bruce Schneier’s Security and Privacy Guidelines for the Internet of Things,[6]
- NTIA’s IoT security standards catalogue,[7]
- W3C’s Web of Things project’s reference to existing best practices in related fields.[8]

Some of the documentation and guidance was judged to be out of scope, for example recommendations that focused on the automotive sector. This data is retained for reference in the mapping JSON file. The material that is referenced is largely at the same ‘level’ as the Code of Practice, that is, requirements and guidance rather than bit-level specifications. This avoided creating dependencies on other aspects as well as technology-specific references. Also included are other commonly referenced documents such as the US Senate Bill: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and industry whitepapers.[9]

It is important to note that the mapping is intended to signpost organisations to recommendations where there is broad equivalence to the intent of the guideline. In some cases external recommendations may exceed the guideline. It is not a compliance document. Implementation of all guidance mapped to a Code of Practice guideline does not guarantee compliance with the guideline. Conversely, it may not be necessary to implement all mapped guidance to be considered compliant. Whether a device or service can be considered compliant depends on the implementation specifics.

Recommendations were mapped against the 13 guidelines in the Code of Practice. This means that recommendations outside of those are deemed beyond the scope of this mapping. Implementing a secure development lifecycle is seen as fundamental to meeting the Code of Practice. Examples of documentation that can assist in this domain include the Fundamental Practices for Secure Software Development developed by the SAFECode Forum,[10] and ISO/IEC 29147 for Coordinated Vulnerability Disclosure, which is referenced in the Code of Practice.

Also fundamental to meeting the Code of Practice are the already existing laws and regulation related to data protection, security and consumer safety.

[5] David Rogers, 2018, ‘IoT Security Resources’, https://blog.mobilephonesecurity.org/2016/11/iot-security-resources.html
[6] Bruce Schneier, 2017, ‘Security and Privacy Guidelines for the Internet of Things’, https://www.schneier.com/blog/archives/2017/02/security_and_pr.html
[7] NTIA, 2017, ‘Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching’, https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security
[8] W3C, 2017, ‘Web of Things (WoT) Security and Privacy Considerations’, https://www.w3.org/TR/wot-security/#existing-security-best-practices-in-related-fields
[9] US Congress, 2017, ‘Internet of Things (IoT) Cybersecurity Improvement Act of 2017’, https://www.congress.gov/bill/115th-congress/senate-bill/1691
[10] SAFECode Forum, 2011, ‘Fundamental Practices for Secure Software Development’, http://safecode.org/wp-content/uploads/2014/09/SAFECode_Dev_Practices0211.pdf

Mapping statistics

Across the entire Code of Practice, the following organisations and standards map to the CoP guidance. The consolidated mapping data is available within the open data JSON file.

The most closely mapped recommendation across the Code of Practice was the IoT Security Foundation’s IoT Security Compliance Framework 1.1. Also, a wide range of recommendations were mapped from the European Union Agency for Network and Information Security (ENISA), GSMA, the Industrial Internet Consortium (IIC) and the Open Web Application Security Project (OWASP). Some organisations split their recommendations across a number of documents, which are also listed below.

Summary Table of recommendations that map to the Code of Practice

Total number of recommendations mapped | Organisation | Standard / recommendation name
159 | IoT Security Foundation | IoT Security Compliance Framework 1.1
66 | European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT
55 | Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0
39 | GSMA | IoT Security Guidelines Endpoint Ecosystem
37 | Open Web Application Security Project (OWASP) | IoT Security Guidance
33 | IoT Security Initiative | Security Design Best Practices
32 | Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5
29 | GSMA | IoT Security Guidelines for Service Ecosystems
20 | Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations
19 | Cloud Security Alliance (CSA) | Security Guidance for Early Adopters of the Internet of Things (IoT)
19 | Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices
19 | oneM2M | TR-0008-V2.0.1 Security (Technical Report)
17 | US National Institute of Standards and Technology (NIST) | NIST SP.800-160 Systems Security Engineering
16 | European Union Agency for Network and Information Security (ENISA) | Security and Resilience of Smart Home Environments
14 | US Senate | S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
13 | IoT Security Initiative | CyberSecurity Principles of IoT
13 | US National Telecommunications and Information Administration (NTIA) | Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
12 | Microsoft | IoT Security Best Practices
12 | U.S. Department of Homeland Security | Strategic Principles for Securing The Internet of Things (IoT)
11 | CableLabs | A Vision for Secure IoT
11 | Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1
10 | Cloud Security Alliance (CSA) | Future-proofing the connected world: 13 steps to Developing Secure IoT
10 | IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines
9 | Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) | State-of-the-Art and Challenges for the Internet of Things Security
8 | AT&T | The CEO’s Guide to Securing the Internet of Things
8 | IEEE | IoT Security Principles and Best Practices
6 | Alliance for Internet of Things Innovation (AIOTI) | Workshop on Security and Privacy in the Hyper connected World
6 | International Electrotechnical Commission (IEC) | IoT 2020: Smart and secure IoT platform
6 | Object Management Group (OMG) Cloud Standards Customer Council (CSCC) | Cloud Customer Architecture for IoT
5 | City of New York (NYC) Guidelines for the Internet of Things | Privacy + Transparency
5 | GSMA | GSMA IoT Security Assessment
5 | I am the Cavalry | Hippocratic Oath for Connected Medical Devices
5 | Internet Society (ISOC) | The Internet of Things: An Internet Society Public Policy Briefing
5 | Symantec | An Internet of Things Security Reference Architecture
4 | Atlantic Council Scowcroft Center for Strategy and Security | Smart Homes and the Internet of Things
4 | City of New York (NYC) Guidelines for the Internet of Things | Security
4 | European Commission and AIOTI | Report on Workshop on Security & Privacy in IoT
4 | Intel | Policy Framework for the Internet of Things (IoT)
4 | Open Web Application Security Project (OWASP) | OWASP Secure Coding Practices Quick Reference Guide
3 | IERC-European Research Cluster on the Internet of Things (IERC) | IoT Governance, Privacy and Security Issues - IERC Position Paper
3 | MIT Laboratory for Computer Science | Dos and Don’ts of Client Authentication on the Web
2 | Alliance for Internet of Things Innovation (AIOTI) | AIOTI Digitisation of Industry Policy Recommendations
2 | Alliance for Internet of Things Innovation (AIOTI) | Digitisation of Industry Policy Recommendations
2 | GSMA | IoT Security Guidelines for Network Operators
2 | Software and Information Industry Association (SIIA) | Empowering the Internet of Things: Benefits
2 | W3C | Web of Things (WoT) Security and Privacy Considerations
1 | Atlantic Council Scowcroft Center for Strategy and Security | Smart Homes and the Internet of Things (issue brief)
1 | Cloud Security Alliance (CSA) | Future-proofing the connected world: 13 steps to Developing Secure IoT
1 | GSMA | Analytics-based Security
1 | GSMA | GSMA Coordinated Vulnerability Disclosure Programme (CVD)
1 | IoT Security Foundation | Connected Consumer Secure Design Best Practice Guidelines
1 | Telecommunications Industry Association (TIA) | Realizing the Potential of the Internet of Things: Recommendations to Policy Makers
1 | Web of Things (WoT) Security and Privacy Considerations | Minimize Network Interface Functionality

Mapping of external references within recommendations, guidelines and standards

The mapping has identified the relationships between organisations and material within the IoT security and privacy space. This is solely based on the external references provided within documents covered by the mapping. This also gives an indication of references in specifications and guidance which may not be specific to IoT.

The data of this reference mapping is available in an open data JSON file which can be used for further study. It is available on https://iotsecuritymapping.uk, which also hosts a visualisation of this mapping.

Mapping of Code of Practice guidelines

The recommendations set out in the following tables map to the thirteen guidelines of the Code of Practice. This is not considered to be holistic, but represents the output of a review of nearly 4000 pages of material from a large array of organisations and parties interested in the topic. This data is also available in the open data JSON files and viewable at https://iotsecuritymapping.uk.

The copyright of the original material quoted in the mapping remains that of the original authors.

Code of Practice: 1 - No default passwords


Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

The CEO’s Guide Rather than permitting an easy-to-hack default password, each
to Securing the No default device should require the user to define a unique and reasonably https://www.business.att.com/cybersec
AT&T Internet of Things password secure password for access from a network interface. urity/docs/exploringiotsecurity.pdf

Future-proofing the IoT products can


connected world: lend their https://downloads.cloudsecurityalliance
13 steps to computing power to .org/assets/research/internet-of-
Cloud Security Developing Secure launch DDoS things/future-proofing-the-connected-
Alliance (CSA) IoT Attacks - 2 Never ship IoT products without password protections world.pdf

Security Guidance If your organization is writing your own applications, use appropriate https://downloads.cloudsecurityalliance
for Early Adopters authentication and authorization mechanisms. Scan for any .org/whitepapers/Security_Guidance_f
Cloud Security of the Internet of 5.3.2 first bullet passwords left in the clear in the application code (e.g. hardcoded or_Early_Adopters_of_the_Internet_of
Alliance (CSA) Things (IoT) point telnet logins or passwords that were left behind during testing). _Things.pdf
European
Union Agency
for Network
and Authentication mechanisms must use strong passwords or
Information Baseline Security personal identification numbers (PINs), and should consider using https://www.ENISA.europa.eu/publicati
Security Recommendations two-factor authentication (2FA) or multi-factor authentication (MFA) ons/baseline-security-
(ENISA) for IoT GP-TM-23 like Smartphones, Biometrics, etc., and certificates. recommendations-for-iot

European
Union Agency Ensure password recovery or reset mechanism is robust
for Network Baseline Security and does not supply an attacker with information indicating a valid https://www.ENISA.europa.eu/publicati
and Recommendations account. The same applies to key update and recovery ons/baseline-security-
Information for IoT GP-TM-26 mechanisms. recommendations-for-iot
Department for Digital, Culture, Media and Sport 11
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
Security
(ENISA)

European
Union Agency
for Network
and
Information Baseline Security Avoid provisioning the same secret key in an entire https://www.ENISA.europa.eu/publicati
Security Recommendations product family, since compromising a single device would be ons/baseline-security-
(ENISA) for IoT GP-TM-49 enough to expose the rest of the product family. recommendations-for-iot
European
Union Agency
for Network
and Security and
Information Resilience of Smart Identification, authentication, authorization: strong authentication
Security Home methods must be used, as well as access control mechanisms. https://www.ENISA.europa.eu/publicati
(ENISA) Environments 5.2, fifth bullet point Passwords and sessions should be managed accordingly. ons/security-resilience-good-practices

IoT Security
Guidelines for Enforce Strong Password Policy. It is imperative that all https://www.gsma.com/iot/wp-
Service authentication systems enforce strong passwords where passwords content/uploads/2017/10/CLP.12-
GSMA Ecosystems CLP12_6.11 are required for user authentication. v2.0.pdf

IoT Security
Guidelines https://www.gsma.com/iot/wp-
Endpoint content/uploads/2017/10/CLP.13-
GSMA Ecosystem CLP13_6.9 Endpoint Password Management v2.0.pdf
Department for Digital, Culture, Media and Sport 12
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

IoT Security
Guidelines Where passwords are used, enforce the use of passwords that https://www.gsma.com/iot/wp-
Endpoint conform to best practices regarding password complexity and content/uploads/2017/10/CLP.13-
GSMA Ecosystem CLP13_6.12 length v2.0.pdf
IoT devices should not use easy-to-guess username/password
credentials, such as admin/admin. Devices should not use default
credentials that are invariant across multiple devices and should not
include back doors and debug-mode settings (secret credentials
established by the device's programmer) because, once guessed,
they can be used to hack many devices.

Each device should have a unique default username/password,


IoT Security perhaps printed on its casing, and preferably resettable by the user. https://internetinitiative.ieee.org/images
Principles and Best Passwords should be sophisticated enough to resist educated /files/resources/white_papers/internet_
IEEE Practices 5 guessing and so-called brute force methods. of_things_feb2017.pdf
The vast majority of Internet-connected devices will require
authentication for some purposes, whether to protect the device
from
unauthorized use or reconfiguration, and to protect information
stored within the device from disclosure or modification. This
Internet section details authentication requirements for devices that require
Engineering Best Current authentication.
Task Force Practices (BCP) for https://tools.ietf.org/html/draft-moore-
(IETF) IoT Devices 2.2 iot-security-bcp-01
Department for Digital, Culture, Media and Sport 13
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
A device that supports authentication SHOULD NOT be shipped in
a
condition that allows an unauthenticated client to use any function
of the device that requires authentication, or to change that
device's authentication credentials.

Explanation: Most devices that can be used in an unauthenticated


state will never be configured to require authentication. These
devices are attractive targets for attack and compromise, especially
Internet by botnets. This is very similar to the problems caused by shipping
Engineering Best Current devices with default passwords.
Task Force Practices (BCP) for https://tools.ietf.org/html/draft-moore-
(IETF) IoT Devices 2.2.4 iot-security-bcp-01
Many devices that require authentication will be shipped with
default
authentication credentials, so that the customer can authenticate to
the device using those credentials until they are changed. Each
device that requires authentication SHOULD be instantiated either
prior to shipping, or on initial configuration by the user, with
credentials unique to that device. If a device is not instantiated
with device-unique credentials, that device MUST NOT permit
normal operation until those credentials have been changed to
something other than the default credentials.

Explanation: devices that were shipped with default passwords


Internet have been implicated in several serious denial-of-service attacks on
Engineering Best Current widely-used Internet services.
Task Force Practices (BCP) for https://tools.ietf.org/html/draft-moore-
(IETF) IoT Devices 2.2.5 iot-security-bcp-01
Department for Digital, Culture, Media and Sport 14
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
Internet
Research
Task Force
(IRTF) Thing-
to-Thing State-of-the-Art and Flaws in the design and implementation of IoT devices and
Research Challenges for the networks can lead to security vulnerabilities. A common flaw is the
Group Internet of Things use of well-known or easy-to-guess passwords for configuration of https://datatracker.ietf.org/doc/draft-irtf-
(T2TRG) Security 5.11 IoT devices. t2trg-iot-seccons/

If a connection requires a password or passcode or passkey for https://www.iotsecurityfoundation.org/w


IoT Security connection authentication, the factory issued or reset password is p-content/uploads/2017/12/IoT-
IoT Security Compliance unique to each device and is not derived e.g. from serial numbers. Security-Compliance-
Foundation Framework 1.1 2.4.7.7 Examples are WiFi access passwords and Bluetooth PINS Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security Where a wireless interface has an initial pairing process, the p-content/uploads/2017/12/IoT-
IoT Security Compliance passkeys are changed from the factory issued or reset password Security-Compliance-
Foundation Framework 1.1 2.4.7.9 prior to providing normal service. Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security p-content/uploads/2017/12/IoT-
IoT Security Compliance Where WPA2 WPS is used it has a unique, random key per device Security-Compliance-
Foundation Framework 1.1 2.4.7.11 and enforces exponentially increasing retry attempt delays. Framework_WG1_2017.pdf
Department for Digital, Culture, Media and Sport 15
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

https://www.iotsecurityfoundation.org/w
IoT Security Where a user interface password is used for login authentication, p-content/uploads/2017/12/IoT-
IoT Security Compliance the factory issued or reset password is unique to each device in the Security-Compliance-
Foundation Framework 1.1 2.4.8.3 product family. Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security p-content/uploads/2017/12/IoT-
IoT Security Compliance Security-Compliance-
Foundation Framework 1.1 2.4.8.4 The product does not accept the use of null or blank passwords. Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security p-content/uploads/2017/12/IoT-
IoT Security Compliance The product will not allow new passwords containing the user Security-Compliance-
Foundation Framework 1.1 2.4.8.5 account name with which the user account is associated. Framework_WG1_2017.pdf

The product/system enforces passwords to be compliant as NIST https://www.iotsecurityfoundation.org/w


IoT Security SP800-63b [Section 5.1.1.2] or similar recommendations on: p-content/uploads/2017/12/IoT-
IoT Security Compliance password length; characters from the groupings and special Security-Compliance-
Foundation Framework 1.1 2.4.8.6 characters. Framework_WG1_2017.pdf
Department for Digital, Culture, Media and Sport 16
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

The product allows the factory issued or OEM login accounts to be


disabled, erased or renamed. This is to avoid the type of attacks https://www.iotsecurityfoundation.org/w
IoT Security where factory default logins and passwords are published on the p-content/uploads/2017/12/IoT-
IoT Security Compliance web, which allows attackers to mount very simple scanning and Security-Compliance-
Foundation Framework 1.1 2.4.8.12 dictionary attacks on devices. Framework_WG1_2017.pdf

The product supports having any or all of the factory default user
login passwords, altered prior to normal service. This is to avoid the https://www.iotsecurityfoundation.org/w
IoT Security type of attacks where factory default logins and passwords are p-content/uploads/2017/12/IoT-
IoT Security Compliance published on the web, which allows attackers to mount very simple Security-Compliance-
Foundation Framework 1.1 2.4.8.13 scanning and dictionary attacks on devices. Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security Where a web user interface password is used for login p-content/uploads/2017/12/IoT-
IoT Security Compliance authentication, the initial password or factory reset password is Security-Compliance-
Foundation Framework 1.1 2.4.10.4 unique to each device in the product family. Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security Where an application’s user interface password is used for login p-content/uploads/2017/12/IoT-
IoT Security Compliance authentication, the initial password or factory reset password is Security-Compliance-
Foundation Framework 1.1 2.4.11.1 unique to each device in the product family. Framework_WG1_2017.pdf
Department for Digital, Culture, Media and Sport 17
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

IoT Security Initiative | Security Design Best Practices
Do not code in "secret" login bypasses/access methods – even if just for seemingly temporary Dev/Test purposes.
https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
If creating default credentials, create quality randomized and unique passwords/symmetric-keys.
https://www.iotsi.org/security-best-practices

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 13
Include strong authentication by default, including providing unique, system-generated or single use passwords; or alternatively use secure certificate credentials. As necessary, require use of unique passwords for administrative access, delineating between devices and services and the respective impact of factory resets.
https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 14
Provide generally accepted recovery mechanisms for IoT application(s) and support passwords and/or mechanisms for credential reset using multi-factor verification and authentication (email and phone, etc.) where no user password exists.
https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 15
Take steps to protect against ‘brute force’ and/or other abusive login attempts (such as automated login bots, etc.) by locking or disabling user and device support account(s) after a reasonable number of invalid login attempts.
https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Open Web Application Security Project (OWASP) | IoT Security Guidance | I1: Insecure Web Interface
Ensure that any web interface in the product disallows weak passwords.
https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I6: Insecure Cloud Interface
Ensure that any cloud-based web interface disallows weak passwords.
https://www.owasp.org/index.php/IoT_Security_Guidance
Open Web Application Security Project (OWASP) | IoT Security Guidance | I6: Insecure Cloud Interface
Ensure that users have the option to require strong passwords.
https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I7: Insecure Mobile Interface
Ensure that any mobile application disallows weak passwords.
https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I7: Insecure Mobile Interface
Ensure that users have the option to require strong passwords.
https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I8: Insufficient Security Configurability
Ensure password security options are made available (e.g. enabling 20 character passwords or enabling two-factor authentication).
https://www.owasp.org/index.php/IoT_Security_Guidance

U.S. Department of Homeland Security | Strategic Principles for Securing the Internet of Things (IoT)
Enable security by default through unique, hard to crack default user names and passwords. User names and passwords for IoT devices supplied by the manufacturer are often never changed by the user and are easily cracked. Botnets operate by continuously scanning for IoT devices that are protected by known factory default user names and passwords. Strong security controls should be something the industrial consumer has to deliberately disable rather than deliberately enable.
https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
US Senate | S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill) | SEC.3 (a) (1) (A) (i) (IV)
IN GENERAL.—A clause that requires the contractor providing the Internet-connected device to provide written certification that the device (IV) does not include any fixed or hard-coded credentials used for remote administration, the delivery of updates, or communication.
https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
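The rows mapped to this guideline converge on three controls a product team has to implement rather than merely state: factory passwords that are unique per device and generated from a cryptographic random source (IoTSF 2.4.10.4, IoTSI, DHS), rejection of weak and published-default passwords on every interface (OWASP I1, I6, I7), and lockout after repeated failed logins (OTA 15). The Go program below is an added example written for this page, not code from any of the cited documents. The label alphabet, the 12-character minimum, the five-attempt/15-minute lockout and the knownDefaults list are assumptions chosen for illustration; a real product would load a much larger list of published defaults and would verify the stored credential with a proper KDF inside checkCredential.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// labelAlphabet: letters and digits minus those easily misread on a printed
// device label (0/O, 1/l/I). 56 symbols, so 16 characters carry about 93 bits.
const labelAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"

// GenerateDevicePassword draws n characters uniformly from labelAlphabet using
// the OS CSPRNG (crypto/rand, never math/rand), so no two devices in a product
// family leave the factory with the same password.
func GenerateDevicePassword(n int) (string, error) {
	if n < 12 {
		return "", errors.New("factory password must be at least 12 characters")
	}
	alphabetLen := big.NewInt(int64(len(labelAlphabet)))
	var sb strings.Builder
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, alphabetLen) // rejection sampling, no modulo bias
		if err != nil {
			return "", err
		}
		sb.WriteByte(labelAlphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// knownDefaults is a constructed sample (assumption) of the published factory
// credentials that botnet scanners try first.
var knownDefaults = map[string]bool{
	"admin": true, "password": true, "12345678": true,
	"administrator": true, "password1234": true, "defaultpassword": true,
}

// CheckPassword rejects a candidate that is short, on the published-default
// list, or equal to the user name. Web, cloud and mobile interfaces should all
// apply the same rule, so a weak password cannot be set from any of them.
func CheckPassword(username, password string) error {
	switch {
	case len(password) < 12:
		return errors.New("password shorter than 12 characters")
	case knownDefaults[strings.ToLower(password)]:
		return errors.New("password is a published factory default")
	case strings.EqualFold(username, password):
		return errors.New("password equals the user name")
	}
	return nil
}

// Throttle locks an account for lockFor after maxFailures consecutive bad
// logins; this is the control that defeats online dictionary attacks.
type Throttle struct {
	mu          sync.Mutex
	maxFailures int
	lockFor     time.Duration
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewThrottle(maxFailures int, lockFor time.Duration) *Throttle {
	return &Throttle{maxFailures: maxFailures, lockFor: lockFor,
		failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

// Attempt runs checkCredential (the caller's real verification, e.g. comparing
// a KDF output) only while the account is not locked, and reports the outcome.
func (t *Throttle) Attempt(account string, checkCredential func() bool) (ok, locked bool) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if until, exists := t.lockedUntil[account]; exists && time.Now().Before(until) {
		return false, true // locked: the credential is not even evaluated
	}
	if checkCredential() {
		delete(t.failures, account)
		delete(t.lockedUntil, account)
		return true, false
	}
	t.failures[account]++
	if t.failures[account] >= t.maxFailures {
		t.lockedUntil[account] = time.Now().Add(t.lockFor)
		t.failures[account] = 0
		return false, true
	}
	return false, false
}

func main() {
	pw, err := GenerateDevicePassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Println("factory password for this unit:", pw, "| policy:", CheckPassword("admin", pw))
	fmt.Println("published default:", CheckPassword("admin", "administrator"))
	th := NewThrottle(5, 15*time.Minute)
	for i := 1; i <= 6; i++ { // constructed run of wrong guesses against "admin"
		ok, locked := th.Attempt("admin", func() bool { return false })
		fmt.Printf("attempt %d: ok=%v locked=%v\n", i, ok, locked)
	}
}
```

The per-device password is what gets printed on the label or QR code at manufacture; the lockout state is per account, so an attacker hammering "admin" does not lock out other users, and a correct password presented during the lock window is still refused, which is the behaviour OTA 15 asks for.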
Code of Practice: 2 - Implement a vulnerability disclosure policy


Columns: Organisation | Standard / Recommendation Name | Recommendation Number / Section; then the recommendation extracted from the linked source; then the web link.

Alliance for Internet of Things Innovation (AIOTI) | Report on Workshop on Security and Privacy in the Hyper-connected World | Accountability & Risk Impact Assessment by Design
Any data controller and processor to be accountable for regulatory, contractual and ethical compliance. If data is compromised, disclosed, accessed or lost, clear statement by vendors, data controllers and data processors on impact is another prerequisite.
https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Alliance for Internet of Things Innovation (AIOTI) | Report on Workshop on Security and Privacy in the Hyper-connected World | Basic Requirements on IoT HARDWARE AND COMPONENTS
Sharing information about incidents/potential vulnerabilities between manufacturers.
https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Alliance for Internet of Things Innovation (AIOTI) | Report on Workshop on Security and Privacy in the Hyper-connected World | Basic Requirements on APPLICATIONS
Data should be encrypted on the application layer. End-to-End Security, cryptographic principles and key management are extremely important and should be carefully described.
https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf
Atlantic Council Scowcroft Center for Strategy and Security | Smart Homes and the Internet of Things
A published policy accepting help from willing allies acting in good faith, such as customers and security researchers, who find and report flaws.
http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.1
Bug reporting system. Manufacturers should provide a bug reporting system with a well-defined bug submission mechanism and documented response policy.
http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.10
Report discovery and remediation of software vulnerabilities. Manufacturers should report discovery and remediation of software vulnerabilities that pose security or privacy threats to consumers.
http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.10
Vulnerability reporting process. Manufacturers should provide a vulnerability reporting process with a well-defined, easy-to-locate, and secure vulnerability reporting form, as well as a documented response policy. Manufacturers should consider compliance with ISO 30111 [108], a standard for vulnerability report handling.
http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
CableLabs | A Vision for Secure IoT | Detection and Identification Systems
Cable operators have widely deployed and continue to improve systems that are designed to detect compromised customer-owned devices controlled by botnets. These systems rely on (i) high-quality, third-party data feeds that identify sources of malicious traffic on the operator’s network, (ii) DNS based anomaly detection systems, (iii) NetFlow detection systems that seek to identify devices communicating with known command and control servers, and (iv) email metadata to identify compromised customer devices originating SPAM.
https://www.cablelabs.com/insights/vision-secure-iot/

CableLabs | A Vision for Secure IoT | Vulnerability Management
An IoT provider should have a well-defined procedure for receiving reports of security issues for their devices. The procedure should include status reporting and a timeline to address the problem that is provided to the individual or entity that submitted the security vulnerability. At a minimum, the IoT provider should publicly and prominently disclose an email address, a telephone number, and a website where security issues can be submitted to the company. Once there is a remedy to the vulnerability, the IoT provider should have a mechanism to publicly disclose the vulnerability and associated remedy.
https://www.cablelabs.com/insights/vision-secure-iot/

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-OP-05
Establish procedures for analysing and handling security incidents. For any incident there should be a response to:
a) confirm the nature and extent of the incident;
b) take control of the situation;
c) contain the incident; and
d) communicate with stakeholders.
Establish management procedures in order to ensure a quick, effective and orderly response to information security incidents.
https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-OP-06
Coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities. A coordinated disclosure policy should involve developers, manufacturers, and service providers, and include information regarding any vulnerabilities reported to a computer security incident response team (CSIRT).
https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-OP-07
Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners. Information sharing is a critical tool in ensuring stakeholders are aware of threats as they arise.
https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-OP-08
Create a publicly disclosed mechanism for vulnerability reports. Bug Bounty programs, for example, rely on crowdsourcing methods to identify vulnerabilities that companies’ own internal security teams may not catch.
https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
European Union Agency for Network and Information Security (ENISA) | Security and Resilience of Smart Home Environments | 8.3
Vendors’ awareness
IoT vendors shall keep track of vulnerabilities in other IoT products, especially in the context of Smart Home Environments. For that purpose, vendors can hire or train security experts to understand security vulnerabilities in IoT, as they can only get worse with a wider adoption of the products. It is also important to consider early warnings on security issues provided by users and researchers, as they contribute to reducing the attack surface on devices and services.
By raising the awareness level of IoT companies to security, product security will be improved and vendors will reduce the threats they face and associated reputation issues. It is particularly true for vendors with limited experience in security.
https://www.ENISA.europa.eu/publications/security-resilience-good-practices

GSMA | GSMA Coordinated Vulnerability Disclosure Programme (CVD)
See GSMA Coordinated Vulnerability Disclosure Programme.
https://www.gsma.com/security

I am the Cavalry | Hippocratic Oath for Connected Medical Devices | Third-Party Collaboration
I acknowledge that vulnerabilities will persist, despite best efforts. I will invite disclosure of potential safety or security issues, reported in good faith.
Software flaws identified before they become safety issues give defenders an advantage. Manufacturers with the capability to receive and investigate flaws quickly increase this advantage. Those who encourage and act on reporting from independent sources can also reduce cost and exposure beyond what is possible with internal review alone. Value from researcher-manufacturer collaborations has led to manufacturers incentivizing research via recognition and reward programs.
https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf

I am the Cavalry | Hippocratic Oath for Connected Medical Devices | Stakeholder communication
Communication to stakeholders should be prompt, transparent, and forthright. Manufacturers should notify relevant stakeholders when and where flaws exist, their severity, contents of the update, and instructions for each role. Updates may be exclusively communication about workarounds, warnings, unsafe conditions, labeling, instructions for use, or other relevant information.
https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf

IEEE | IoT Security Principles and Best Practices | 10
Recently a bill was drafted for the Senate of the State of Michigan which would punish automobile hacking with a sentence of life in prison. One of the authors contacted one of the senators proposing the legislation and that senator agreed to modify the bill to allow hacking for beneficial research purposes. Researchers who discover serious vulnerabilities and report them responsibly provide a service to the industry similar to people who discover safety flaws in automobiles and other safety-critical machinery. Legitimate security research may be hindered by excessive legislation. One way to differentiate between research and unethical hacking is to mandate responsible disclosure of discovered vulnerabilities. Responsible disclosure requires the researcher to first notify the manufacturer or governing authorities and allow reasonable time for the vulnerability to be independently verified and fixed before going public with a system hack. Another, less desirable, approach might be to require researchers to first register with a government office or the manufacturer before attempting to break into a device.
https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 5.2
Vendors MUST provide an easy to find way for reporting of security bugs, which is free of charge.
https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.5
A policy has been established for dealing with both internal and third party security researcher(s) on the products or services.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.6
A security policy has been established for addressing changes, such as vulnerabilities, that could impact security and affect or involve technology or components incorporated into the product or service provided.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.7
Processes and plans are in place based upon the IoTSF “Vulnerability Disclosure Guidelines” or a similar recognised process to deal with the identification of a security vulnerability or compromise when they occur.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.8
A process is in place for consistent briefing of senior executives in the event of the identification of a vulnerability or a security breach, especially those who may deal with the media or make public announcements. In particular, that any public statements made in the event of a security breach should give as full and accurate an account of the facts as possible.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.9
There is a secure notification process based upon the IoTSF “Vulnerability Disclosure Guidelines” or a similar recognised process, for notifying partners/users of any security updates.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.11
As part of the Security Policy develop specific contact web pages for Vulnerability Disclosure reporting.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.12
As part of the Security Policy provide a dedicated security email address and/or secure webform for Vulnerability Disclosure communications.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.13
As part of the Security Policy develop a conflict resolution process for Vulnerability Disclosures.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.13
As part of the Security Policy publish the organisation’s conflict resolution process for Vulnerability Disclosures.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.14
As part of the Security Policy develop response steps and performance targets for Vulnerability Disclosures.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.15
As part of the Security Policy develop security advisory notification steps.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.16
The Security Policy shall be compliant with ISO 30111 or similar standard.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.2
The following is some proposed text for inclusion on a Vulnerability Disclosure page on a company website, to be approved by the company’s legal team. Some companies also choose to specify what they consider to be unacceptable security research (such as that which would lead to the disclosure of customer data):

“[Company Name] takes security issues extremely seriously and welcomes feedback from security researchers in order to improve the security of its products and services. We operate a policy of coordinated disclosure for dealing with reports of security vulnerabilities and issues.

To privately report a suspected security issue to us, please send an email to securityalert@<companydomain>, giving as much detail as you can. We will respond to you as soon as possible. If the suspected security issue is confirmed, we will then come back to you with an estimate of how long the issue will take to fix. Once the fix is available, we will notify you and recognise your efforts on this page.

Thank You

Thanks to the following people who have helped make our products and services more secure by making a coordinated disclosure with us:
[Name/alias, Twitter handle]”
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf
IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.3
The email address securityalert@<companydomain> or security@<companydomain> is a de facto standard for researchers who disclose vulnerabilities to organisations. We recommend that organisations create and monitor both of these email addresses where possible.

It is important to provide a secure mechanism for communication about security issues, to avoid any risk of the communication being intercepted and the information being used maliciously.

It is recommended that organisations provide a secured web form for the initial contact message, as this does not require the reporting party to install email encryption software and the necessary encryption keys, which can be prone to error. Nevertheless, organisations should consider also publishing a public key with which emails can be encrypted for confidentiality.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.4
Security researchers may have a wide variety of backgrounds and expectations; they may be, for example, hobbyists unused to business processes, academics who desire the freedom to publish research, or professional consultants building a reputation for expertise in finding security problems. It is important, in communication with researchers, that due consideration and recognition is given to the effort that they have made into researching the particular security problem. Their motivation and expectations may well differ from yours, so it is imperative that they are given enough room to work with you and that a constructive, understanding tone is adopted at all times even if their actions may seem inappropriate in your business context.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf
IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.5
It is likely that at some point, there are going to be issues where both parties disagree. The Organisation for Internet Safety guidelines [OIS] included recommendations on how to resolve such conflicts in the context of an organisation’s published vulnerability disclosure process. In summary:
• Leave the process only after exhausting reasonable efforts to resolve the disagreement;
• Leave the process only after providing notice to the other party;
• Resume the process once the disagreement is resolved.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.6
The text on your security contact web page should state in what time frame the security researcher can expect a response; this will typically be a few days, perhaps up to a week. It is good practice to send an automatic acknowledgement for email sent to the contact email address including the same details on the expected response time. The following response should then further clarify expectations regarding the timing of further communications and, once a problem has been confirmed, in what time frame a patch, fix or other remediation is expected to be made available.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.7
The organisation should have a mechanism via which security advisories can be issued, so that users can be informed once a problem is fixed. This should be done via a secure webpage to authenticate the information. Some organisations also use security announcement mailing lists; it is good practice to digitally sign the advisory email text so that it can be authenticated.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf
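IoTSF 2.7 asks for advisories that users can authenticate, either from a secure web page or as a digitally signed mailing-list message. The Go program below is an added example written for this page, not code from the IoTSF guidelines, showing what that signing and verification looks like with Ed25519 from the Go standard library: the vendor signs the canonicalised advisory text and appends a detached signature trailer, and a recipient who holds the vendor's public key verifies it before acting on the notice. Any change to the text, or a signature made with a different key, is rejected. The trailer markers, the canonicalisation rule and the sample advisory are assumptions; the public key is assumed to be published out of band on the same page as the disclosure policy (next to the encryption key that 2.3 recommends), since a key delivered inside the message it signs proves nothing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Trailer markers are an assumption for this example; PGP/MIME or S/MIME
// would be the production equivalents.
const (
	sigBegin = "\n-----BEGIN SIGNATURE-----\n"
	sigEnd   = "\n-----END SIGNATURE-----\n"
)

// AdvisoryPublisher holds the vendor's signing key. The private half stays
// with the security response team; the public half is published where users
// already look for the disclosure policy.
type AdvisoryPublisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAdvisoryPublisher() (*AdvisoryPublisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AdvisoryPublisher{priv: priv, Pub: pub}, nil
}

// canonical normalises line endings and trailing newlines so that a mail
// gateway rewriting CRLF cannot make a genuine advisory fail verification.
func canonical(text string) string {
	return strings.TrimRight(strings.ReplaceAll(text, "\r\n", "\n"), "\n")
}

// Sign returns the canonical advisory text followed by a detached Ed25519
// signature in a base64 trailer, the form a signed announcement email carries.
func (p *AdvisoryPublisher) Sign(advisory string) string {
	body := canonical(advisory)
	sig := ed25519.Sign(p.priv, []byte(body))
	return body + sigBegin + base64.StdEncoding.EncodeToString(sig) + sigEnd
}

// Verify splits a signed message, checks the trailer against pub and returns
// the advisory text. A changed body, a changed trailer or a signature made
// with another key all fail, so a user cannot be fed a forged "update now" notice.
func Verify(pub ed25519.PublicKey, signed string) (string, error) {
	signed = strings.ReplaceAll(signed, "\r\n", "\n")
	i := strings.Index(signed, sigBegin)
	if i < 0 {
		return "", errors.New("no signature trailer")
	}
	body := signed[:i]
	rest := signed[i+len(sigBegin):]
	j := strings.Index(rest, strings.TrimRight(sigEnd, "\n"))
	if j < 0 {
		return "", errors.New("unterminated signature trailer")
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSpace(rest[:j]))
	if err != nil {
		return "", err
	}
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, []byte(body), sig) {
		return "", errors.New("signature does not verify: advisory may be forged or altered")
	}
	return body, nil
}

func main() {
	p, err := NewAdvisoryPublisher()
	if err != nil {
		panic(err)
	}
	// Constructed sample advisory, not a real one.
	advisory := "Security Advisory EXAMPLE-001\r\nAffected: firmware before 1.2.0\r\nAction: update to 1.2.0\r\n"
	signed := p.Sign(advisory)
	fmt.Println(signed)
	if body, err := Verify(p.Pub, signed); err == nil {
		fmt.Println("verified advisory of", strings.Count(body, "\n")+1, "lines")
	}
	_, err = Verify(p.Pub, strings.Replace(signed, "1.2.0", "1.1.0", 1))
	fmt.Println("tampered copy:", err)
}
```

The same key pair can sign the advisory page itself or an update manifest; what matters for 2.7 is that the verification key reaches users through a channel the attacker does not control, and that clients refuse to act on an advisory whose signature does not verify rather than merely warning about it.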
IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.8
It is standard practice as a gesture of goodwill and recognition of security researchers’ efforts to name security researchers who have cooperated in a vulnerability disclosure, although it is important to confirm their consent to this before publicly identifying them. The acknowledgement is often done on the same web page as the vulnerability disclosure policy. It is generally expected that a researcher’s Twitter handle (if available) will also be included.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.9
Crediting a security researcher does not necessarily indicate that they are financially compensated and such compensation is not generally expected. Companies may wish to introduce “bug bounty” programmes or work with intermediaries who manage such programmes on behalf of companies, but this topic is out of the scope of these recommendations.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

IoT Security Foundation | Vulnerability Disclosure Best Practice Guidelines | 2.10
It can be argued that, by publishing a Vulnerability Disclosure policy, organisations could be encouraging hackers in the name of security research. This is a misleading argument as, without a published policy, the organisation is turning a blind eye to research that would otherwise go on without its knowledge. Companies can fall into the trap of “shooting the messenger” when it comes to the disclosure of a vulnerability. This is why some people are suspicious of approaching a company when they discover a security issue.

A company should, however, not encourage damaging activity. Some security pages explicitly exclude certain types of research – for example Denial of Service attacks on a site or the hacking into systems in order to expose customer data. An example of this can be found in the IoT Security Foundation’s own vulnerability disclosure policy: http://www.iotsecurityfoundation.org/security.
https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf
Organisation: IoT Security Foundation
Standard / Recommendation Name: Vulnerability Disclosure Best Practice Guidelines
Recommendation Number / Section: 3
Recommendation: Successful vulnerability disclosure management must involve a nominated responsible person. It is suggested that this should be the CISO, or a Head of Security Response if one is appointed. In addition to this, it is recommended that confirmed disclosure emails sent to the disclosure email address are distributed to a list of senior staff that should be aware of disclosures that are underway. The remaining steps should continue as per the standard internal security incident handling processes of the organisation, with the added aspects of communicating with the security researcher on a regular basis to update and possibly asking for additional information or assistance. The final step is the creation of the security advisory and agreeing the “go public” date with the researcher.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/Vulnerability-Disclosure_WG4_2017.pdf

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 8
Recommendation: The public vulnerability disclosure contact details are clearly identified on both the manufacturer's Device Security Level Agreement (DSLA) page and any solution web sites.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 5
Recommendation: Establish coordinated vulnerability disclosure including processes and systems to receive, track and promptly respond to external vulnerability reports from third parties, including but not limited to customers, consumers, academia and the research community. Remediate post product release design vulnerabilities and threats in a publicly responsible manner either through remote updates and/or through actionable consumer notifications or other effective mechanism(s). Developers should consider “bug bounty” programs and crowdsourcing methods to help identify vulnerabilities.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation Number / Section: (not given)
Recommendation: Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities. A coordinated disclosure policy should involve developers, manufacturers, and service providers, and include information regarding any vulnerabilities reported to a computer security incident response team (CSIRT). The US Computer Emergency Readiness Team (US-CERT), Industrial Control Systems (ICS)-CERT, and other CSIRTs provide regular technical alerts, including after major incidents, which provide information about vulnerabilities and mitigation.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation Number / Section: (not given)
Recommendation: Consider creating a publicly disclosed mechanism for using vulnerability reports. Bug Bounty programs, for example, rely on crowdsourcing methods to identify vulnerabilities that companies’ own internal security teams may not catch.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (A) (ii) (I)
Recommendation: (I) APPLICATION FOR WAIVER.—At the time of submitting a proposal to an executive agency, a contractor may submit a written application for a waiver from the requirement under clause (i)(I) for the purpose of disclosing a known vulnerability to the executive agency.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (A) (ii) (II)
Recommendation: (II) CONTENTS.—An application submitted under subclause (I) shall—
(aa) identify the specific known vulnerability;
(bb) include any mitigation actions that may limit or eliminate the ability for an adversary to exploit the vulnerability; and
(cc) include a justification for secure use of the device notwithstanding the persisting vulnerability.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (A) (ii) (III)
Recommendation: (III) APPROVAL.—If the head of the purchasing executive agency approves the waiver, the head of the purchasing executive agency shall provide the contractor a written statement that the executive agency accepts such risks resulting from use of the device with the known vulnerability as represented by the contractor.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (B)
Recommendation: (B) NOTIFICATION REQUIRED.—A clause that requires the contractor providing the Internet-connected device software or firmware component to notify the purchasing agency of any known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher or of which the vendor otherwise becomes aware for the duration of the contract.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (b) (1)
Recommendation: (1) IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, the National Protection and Programs Directorate, in consultation with cybersecurity researchers and private-sector industry experts, shall issue guidelines for each agency with respect to any Internet-connected device in use by the United States Government regarding cybersecurity coordinated disclosure requirements that shall be required of contractors providing such software devices to the United States Government.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (b) (2) (A)
Recommendation: (2) CONTENTS.—The guidelines required to be issued under paragraph (1) shall—
(A) include policies and procedures for conducting research on the cybersecurity of an Internet-connected device, which shall be based, in part, on Standard 29147 of the International Standards Organization, or any successor standard, relating to the processing and resolving of potential vulnerability information in a product or online service, such as—
(i) procedures for a contractor providing an Internet-connected device to the United States Government on how to—
(I) receive information about potential vulnerabilities in the product or online service of the contractor; and
(II) disseminate resolution information about vulnerabilities in the product or online service of the contractor; and
(ii) guidance, including example content, on the information items that should be produced through the implementation of the vulnerability disclosure process of the contractor; and
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (b) (2) (B)
Recommendation: (B) require that research on the cybersecurity of an Internet-connected device provided by a contractor to the United States Government shall be conducted on the same class, model, or type of the device provided to the United States Government and not on the actual device provided to the United States Government.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.4
Recommendation: The Director of NIST shall ensure that NIST establishes, maintains, and uses best practices in the identification and tracking of vulnerabilities for purposes of the National Vulnerability Database of NIST.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Code of Practice: 3 - Keep software updated


Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Digitisation of Industry Policy Recommendations
Recommendation Number / Section: 3.32 (i) Third bullet point
Recommendation: Promote that over the life cycle of any products and services there is regular updating of security measures, including to address emerging threats.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf

Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation Number / Section: Software/firmware update capability
Recommendation: Every network-connected device should have a means for authorized operators to update the device’s software and firmware (e.g. software-over-the-air/SOTA and firmware-over-the-air/FOTA). Ideally, the updating process will be highly automated while still providing cryptographic checks to allow updates from an authorized source.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: Atlantic Council Scowcroft Center for Strategy and Security
Standard / Recommendation Name: Smart Homes and the Internet of Things
Recommendation Number / Section: (not given)
Recommendation: A secure, prompt, and agile response to security or other flaws greatly reduces support costs, increases consistency of experience, and allows feature improvements over time.
Web Link: http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: (not given)
Recommendation: IoT Devices Should Ship with Reasonably Current Software. BITAG recommends that IoT devices should ship to customers or retail outlets with reasonably current software that does not contain severe, known vulnerabilities. However, software bugs are somewhat of a “fact of life” and it is not uncommon for new vulnerabilities to be discovered while devices are on the shelf. Hence it is critical for an IoT device to have a mechanism by which devices receive automatic, secure software updates.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.1
Recommendation: IoT Devices Should Have a Mechanism for Automated, Secure Software Updates. BITAG recommends that manufacturers of IoT devices or IoT service providers should therefore design their devices and systems based on the assumption that new bugs and vulnerabilities will be discovered over time. They should design systems and processes to ensure the automatic update of IoT device software, without requiring or expecting any type of user action or even user opt-in.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.2
Recommendation: Use Libraries That Are Actively Maintained and Supported. Many of the recommendations in this report require implementing secure communications channels. Yet, home-grown implementations of cryptographic protocols and secure communications channels can themselves introduce vulnerabilities. BITAG recommends that, when implementing the recommendations in this report, device manufacturers use libraries and frameworks that are actively supported and maintained whenever possible.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Lifecycle Management
Recommendation: IoT security requires vigilance throughout the life of the device – vulnerabilities will be discovered and new threats will emerge after the consumer purchases the device. IoT providers must make lifecycle management a central consideration in the design of every connected device and clearly disclose the key considerations to consumers prior to sale. Specifically, IoT providers must, with limited exception for ephemeral devices, provide secure, automated, software updates during the disclosed security support period. In addition, IoT providers must publicly disclose vulnerability remedies and changes to functionality at end-of-life (EOL)/end-of-support (EOS).
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Software Updates
Recommendation: IoT providers must provide secure, automated software updates throughout a clearly defined and disclosed security support period. By default, the software update mechanism should not require or rely on any consumer action. IoT providers incorporating a secure, automated software update mechanism into their devices recognize the reality that vulnerabilities are discovered in devices after they are deployed and that software updates can mitigate the risks associated with these vulnerabilities.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: End-of-Life (EOL) / End-of-Support (EOS) Functionality
Recommendation: To protect end-users and third-parties, IoT providers should consider limiting device functionality after the security support period ends. Prior to sale, IoT providers should clearly disclose whether and to what extent device functionality will be limited due to an increased risk of vulnerability after the security support period ends. To set consumer expectations, the disclosure should describe exactly what, if any, functionality will be limited at the end of the support period – whether only the “smart” functions and features (e.g., connectivity and control remotely through an app) will become inoperable, or whether core device functionality will be lost as well.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Future (Upgradable) Security
Recommendation: IoT providers should consider and design into their products the ability to have strong security controls including secure cryptographic algorithms/cipher suites for the entire intended and expected life of the device. A device with a short lifespan (e.g., less than one year) may not require the capability to upgrade. In comparison, providers of connected, durable home appliances (e.g., expected service life of 10 or more years) should consider how the security controls will need to evolve over the life of the device.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: Medical Devices and Medical Standard Protocols are Vulnerable to Attack - 4
Recommendation: Provide an ability for customers to easily keep software components (e.g., web servers on the device) patched.
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: IoT products may be deployed in insecure or physically exposed environments - 1
Recommendation: Apply policy based security to force IoT products to update to the latest security critical fw/sw.
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.5
Recommendation: Life cycle controls for IoT edge devices require the management and monitoring of assets to ensure that they are authorized, and secure and regularly updated with the latest firmware, software and patches. In addition, organizations must have a documented method for securely disposing of IoT assets at the end of the life-cycle. Define a life-cycle management approach for IoT devices.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.5.3.1
Recommendation: Making sure that these updates are legitimate and haven’t been tampered with is just as important as with traditional computing technology. System Administrators should outline a process for validating the authenticity and integrity of all updates, and ensure that the end-to-end process for retrieving, storing and then updating IoT devices is secured.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.3.2 first bullet point
Recommendation: If the organization is using any third party or open source libraries, then it is recommended to maintain an inventory of those libraries and keep them updated. Also, check the version and the corresponding vulnerabilities in those versions so that you can avoid using those vulnerable versions. This will ensure that security patches can be applied to the third party or open source libraries used.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.3.3 first bullet point
Recommendation: Take care regarding the sources of the update files and how they were transported. Make sure you scan the files or check their integrity prior to installing them into your device. Check the “reputation” of a file, which can be done in a number of ways. Every computer file has a unique checksum—a relatively short mathematical value for the file. Another reputational characteristic of a file is how widely it has been used. Such assessments create a context for the file, indicating whether it is known to be good or bad or whether it is an unknown risk that should be monitored closely.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: European Commission and AIOTI
Standard / Recommendation Name: Report on Workshop on Security & Privacy in IoT
Recommendation Number / Section: 1) 5)
Recommendation: Life Time Protection – give security, safety and privacy protection over the full life time.
Web Link: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf

Organisation: European Commission and AIOTI
Standard / Recommendation Name: Report on Workshop on Security & Privacy in IoT
Recommendation Number / Section: 1) 6)
Recommendation: Updatability – trusted and transparent updates only by authorised parties, not by malicious actors.
Web Link: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-05
Recommendation: Control the installation of software on operational systems, to prevent unauthenticated software and files being loaded onto it. In the event that the product is intended to allow unauthenticated software, such software should only be run with limited permissions and/or sandbox.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-06
Recommendation: Restore Secure State - Enable a system to return to a state that was known to be secure, after a security breach has occurred or if an upgrade has not been successful.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-18
Recommendation: Ensure the device software/firmware, its configuration and its applications have the ability to update Over-The-Air (OTA), that the update server is secure, that the update file is transmitted via a secure connection, that it does not contain sensitive data (e.g. hardcoded credentials), and that it is signed by an authorised trust entity and encrypted using accepted encryption methods, and that the update package has its digital signature, signing certificate and signing certificate chain, verified by the device before the update process begins. Failing to build in OTA update capabilities will leave devices exposed to threats and vulnerabilities for the entirety of their lifetimes.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-19
Recommendation: Offer an automatic firmware update mechanism. Devices should be configured to check for the existence of firmware updates at frequent intervals. Automatic firmware updates should be enabled by default. A device may offer an option to disable automatic firmware updates and require authentication for it.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-20
Recommendation: Backward compatibility of firmware updates. Automatic firmware updates should not change network protocol interfaces in any way that is incompatible with previous versions. Updates and patches should not modify user-configured preferences, security, and/or privacy settings without user notification. Users should have the ability to approve, authorise or reject updates.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-OP-01
Recommendation: Develop an end-of-life strategy for IoT products. Security patches and updates will eventually be discontinued for some IoT devices. Therefore, developers should prepare and communicate a product sunset plan from the initial stages to ensure that manufacturers and consumers are aware of the risks posed to a device beyond its expected expiry date.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-OP-02
Recommendation: Disclose the duration and end-of-life security and patch support (beyond product warranty). Such disclosures should be aligned to the expected lifespan of the device and communicated to the consumer prior to purchase.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-OP-03
Recommendation: Monitor the performance and patch known vulnerabilities up until the “end-of-support” period of a product’s lifecycle. Due to the limited life cycle of many IoT devices, critical, publicly known security or privacy bugs will pose a risk to consumers using outdated devices.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 7.2.2
Recommendation: Security updates provide protection against vulnerabilities found during the life of a device or application. However this comes at a cost, since support of this functionality also provides an entry point for an attacker. In particular vendors should:
• Provide automatic and timely security updates.
• Protect the updates (typically via encryption and digital signature). The update files must not contain sensitive data. The signature must be verified before the update is applied.
• Protect the application of an update on the device. An attacker should not be able to trigger a firmware installation without an authorization.
• Protect the security update interface against attacks.
Web Link: https://www.enisa.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.4
Recommendation: Over The Air Application Updates
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.10
Recommendation: Every system that is deployed by an organization, and every tier used, has a lifetime. Even if the same product or service is deployed by the organization for decades, the technologies used to drive that product or service will change. Thus, there must not only be a plan for designing and implementing the product or service, there must be a plan to sunset that product or service.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.12-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.6
Recommendation: Updating an execution environment, application image, or TCB is a challenging process. Consider the following example model that simplifies the overall process:
• For each layer of the execution platform, define a network resource such as a unique URL for the new application image
• Generate a signing key for each specific layer
• For all new, authorized versions of each layer, generate an image of that layer
• Include metadata describing the image (version, timestamp, identity, etc.) in the layer image
• Sign the layer image with the signing key
• Make the image, the signature, and the public key available, possibly via the unique network resource, or through an update service
When a new system is deployed it should:
• For each layer:
  o Retrieve the version(s) to be deployed
  o Cryptographically verify the image
  o Deploy the image layer on the system
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.12-v2.0.pdf

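The per-layer signing model in GSMA CLP12_6.6 above, together with the verify-before-install requirements in ENISA GP-TM-18, ENISA 7.2.2 and CSA 5.5.3.1, can be shown end to end in a short Go program. It is an added example for this mapping, not code from GSMA, ENISA, CSA or any of the referenced documents. The Ed25519 keys, the metadata field names, the hypothetical product identifier and the anti-rollback version check are assumptions made for the illustration; the sample image bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LayerMetadata is the descriptive record that accompanies a layer image
// (version, timestamp, identity), plus the hash that binds it to the image.
type LayerMetadata struct {
	Layer     string `json:"layer"`      // e.g. "bootloader", "os", "application"
	Version   uint32 `json:"version"`    // assumed monotonically increasing per layer
	Timestamp int64  `json:"timestamp"`  // build time, Unix seconds
	Identity  string `json:"identity"`   // hypothetical product identifier
	ImageHash string `json:"image_hash"` // SHA-256 of the image bytes, hex encoded
}

// UpdatePackage is what a device retrieves from the layer's update resource.
type UpdatePackage struct {
	Metadata  LayerMetadata
	Image     []byte
	Signature []byte // Ed25519 signature over the canonical JSON metadata
}

// NewLayerKey generates the signing key pair dedicated to one layer.
func NewLayerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignLayer performs the publisher-side steps: hash the image, embed the
// hash in the metadata, and sign the metadata with this layer's key.
func SignLayer(priv ed25519.PrivateKey, layer, identity string, version uint32, image []byte) (UpdatePackage, error) {
	sum := sha256.Sum256(image)
	md := LayerMetadata{
		Layer:     layer,
		Version:   version,
		Timestamp: time.Now().Unix(),
		Identity:  identity,
		ImageHash: hex.EncodeToString(sum[:]),
	}
	canon, err := json.Marshal(md) // struct field order makes this encoding deterministic
	if err != nil {
		return UpdatePackage{}, err
	}
	return UpdatePackage{Metadata: md, Image: image, Signature: ed25519.Sign(priv, canon)}, nil
}

// VerifyLayer performs the device-side checks that must all pass before the
// image is deployed. pinnedPub is the public key the device already trusts
// for this layer; installed is the version currently running.
func VerifyLayer(pinnedPub ed25519.PublicKey, layer string, installed uint32, pkg UpdatePackage) error {
	if pkg.Metadata.Layer != layer {
		return fmt.Errorf("package is for layer %q, expected %q", pkg.Metadata.Layer, layer)
	}
	canon, err := json.Marshal(pkg.Metadata)
	if err != nil {
		return err
	}
	// Signature first: nothing in the metadata is trusted until it verifies.
	if !ed25519.Verify(pinnedPub, canon, pkg.Signature) {
		return errors.New("metadata signature does not verify under the pinned layer key")
	}
	// The signed hash must match the bytes actually received.
	sum := sha256.Sum256(pkg.Image)
	if hex.EncodeToString(sum[:]) != pkg.Metadata.ImageHash {
		return errors.New("image hash does not match the signed metadata")
	}
	// Anti-rollback (added check): a genuine but older signed image is refused.
	if pkg.Metadata.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed version %d", pkg.Metadata.Version, installed)
	}
	return nil
}

func main() {
	appPub, appPriv, err := NewLayerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample image; a real one would be the layer binary.
	image := []byte("constructed application image v2")
	pkg, _ := SignLayer(appPriv, "application", "example-device", 2, image)
	fmt.Println("genuine package:", VerifyLayer(appPub, "application", 1, pkg))

	tampered := pkg
	tampered.Image = bytes.Replace(pkg.Image, []byte("v2"), []byte("v3"), 1)
	fmt.Println("tampered image:", VerifyLayer(appPub, "application", 1, tampered))
}
```

Two design choices are worth noting. The device verifies against a public key it already holds for that layer rather than against a key delivered alongside the image, so possession of the download channel alone does not let anyone publish acceptable images, and compromise of one layer's key does not affect the others. The signature covers the metadata and the metadata carries the image hash, so the image, its version and its layer name are all bound together; swapping in a different image, replaying an older signed version, or presenting a bootloader package to the application layer each fails a specific check.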

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.5
Recommendation: This recommendation implies that a Patch Management process should be implemented by the organization to identify vulnerable services, deploy patches, and monitor the success of implementing those patches.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.12-v2.0.pdf

I am the Cavalry | Hippocratic Oath for Connected Medical Devices | Cyber Safety Updates
Recommendation: I understand that cyber safety will always change. I will support prompt, agile, and secure updates. Once an issue is known that could affect patient care, a faster response improves care delivery. Software updates are faster and less expensive than hardware replacement; and automated, remote software updates are most efficient. Increases in exposure are compensated for by the speed and scale of addressing flaws or weaknesses that could lead to negative outcomes.
Web Link: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf

I am the Cavalry | Hippocratic Oath for Connected Medical Devices | Automation and documentation
Recommendation: Update processes that are more automated and better controlled are less prone to error, delay, malice, misinterpretation, or other issues. Process documentation should outline clear roles and responsibilities for relevant stakeholders and allow development of corresponding processes inside stakeholder groups.
Web Link: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf

I am the Cavalry | Hippocratic Oath for Connected Medical Devices | Secure update process
Recommendation: Processes should verify the authenticity and integrity of software updates to prevent adversarial, malicious, or accidental tampering. Remote update capability can give cost, reputational, and speed advantages if implemented in KNOWN good ways.
Web Link: https://www.iamthecavalry.org/wp-content/uploads/2016/01/I-Am-The-Cavalry-Hippocratic-Oath-for-Connected-Medical-Devices.pdf
IEEE | IoT Security Principles and Best Practices | 2
Recommendation: Inevitably vulnerabilities will be discovered after devices have been deployed. Devices must be patchable or upgradable. Naturally, device firmware should only be modifiable with the proper digital signature. As it stands, device vendors and manufacturers have little financial incentive in ensuring ongoing IoT patch upgrades since revenue comes from the sale of the device, not the maintenance. Upkeep of IoT devices may detract from revenue. In addition, vendors are not legally held accountable to ongoing maintenance of devices beyond initial sales and competition drives vendors to cut corners, negating on quality for efficiency and speed of release into the market. While these factors may not have been critical previous to IoT, the interconnected nature of IoT devices raises the bar to a new level in terms of functionality and accountability.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 7.3
Recommendation: ENDPOINT PROTECTION. Endpoint Secure Configuration and management controls updates of security policy and configuration at the endpoint, including upgrades and patches of known vulnerabilities.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 7.4
Recommendation: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Network Configuration and Management controls updates to all network elements and provides enforcement of security policy and configuration for the communications, including network segmentation, cryptographically protected communications settings, and configuration of gateways and firewalls.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Vulnerabilities in Configuration & Management, ⑬: Vulnerability of the Configuration & Management system may result from improper access control to the configuration management system, insertion of unauthorized changes in the system or corruption of update payloads. Updates to the endpoints should be planned and managed so as to limit the number of different operational configurations and reduce fragmentation of the fleet.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 8.1
Recommendation: ENDPOINT CONFIGURATION AND MANAGEMENT. The endpoint must provide secure and controlled changes to the endpoint components, though in some rare cases no security is desired. All updates and changes should be signed, their payload encrypted and actions logged for subsequent auditing and recovery of the endpoint. These services should be provided non-intrusively to the operational functionality and have a separate logical connectivity to system-level configuration management and control.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 11.5.1
Recommendation: SECURE SOFTWARE PATCHING AND FIRMWARE UPDATE. As the amount and complexity of software increases, so does the number of defects, some of which will be exploitable vulnerabilities. Others may cause unpredictable system failures, timing issues, reduction in system performance, reliability or other unknown problems. Once discovered, these defects can often be fixed by patching. If over-the-air updates are implemented, network-related vulnerabilities that affect the integrity of the over-the-air process should be addressed first.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.4.1
Recommendation: Vendors MUST offer an automatic firmware update mechanism. A discussion about the firmware update mechanisms can be found in [I-D.iab-iotsu-workshop]. Devices SHOULD be configured to check for the existence of firmware updates at frequent but irregular intervals.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.4.2
Recommendation: Automatic firmware updates SHOULD be enabled by default. A device MAY offer an option to disable automatic firmware updates.
Especially for any device for which a firmware update would disrupt operation, the device SHOULD be configurable to allow the operator to control the timing of firmware updates.
If enabling or disabling or changing the timing of the automatic update feature is controlled by a network protocol, the device MUST require authentication of any request to control those features.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.4.3
Recommendation: Automatic firmware updates SHOULD NOT change network protocol interfaces in any way that is incompatible with previous versions. A vendor MAY offer firmware updates which add new features as long as those updates are not automatically initiated.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.4.4
Recommendation: To prevent widespread simultaneous failure of all instances of a particular kind of device due to a bug in a new firmware release, automatic firmware updates SHOULD be phased-in over a short time interval rather than updating all devices at once.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
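Worked example (added here; not from the IETF draft or the DCMS mapping) of the two scheduling points in 2.4.1 and 2.4.4 in Go: update checks at irregular intervals, and a phased rollout in which each device lands in a stable bucket derived from a hash of its identifier and the release name, and the release opens to a growing percentage of buckets over time. The percentage steps, the jitter fraction, the release name and the device identifiers are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"time"
)

// NextCheckDelay returns how long a device waits before its next update
// check: the base interval plus random jitter of up to jitterFrac of it
// (draft-moore 2.4.1: "frequent but irregular intervals"). The jitter also
// spreads fleet load on the update server. unit supplies a value in [0, 1)
// so callers can use math/rand in production and a fixed value in tests.
func NextCheckDelay(base time.Duration, jitterFrac float64, unit func() float64) time.Duration {
	if jitterFrac < 0 || jitterFrac > 1 {
		jitterFrac = 0.25 // assumed default: up to 25% on top of the base
	}
	return base + time.Duration(unit()*jitterFrac*float64(base))
}

// RolloutBucket maps a device to a stable number in [0, 100) from a hash of
// its identifier and the release name. Including the release name means a
// device that was a canary for one release is not the canary every time.
func RolloutBucket(deviceID, release string) uint32 {
	h := sha256.Sum256([]byte(release + "\x00" + deviceID))
	return binary.BigEndian.Uint32(h[:4]) % 100
}

// PhasedPercentage is the share of buckets a release is open to, given the
// time elapsed since the rollout began. The steps (1% canary, then 10%,
// 50%, 100% within a day) are this example's assumption; a real schedule
// would also pause on telemetry showing failures in the early cohort.
func PhasedPercentage(elapsed time.Duration) uint32 {
	switch {
	case elapsed < 0:
		return 0
	case elapsed < 2*time.Hour:
		return 1
	case elapsed < 8*time.Hour:
		return 10
	case elapsed < 16*time.Hour:
		return 50
	default:
		return 100
	}
}

// ShouldUpdate is the device-side decision at check time: take the release
// only if this device's bucket is inside the currently open percentage.
func ShouldUpdate(deviceID, release string, elapsed time.Duration) bool {
	return RolloutBucket(deviceID, release) < PhasedPercentage(elapsed)
}

// FleetShare counts how many of the given devices would update at elapsed.
func FleetShare(deviceIDs []string, release string, elapsed time.Duration) int {
	n := 0
	for _, id := range deviceIDs {
		if ShouldUpdate(id, release, elapsed) {
			n++
		}
	}
	return n
}

// ConstructedFleet returns n made-up device identifiers for the demo.
func ConstructedFleet(n int) []string {
	ids := make([]string, n)
	for i := range ids {
		ids[i] = fmt.Sprintf("device-%05d", i)
	}
	return ids
}

func main() {
	for i := 0; i < 3; i++ {
		fmt.Println("next check in", NextCheckDelay(6*time.Hour, 0.25, rand.Float64))
	}
	fleet := ConstructedFleet(1000)
	for _, e := range []time.Duration{0, 3 * time.Hour, 12 * time.Hour, 24 * time.Hour} {
		fmt.Printf("%v after start: %d of %d devices offered fw-2.1\n", e, FleetShare(fleet, "fw-2.1", e), len(fleet))
	}
}
```

Deriving the bucket from a hash rather than from a server-side list keeps the decision on the device and reproducible, and because the open percentage only grows, a device that has been offered the release is never withdrawn from it by the schedule alone; halting a bad release is a separate, explicit action.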
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.4.5
Recommendation: Firmware updates MUST be authenticated and the integrity of such updates assured before the update is installed. Unauthenticated updates or updates where the authentication or integrity checking fails MUST be rejected.
Firmware updates SHOULD be authenticated using digital signature items that use public key cryptography to verify the authenticity of the signer. Ordinary checksums or hash algorithms are insufficient by themselves, and keyed hashes that use shared secrets are generally discoverable by a determined attacker.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 5.1
Recommendation: Vendors MUST be transparent about their commitment to supply devices with updates before selling products to their customers and what happens with those devices after the support period finishes. Within the support period, vendors SHOULD provide firmware updates whenever new security risks associated with their products are identified. Such firmware updates SHOULD NOT change the protocol interfaces to those products, except as necessary to address security issues, so that they can be deployed without disruption to customers' networks. Firmware updates MAY introduce new features which change protocol interfaces if those features are optional and disabled by default.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) | State-of-the-Art and Challenges for the Internet of Things Security | 5.4
Recommendation: IoT devices are often expected to stay functional for several years and decades even though they might operate unattended with direct Internet connectivity. Software updates for IoT devices are therefore not only required for new functionality, but also to eliminate security vulnerabilities due to software bugs, design flaws, or deprecated algorithms.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/
Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG) | State-of-the-Art and Challenges for the Internet of Things Security | 5.5
Recommendation: Like all commercial devices, IoT devices have a given useful lifetime. The term end-of-life (EOL) is used by vendors or network operators to indicate the point of time in which they limit or end support for the IoT device. This may be planned or unplanned (for example when the manufacturer goes bankrupt, when the vendor just decides to abandon a product, or when a network operator moves to a different type of networking technology). A user should still be able to use and perhaps even update the device. This requires some form of authorization handover.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.3.25
Recommendation: Where remote software upgrade can be supported by the device, there should be a published/transparent and auditable policy and schedule of actions to fix any vulnerabilities found.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.2
Recommendation: Where remote software upgrade can be supported by the device, the software images are digitally signed by the organisation's approved signing authority.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.3
Recommendation: A software update package has its digital signature, signing certificate and signing certificate chain verified by the device before the update process begins.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.4
Recommendation: If remote software upgrade is supported by a device, software images shall be encrypted whilst being transferred to it.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.8
Recommendation: The product has protection against reverting the software to an earlier and potentially less secure version.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.9
Recommendation: The cryptographic key chain used for signing production software is different from that used for any other test, development or other software images, to prevent the installation of non-production software onto production devices.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
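Worked example (added here; it is not IoTSF's code nor part of the DCMS mapping) of requirements 2.4.5.8 and 2.4.5.9 in Go, which is also the monotonic-version downgrade check NTIA describes under "Security Upgradability and Patching" later in this section. The device trusts only the production public key, so a development-signed image is rejected, and it keeps a monotonic record of the highest installed version, so an older or equal version is rejected even when it carries a valid production signature. The package layout, the names and the starting version are assumptions; on real hardware the counter belongs in tamper-resistant non-volatile storage so that local access cannot wind it back.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a minimal signed update package: a version number, the image
// bytes and a signature over both. This layout is the example's own.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// NewKeyPair generates an Ed25519 key pair; the example makes one for the
// production key chain and a separate one for development builds.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// versionAndImage binds the version number to the image so that a version
// field cannot be moved onto a different payload.
func versionAndImage(version uint32, image []byte) []byte {
	msg := make([]byte, 4+len(image))
	binary.BigEndian.PutUint32(msg, version)
	copy(msg[4:], image)
	return msg
}

// SignUpdate produces an update signed with whichever key is given.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, versionAndImage(version, image))}
}

// Device holds the update-relevant state of a production unit: the single
// public key it trusts (the production signing key, IoTSF 2.4.5.9) and a
// monotonic record of the highest version ever installed (2.4.5.8).
type Device struct {
	ProductionKey    ed25519.PublicKey
	InstalledVersion uint32
	image            []byte
}

var (
	ErrBadSignature = errors.New("update is not signed by the production key")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// Install checks the signature first (an unsigned downgrade is just an
// unauthenticated input), then the version, and advances the counter only
// after the new image has been accepted.
func (d *Device) Install(u Update) error {
	if !ed25519.Verify(d.ProductionKey, versionAndImage(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.image = u.Image
	d.InstalledVersion = u.Version
	return nil
}

func main() {
	prodPub, prodPriv := NewKeyPair()
	_, devPriv := NewKeyPair() // development key chain, never provisioned on devices

	unit := &Device{ProductionKey: prodPub, InstalledVersion: 5} // assumed starting state
	fmt.Println("v6, production-signed:", unit.Install(SignUpdate(prodPriv, 6, []byte("image v6"))))
	fmt.Println("v5, production-signed (downgrade):", unit.Install(SignUpdate(prodPriv, 5, []byte("image v5"))))
	fmt.Println("v7, development-signed:", unit.Install(SignUpdate(devPriv, 7, []byte("debug build"))))
	fmt.Println("installed version now:", unit.InstalledVersion)
}
```

The order of the checks matters: the version field is only trustworthy once the signature over it has been verified, and the counter is only advanced after the image is in place, so a failed or interrupted install cannot leave the device believing it runs a version it does not.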

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.10
Recommendation: Production software images should be assessed on release to remove all unnecessary debug and symbolic information. "Know what is being released, and have checks in place to prevent accidental release of superfluous data."
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.11
Recommendation: Development software versions have any debug functionality switched off if the software is operated on the product outside of the product vendors' trusted environment.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.2
Recommendation: Where remote update is supported, there is an established process/plan for validating and delivering updates on an on-going or remedial basis.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Initiative | Security Design Best Practices
Recommendation: Implement reliable and securely managed software/firmware update mechanisms throughout the solution that are link authenticated, encrypted as needed, and verified for authenticity and integrity before implementation on system.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Recommendation: Ship with, and maintain, security updated open source libraries used in products and services created.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 10
Recommendation: The software update support timespan and frequency are clearly identified in the manufacturer's Device Security Level Agreement (DSLA) page.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 11
Recommendation: All device Industry use classifications, with the allowed exception of "Consumer," provide a software patch update support timespan of not less than 6 years from manufacture date.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 12
Recommendation: The Device Security Level Agreement (DSLA) for a device identifies the software update mechanism as either Direct-Physical, Remote-Network-Automatic, or Remote-Network-Manual facilitated.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 14
Recommendation: A device with inbound network services running is supported with remote-network firmware updates by the manufacturer in order to remain in an operational state.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 15
Recommendation: A device without a User Interface notification system and without an owner/operator patch notification system implements Remote-Network-Automatic firmware updates.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

IoT Security Initiative | CyberSecurity Principles of IoT | PRINCIPLE 16
Recommendation: A device with a system classification of "Gateway" implements Remote-Network-Automatic firmware updates.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Microsoft | IoT Security Best Practices | Make upgrades secure
Recommendation: Firmware upgrades during the lifetime of the device are inevitable. Building devices with secure paths for upgrades and cryptographic assurance of firmware versions will allow the device to be secure during and after upgrades.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices
Microsoft | IoT Security Best Practices | Keep the system up-to-date
Recommendation: Ensure that device operating systems and all device drivers are upgraded to the latest versions. If you turn on automatic updates in Windows 10 (IoT or other SKUs), Microsoft keeps it up-to-date, providing a secure operating system for IoT devices. Keeping other operating systems (such as Linux) up-to-date helps ensure that they are also protected against malicious attacks.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 1
Recommendation: Disclose whether the device is capable of receiving security related updates, and if yes, disclose if the device can receive security updates automatically and what user action is required to ensure the device is updated correctly and in a timely fashion.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 6
Recommendation: Ensure a mechanism is in place for automated safe and secure methods to provide software and/or firmware updates, patches and revisions. Such updates must either be signed and/or otherwise verified as coming from a trusted source, including but not limited to signing and integrity checking.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 7
Recommendation: Updates and patches must not modify user-configured preferences, security, and/or privacy settings without user notification. In cases where the device firmware or software is overwritten, on first use the user must be provided the ability to review and select privacy settings.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 8
Recommendation: Security update process must disclose if they are Automated (vs automatic). Automated updates provide users the ability to approve, authorize or reject updates. In certain cases a user may want the ability to decide how and when the updates are made, including but not limited to data consumption and connection through their mobile carrier or ISP connection. Conversely, automatic updates are pushed to the device seamlessly without user interaction and may or may not provide user notice.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 9
Recommendation: Ensure all IoT devices and associated software have been subjected to rigorous, standardized software development lifecycle testing including unit, system, acceptance, and regression testing and threat modeling, along with maintaining an inventory of the source for any third-party/open source code and/or components. Employ generally accepted code and system hardening techniques across a range of typical use case scenarios, including prevention of any data leaks between the device, apps and cloud services. Developing secure software requires thinking about security from a project's inception through implementation, testing, and deployment. Devices should ship with current software and/or on first boot push automatic updates to address any known critical vulnerabilities.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 19
Recommendation: Disclose the duration and end-of-life security and patch support (beyond product warranty). Support may end on a sunset date, such as January 1, 2025, or for a specific duration from time of purchase, not unlike a traditional warranty. Ideally such disclosures should be aligned to the expected lifespan of the device and communicated to the consumer prior to purchase. (It is recognized that IoT devices cannot be indefinitely secure and patchable. Consider communicating the risks of using a device beyond its usability date, and impact and risk to others if warnings are ignored or the device is not retired). If users must pay any fees or subscribe to an annual support agreement this should be disclosed prior to purchase.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1.3
Recommendation: Secure download and boot – To prevent the loading and execution of malicious software, where it is practical, it is recommended that Secure Download and Secure Boot methods that authenticate a binary's source as well as its contents be used.
Web Link: https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf
Open Web Application Security Project (OWASP) | IoT Security Guidance | I9: Insecure Software/Firmware
Recommendation: Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I9: Insecure Software/Firmware
Recommendation: Ensure update files are encrypted and that the files are also transmitted using encryption.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I9: Insecure Software/Firmware
Recommendation: Ensure that update files are signed and then validated by the device before installing.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance
Open Web Application Security Project (OWASP) | IoT Security Guidance | I9: Insecure Software/Firmware
Recommendation: Ensure update servers are secure.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance
Open Web Application Security Project (OWASP) | IoT Security Guidance | I9: Insecure Software/Firmware
Recommendation: Ensure the product has the ability to implement scheduled updates.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance
Symantec | An Internet of Things Security Reference Architecture
Recommendation: IoT systems must have update capabilities built into them from the beginning. Failing to build in OTA update capabilities will leave devices exposed to threats and vulnerabilities for the entirety of their lifetimes. Of course, such update capabilities can be used to manage device configurations, security content, credentials and much more. Similarly, such update capabilities can be used to push functionality and collect telemetry in addition to collecting software inventory information and pushing security patches. However, with or without such additional functionality, basic update capabilities and the ability to manage the security posture of each device must be built into the device from the beginning.
Web Link: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf

U.S. Department of Homeland Security | Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Consider ways in which to secure the device over network connections or through automated means. Ideally, patches would be applied automatically and leverage cryptographic integrity and authenticity protections to more quickly address vulnerabilities.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

U.S. Department of Homeland Security | Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

U.S. Department of Homeland Security | Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Develop an end-of-life strategy for IoT products. Not all IoT devices will be indefinitely patchable and updateable. Developers should consider product sunset issues ahead of time and communicate to manufacturers and consumers expectations regarding the device and the risks of using a device beyond its usability date.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
US National Institute of Standards and Technology (NIST) | NIST SP.800-160 Systems Security Engineering | F.3.3
Recommendation: Secure System Modification. The principle of secure system modification states that system modification must maintain system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform a secure system into an insecure one. The procedures for system modification must ensure that, if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any changes.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
US National Telecommunications and Information Administration (NTIA) | Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation: Mitigations: Signing the update payload cryptographically protects the integrity of the payload, including from undetected intentional modification by a bad actor. It also provides authenticity in the provenance of the payload. This is different from a more traditional approach of using a noncryptographic hash such as a cyclic redundancy check (CRC) or a checksum. These noncryptographic hashes can validate the integrity against naturally occurring corruption of the payload, but can be easily subverted by bad actors. Similarly, failure to use a strong enough cryptographic signature or hash function also fails to completely mitigate these risks. For older, weaker hash functions, an attacker with sufficient motivation and resources could generate a malicious update that generated the same hash as the legitimate update.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
US National Telecommunications and Information Administration (NTIA) | Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation: Mitigation: Encryption of the update before transmission and decryption of the update on the device can reduce the risk of exposure during transmission regardless of the communications path(s) of the update deliverable.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
US National Multistakeholder Basic Implementation: Transport-layer encryption, such as TLS or
Telecommunic Process; Internet of BLE 4.2+, can provide widely-accepted levels of security between
ations and Things (IoT) the endpoints. Using features such as pinning of certificates in TLS
Information Security can authenticate the source, and user-pairing of devices in BLE can
Administration Upgradability and authenticate endpoints. VPNs also offer confidentiality and integrity https://www.ntia.doc.gov/files/ntia/publi
(NTIA) Patching of data in motion. cations/ntia_iot_capabilities_oct31.pdf
US National Multistakeholder
Telecommunic Process; Internet of
ations and Things (IoT) The device receives the update.
Information Security No design risks are specifically associated with the required step.
Administration Upgradability and However normal good security hygiene practices should be https://www.ntia.doc.gov/files/ntia/publi
(NTIA) Patching followed, such as mitigations against buffer overflow cations/ntia_iot_capabilities_oct31.pdf
Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Basic implementation: In addition to the signature and encryption features above, a monotonic versioning system can prevent a downgrade attack.
Further security considerations: A system capable of disallowing previous versions requires an additional step for a manufacturer-driven rollback update, and can make user-driven rollbacks more complex. Alternatively, the device can securely validate the path and source of the update to ensure that the older version is not coming from an untrustworthy source
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Basic Implementation: Manufacturer should consider the use and installation of a device to determine the optimal approach to automatic updates, user control, and uptime criticality.
Depending on the context and use case, there will likely be a need for a balance between giving a user a choice in the updating of devices and pushing an update after a period of time for the good of the user and everyone else on the internet. For more on the question of end user approval of updates, see “Communicating IoT Device Security Update Capability to Improve Transparency for Consumers” by the Working Group on Communicating Upgradability.
Further Security Considerations: If the user does not take action to update the device, the manufacturer or device administrator may wish to take further actions at a future date. How to address a non-updated device is outside the scope of this document.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Basic Implementation: Update image remains encrypted and integrity protected while in motion if traveling across exposed transport media. Support is provided for multiple of layers of systems, devices, or CPUs to be targeted.
Further Security Considerations: The adversary might still be able to try to compromise nonexposed internal communication channels. To address this residual risk, the update image should remain encrypted while in motion.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Similar to the “Check” step above, however this may be performed on a target in a lower “child” relationship, if a hierarchical relationship between update targets is implemented.
Basic Implementation: Each target validates the integrity of the plain text update image using a cryptographic hash signature. Each target decrypts its specific update image, if encrypted.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: During this step, any activities necessary to performing the update on the device can occur, including functions such as erasing flash memory, placing the device in a “safe mode” of operation, ensuring sufficient battery life to complete the operation, etc.
Basic Implementation: No security features are assumed; manufacturer may define them in specific contexts.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: The actual update process occurs. This includes writing to a file structure, updating the binary program space in flash memory, etc.
Basic Security Implementation: No special processing is assumed
Further Security Considerations: When updating multiple internal targets coordination of timing should be considered. If needed, conversion of persistent data on each target should occur during this step. Update is placed into a separate flash region from existing image for reliability purposes (in case a failed update requires a rollback to the previous working version)
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Mitigation: A redundant test of update integrity would confirm that the process of writing the update image to the intended target was performed correctly and that no malicious actor or device / memory failure altered the intended update image.
Basic Implementation: Each target vets the integrity of the installed update.
Further Security Considerations: Potentially use cryptographic hashing.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf
Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Once the code has been verified, it is actually enabled, and execution path switches to the new, updated code. No additional risks are incurred during this step.
Basic Implementation: No special processing is assumed
Further Security Considerations: If multiple flash images are stored (redundant duplicate copies, or previous and current), then activation may entail pointing to the new image for subsequent boot cycles.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US National Telecommunications and Information Administration (NTIA)
Standard / Recommendation Name: Multistakeholder Process; Internet of Things (IoT) Security Upgradability and Patching
Recommendation Number / Section: (not given)
Recommendation: Basic Implementation: No special processing is assumed
Further Security Considerations: If one is concerned about accidental or intentional communication failure, several mitigations exist. One approach is to allow remote querying by a central server. However, this can introduce further risks of attack by confusion or denial of service. Discerning legitimate requests may require further validity checks. It is left up to the implementer to identify the appropriate solution.
For robustness of the system, one concern is coordination of versions between targets on a multi-target system. One solution is notification of successful update across the system by each target.
Web Link: https://www.ntia.doc.gov/files/ntia/publications/ntia_iot_capabilities_oct31.pdf

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (A) (i) (II)
Recommendation: IN GENERAL.—A clause that requires the contractor providing the Internet-connected device to provide written certification that the device— (II) relies on software or firmware components capable of accepting properly authenticated and trusted updates from the vendor;
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt
Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (C)
Recommendation: (C) UPDATES.—A clause that requires such Internet-connected device software or firmware component to be updated or replaced, consistent with other provisions in the contract governing the term of support, in a manner that allows for any future security vulnerability or defect in any part of the software or firmware to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (D)
Recommendation: (D) TIMELY REPAIR.—A clause that requires the contractor to provide a repair or replacement in a timely manner in respect to any new security vulnerability discovered through any of the databases described in subparagraph (A)(i)(I) or from the coordinated disclosure program described in subsection (b) in the event the vulnerability cannot be remediated through an update described in subparagraph (C).
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (E)
Recommendation: (E) CONTINUATION OF SERVICES.—A clause that requires the contractor to provide the purchasing agency with general information on the ability of the device to be updated, such as—
(i) the manner in which the device receives security updates;
(ii) the anticipated timeline for ending security support associated with the Internet-connected device;
(iii) formal notification when security support has ceased; and
(iv) any additional information recommended by the National Telecommunications and Information Administration.
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Code of Practice: 4 - Securely store credentials and security-sensitive data



Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Preset Certified Security Structures
Recommendation: Encryption requirement for identities, access, communication channels and secure storage of keys and to store data at rest – also for secure boot process.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.2
Recommendation: Encrypt Local Storage of Sensitive Data. BITAG recommends that any sensitive or confidential data (e.g., private key, pre-shared key, user or facility information) reside in encrypted storage.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.2
Recommendation: Use Unique Credentials for Each Device. BITAG recommends that each device have unique credentials. If a device uses public-key cryptography (e.g., to sign messages, exchange a session key, or authenticate itself) each device should have a unique, verifiable certificate. If a device is using symmetric key cryptography, pairs of endpoints should never share the symmetric key with other parties.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.2
Recommendation: Use Credentials That Can Be Updated. BITAG recommends that device manufacturers support a secure mechanism by which the credentials used by a device can be updated. However, implementing this recommendation securely requires particular care, since an incorrect implementation may itself introduce a new attack vector.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Confidentiality
Recommendation: Strong confidentiality protections ensure sensitive information remains private and inaccessible to unauthorized parties. Ensuring the confidentiality of sensitive information goes beyond just encryption. IoT devices should protect sensitive data at rest, in use, and in transit and limit the information disclosed in response to anonymous or untrusted requests. The IoT device manufacturer must first identify the sensitive information a device handles. This may include personally identifiable information (PII), protected health information (PHI), credentials, and private keys, to name just a few categories.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: IoT products may be deployed in insecure or physically exposed environments - 3
Recommendation: Encrypt identity/key material within mobile applications when used to establish trust relationships with IoT products
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: Resource constraints in embedded systems limit security options - 1
Recommendation: When possible, use hardware-based security controls to safeguard sensitive information
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.4
Recommendation: Identifying the cryptographic algorithms and key sizes to support within an IoT device is only one aspect of the cryptographic puzzle. These algorithms must be able to operate within a trusted environment and keys must be stored within secure containers. Within larger systems, designers often employ Hardware Security Modules (HSM) for key storage and operations, however HSMs are often not viable for the IoT. Instead designers must explore other options, such as the Trusted Execution Environment (TEE) and Trusted Platform Module (TPM).
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.4.1.1
Recommendation: Depending on the complexity of the IoT device, many application-specific data elements may need to be encrypted when not actively used in executable processes. The device should encrypt these parameters using a DAR encryption key securely stored in a physically hardened, locked down cryptographic module resident in the device. In addition to sensitive application data, all secret and private keys, authentication, access control and other security configurations should be stored encrypted if possible. DAR security is designed to protect private information (e.g., medical data) in the event of device theft or loss.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-01
Recommendation: Employ a hardware-based immutable root of trust. The Hardware Root of Trust is a trusted hardware component which receives control at power-on. It then extends the chain of trust to other hardware, firmware, and software components. The Root of Trust should then be attestable by software agents running within and throughout the infrastructure.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-34
Recommendation: Ensure a proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of data and information (including control messages), in transit and in rest. Ensure the proper selection of standard and strong encryption algorithms and strong keys, and disable insecure protocols. Verify the robustness of the implementation
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-35
Recommendation: Cryptographic keys must be securely managed. Encryption is only as robust as the ability for any encryption based system to keep the encryption key hidden. Cryptographic key management includes key generation, distribution, storage, and maintenance.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-36
Recommendation: Build devices to be compatible with lightweight encryption and security techniques (including entities secure identification, secure configuration, etc.) that can, on the one hand, be usable on resource-constrained devices, and, on the other hand, be scalable so to minimise the management effort and maximise their usability
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-38
Recommendation: Guarantee the different security aspects -confidentiality (privacy), integrity, availability and authenticity- of the information in transit on the networks or stored in the IoT application or in the Cloud, using data encryption methods to minimise network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-40
Recommendation: Ensure credentials are not exposed in internal or external network traffic.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: GSMA
Standard / Recommendation Name: GSMA IoT Security Assessment
Recommendation Number / Section: CLP13_6.2
Recommendation: Utilise a Trust Anchor
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.6
Recommendation: Endpoint devices must be enabled with cryptographically unique identities to ensure that adversaries, competitors, and hobbyists can’t impersonate other users or devices in production environments. To accomplish this adequately, the personalization process must be performed at fabrication. This can be done either through the manufacturer of the particular TCB solution, or during the Printed Circuit Board Assembly (PCB/A) process.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.1
Recommendation: Where possible, processors should use internal CPU memory for the processing of core secrets and cryptographic keys not contained within a trust anchor. This will ensure that if an adversary is monitoring, or capable of manipulating, the memory bus, they will not obtain core secrets, but will only see the effects of the use of these secrets on a running application.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.12
Recommendation: Do not place private cryptographic components in insecure storage on Endpoints, such as SSH private keys, TLS private keys, or passwords
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_9.4
Recommendation: A cold boot attack is a physical attack strategy against computer systems that extracts secrets from a running computer by removing the physical memory from the computer, and placing the memory in a secondary system controlled by the adversary. The benefit of this attack is that the Attacker can run a custom operating system that dumps the contents of RAM to permanent storage. This will allow the Attacker to comb through the retrieved data and determine if there are security related tokens that can be used.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.2
Recommendation: An Organizational Root of Trust is a certificate or public-key based system for authenticating computing platform entities in an organization. Each computing platform in a Service Ecosystem must be cryptographically authenticated during network communications. This diminishes the ability for an insider, or someone within a privileged network position, to impersonate or otherwise abuse the trust of a privileged system.
To build an Organizational Root of Trust, simply perform the following actions:
• Build or acquire, for example, a Hardware Security Module (HSM) to store the organizational root secret
• Generate a root secret and/or certificate
• Ensure the private facet of the secret is stored securely
• Generate a set of one or more signing keys to be used for Tier TCB signing key
• Sign the public facet of the signing key with the organizational root
• Ensure these keys cannot be used without authentication and authorization from the business and engineering leads
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 11.7.2
Recommendation: CREDENTIAL MANAGEMENT PHASE. After the enrollment phase, the credential management phase comprises a number of steps broken down into two categories. The first category comprises the steps required to generate credentials, bind them to an entity, and issue them to the entity to which the credential should be issued. The second category comprises the steps for storing credentials, and end-of-life as well as extending the useful life of the credential.
The first category of steps for credential management brings the entity into the state where the credentials are in place and ready to use. Credential generation includes any steps required to create the credential itself, or to enable or direct the entity to create the credential. Then, during credential binding, the credential, or the means to create it, is associated to the identity assigned to the entity. Finally, during credential issuance, the credential, or the means or directive to create it, is delivered to the entity using a secured and auditable process. The specific process depends on the organizational policy for the environment.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.2.2
Recommendation: A device MUST be designed to protect any secrets used to authenticate to the device (such as passwords or private keys) from disclosure via monitoring of network traffic to or from the device. For example, if a password is used to authenticate a client to the device, that password must not appear "in the clear", or in any form via which extraction of the password from network traffic is computationally feasible.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.10
Recommendation: One existing solution to prevent such data leaks is the use of a secure element, a tamper-resistant device that is capable of securely hosting applications and their confidential data. Another potential solution is the usage of Physical Unclonable Function (PUFs) that serves as unique digital fingerprint of a hardware device. PUFs can also enable other functionalities such as secure key storage. Protection against such data leakage patterns is non-trivial since the devices are inherently resource-constrained. An open question is whether there are any viable techniques to protect IoT devices and the data in the devices in such an adversarial model.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.7
Recommendation: The product’s software signing root of trust is stored in tamper resistant memory.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.19
Recommendation: The production software signing keys are under access control.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.6.4
Recommendation: Files and directories are set to appropriate access privileges on a need to access basis.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.6.5
Recommendation: Passwords file(s) are owned by and are only accessible to and writable by the Devices’ OS’s most privileged account.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.6.8
Recommendation: The product’s OS kernel and its functions are prevented from being called by external product level interfaces and unauthorised applications.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.6.9
Recommendation: Applications are operated at the lowest privilege level possible.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.6.10
Recommendation: All the applicable security features supported by the OS are enabled.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.11 | The OS is separated from the application(s) and is only accessible via defined secure interfaces. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.12 | All network communications keys are stored securely, in accordance with industry standards such as FIPS 140 [5] or similar. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.1 | The product contains a unique and tamper-resistant device identifier (e.g. such as the chip serial number or other unique silicon identifier) which is used for binding code and data to a specific device hardware. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.2 | Where the product has a secure source of time there is a method of validating its integrity, such as Secure NTP. https://www.ntpsec.org/. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.8 | The product securely stores any passwords using an industry standard cryptographic algorithm, compliant with an industry standard such as NIST SP800-63b [26] or similar. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.9 | The product supports access control measures to the root account to restrict access to sensitive information or system processes. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.14 | If the product has a password recovery or reset mechanism, an assessment has been made to confirm that this mechanism cannot readily be abused by an unauthorised party. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.16 | The product allows an authorised factory reset of the device’s authorisation information. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.4 | There is a secure method of key insertion that protects keys against copying. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.7 | The product stores all sensitive unencrypted parameters, (e.g. keys), in a secure, tamper-resistant location. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.9 | In device manufacture all asymmetric encryption private keys that are unique to each device are secured in accordance with FIPS 140 [ref 5] and truly randomly internally generated or securely programmed into each device. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.11.5 | The product securely stores any passwords using an industry standard cryptographic algorithm, for example see FIPS 140 [5]. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.16 | All the related servers and network elements store any passwords using a cryptographic implementation using industry standard cryptographic algorithms, for example see FIPS 140 [5]. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.17 | All the related servers and network elements support access control measures to restrict access to sensitive information or system processes to privileged accounts. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Initiative | Security Design Best Practices | – | Make use of chip-level security and virtualization capabilities, and utilize crypto coprocessors for key creation and storage. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | – | All stored secrets are vulnerable to compromise with enough time and/or resources – ALL. Design and mitigate weakness per risk tolerance. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | – | Utilize trusted platform modules (TPM), secure elements (SE), and other hardware security modules (HSM) for storing and processing cryptographic secrets. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | – | Use high-iteration, heavy-salt, key derivation functions such as scrypt/jane, bcrypt and PBKDF2 for storing account passwords. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | – | Use sufficiently large, as well as high quality, entropy for encryption routines. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | – | When in question over possible data sensitivity or privacy, just encrypt. | https://www.iotsi.org/security-best-practices
Microsoft | IoT Security Best Practices | Keep authentication keys safe | During deployment, each device requires device IDs and associated authentication keys generated by the cloud service. Keep these keys physically safe even after the deployment. Any compromised key can be used by a malicious device to masquerade as an existing device. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Microsoft | IoT Security Best Practices | Build around secure hardware | If COGS permits, build security features such as secure and encrypted storage, or boot functionality based on Trusted Platform Module (TPM). These features make devices more secure and help protect the overall IoT infrastructure. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

MIT Laboratory for Computer Science | Dos and Don’ts of Client Authentication on the Web | 3.2 Protect passwords | Passwords are the primary means of authenticating users on the Web today. It is important that any Web site guard the passwords of its users carefully. This is especially important since users, when faced with many Web sites requiring passwords, tend to reuse passwords across sites. | http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 6.1 | Sensitive data comprises key material/credentials, privacy related data such as identifiers and other data as identified by the M2M Solution Provider for the purpose of its use case. In order to prevent misuse of sensitive data, it requires protected and secure storage within the termination points of the M2M System. Secure storage capability can be implemented by several means within the network infrastructure nodes and network applications by the M2M Service Provider. In addition it needs to be ensured that secure storage capabilities are present in the termination node residing at the consumer, i.e. in the M2M Device and/or the M2M Gateway, depending on the requirements of the use case. It is highly recommended that M2M Devices/Gateways support a secure and tamper resistant storage capability for sensitive data, in particular when they are physically exposed to potential attackers. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.1 | M2M long-term service-layer keys are stored in a HSM (whose tamper-resistance may be certified) residing within the M2M Device/Gateway which renders it infeasible for the attacker to discover the value of keys by logical or physical means. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.2 | M2M long-term service-layer keys (other than public keys) are securely stored in a server-HSM residing in infrastructure equipment which renders it infeasible for the attacker to discover the value of keys by logical or physical means. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.3 | HSM/server-HSM do not reveal the value of the stored secret keys (other than public keys), even to a management system or to an authorized representative of the M2M System Operator, such as a System Administrator. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.4 | The execution of Sensitive Functions never causes long-term service-layer keys to be exposed outside of the HSM in which they are stored. Sensitive functions may be executed within the HSM. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.6 | Access to and/or modification of stored Sensitive Data and in particular of the long-term service-layer keys requires strong (i.e. cryptographic) authentication of the accessing/modifying entity, followed by authorization. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 17 | Authentication credentials, including but not limited to user passwords, shall be salted, hashed and/or encrypted. Applies to all stored credentials to help prevent unauthorized access and brute force attacks. | https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1 | Secure storage refers to the physical method of housing sensitive or confidential data (“Sensitive Data”). Such data could include but not be limited to symmetric or asymmetric private keys, certificate data, network access credentials, or personal user information. Sensitive Data requires that its integrity be maintained, whereas Critical Sensitive Data requires that both its integrity and confidentiality be maintained. | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1.1 | Hardware secure storage is recommended for use with critical Sensitive Data such as symmetric and asymmetric private keys, access credentials, personal private data. Hardware secure storage most often involves semiconductor-based non-volatile memory (“NVRAM”) and includes countermeasures for protecting against unauthorized access to Critical Sensitive Data. | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1.2 | It is generally NOT recommended to rely solely on software and unsecured memory to store Sensitive Data even if it is encrypted. Critical Sensitive Data such as authentication and encryption keys should be housed in hardware secure storage whenever possible. Sensitive Data stored in volatile and non-volatile memory shall be encrypted using acceptable algorithms to prevent access by unauthorized parties through methods described in section 15.1.1.1. | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1.2 | Isolation of execution of sensitive processes from unauthorized parties/processes. This includes isolation of CPU caches, and all of execution elements that needed to be considered as part of trusted (crypto) boundary. | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf
Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1 | Execution environment elements. Execution environment within a computing device has many components. To perform security functions in a robustness manner, each of these components has to be secured as a separate dimension. For instance, an execution environment performing AES cannot be considered secure if the input path entering keys into the execution engine is not secured, even though the partitions of the CPU, performing the AES encryption, operate in isolation from other processes. Different dimensions referred to as elements of the execution environment are listed below. To qualify as a secure execution environment (SEE), the corresponding SEE element must qualify as secure: (secure) Storage; (Secure) Execution engine; (trusted) Input/output paths; (Secure) Time Source/clock; (random) number generator; (approved) cryptographic algorithms; Hardware Tamper (protection). | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Code of Practice: 5 - Communicate securely


Organisation | Standard / Recommendation Name | Recommendation Number / Section | Recommendation Extracted from Linked Source | Web Link

Alliance for Internet of Things Innovation (AIOTI) | Workshop on Security and Privacy in the Hyper connected World | Basic Requirements on HARDWARE AND COMPONENTS | Interoperability of components and communication protocols. | https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Alliance for Internet of Things Innovation (AIOTI) | Workshop on Security and Privacy in the Hyper connected World | Basic Requirements on INTERFACES, COMMUNICATION, CLOUD | Security and data Management process and clarification of ownership required; easy to adopt; data should also be encrypted on the application layer; all aspects of cryptographic principles and key management are extremely important and should be carefully described. | https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.1 | IoT Devices Should Use Strong Authentication by Default. BITAG recommends that IoT devices be secured by default (e.g. password protected) and not use common or easily guessable user names and passwords (e.g., “admin”, “password”). Finally, authentication for remote access should be secured, as it potentially allows others who are not physically present in the home to monitor and control aspects within the home (e.g., changing climate controls, monitoring user activity). Authentication credentials should be unique to each device. | http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.2 | IoT Devices Should Follow Security & Cryptography Best Practices. BITAG recommends that IoT device manufacturers secure communications using Transport Layer Security (TLS) or Lightweight Cryptography (LWC) [96,97,98]. Some devices can perform symmetric key encryption in near-real time. In addition, Lightweight Cryptography (LWC) provides additional options for securing traffic to and from resource-constrained devices. If devices rely on a public key infrastructure (PKI), then an authorized entity must be able to revoke certificates when they become compromised, as web browsers and PC operating systems do [99,100,101,102,103,104,105]. Cloud services can strengthen the integrity of certificates issued by certificate authorities through, for example, participating in Certificate Transparency [106]. Finally, manufacturers should take care to avoid encryption methods, protocols, and key sizes with known weaknesses. Vendors who rely on cloud-hosted support for IoT devices should configure their servers to follow best practices, such as configuring the TLS implementation to only accept the latest TLS protocol versions. | http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.2 | Encrypt Configuration (Command & Control) Communications By Default. BITAG recommends that all communication for device management take place over an authenticated and secured channel. | http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Broadband Internet Technical Advisory Group (BITAG) | Internet of Things (IoT) Security and Privacy Recommendations | 7.2 | Secure Communications To and From IoT Controllers. If IoT devices use a centralized controller to facilitate over-the-Internet communication with a cloud service, then BITAG recommends this communications channel be secured in both directions. | http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

CableLabs | A Vision for Secure IoT | Authentication, Authorization, and Accountability - Onboarding | Secure authentication, authorization, and accountability minimize the potential for compromising a device or other devices in the local IoT ecosystem during the onboarding process. “Onboarding” is the process by which a new device is connected and added to the network and the local IoT ecosystem. Onboarding includes the processes for authentication, authorization, and accountability (AAA) of that new device. Authentication is the process by which the device identity is verified and confirmed. Authorization determines what network resources the device will have access to. And, accountability is the process that tracks what the device does | https://www.cablelabs.com/insights/vision-secure-iot/

City of New York (NYC) | Guidelines for the Internet of Things | Security 4.2 | IoT systems should utilize established security frameworks, where possible, and ensure communication between components is tightly constrained. | https://iot.cityofnewyork.us/security/

Cloud Security Alliance (CSA) | Future-proofing the connected world: 13 steps to Developing Secure IoT | Products Can Compromise Privacy - 1 | Encrypt all account registration using Transport Layer Security (TLS) | https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Cloud Security Alliance (CSA) | Future-proofing the connected world: 13 steps to Developing Secure IoT | Drones Are Approaching Mainstream Status and Being Used as a Platform for Reconnaissance - 1 | Carefully evaluate the chosen IoT communication protocols for your product and configure in modes that limit the amount of information shared | https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf
Cloud Security Alliance (CSA) | Future-proofing the connected world: 13 steps to Developing Secure IoT | Critical national infrastructure can rely on the IoT ecosystem - 3 | Implement secure interface connectivity within your IoT products | https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Cloud Security Alliance (CSA) | Security Guidance for Early Adopters of the Internet of Things (IoT) | 5.3.2 eighth bullet point | The encryption of data during transport must be able to take into consideration the resource constrained devices and hence must have a small footprint be lightweight instead of the traditional ones to avoid performance bottlenecks. | https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Cloud Security Alliance (CSA) | Security Guidance for Early Adopters of the Internet of Things (IoT) | 5.4.1.2 | Data-in-Transit refers to the sending or receiving of data (application, management commands, status, etc.) over a link or network. Whenever possible, DIT protections should include cryptographic confidentiality (encryption), integrity and authentication algorithms executed by a properly integrated cryptographic module. Well-validated network and/or application security protocols should be utilized to provide end-to-end DIT security whenever possible. | https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Cloud Security Alliance (CSA) | Security Guidance for Early Adopters of the Internet of Things (IoT) | 5.7.3 | Ensure that security data from edge devices and aggregators is encrypted and authenticated during transport. | https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

European Union Agency for Network and Information Security (ENISA) | Security and Resilience of Smart Home Environments | 1 | All stakeholders should reach a consensus on security requirements | https://www.ENISA.europa.eu/publications/security-resilience-good-practices
European Union Agency for Network and Information Security (ENISA) | Security and Resilience of Smart Home Environments | 2 | Industry actors should support security-driven business models | https://www.ENISA.europa.eu/publications/security-resilience-good-practices

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-OP-04 | Use proven solutions, i.e. well known communications protocols and cryptographic algorithms, recognized by the scientific community, etc. Certain proprietary solutions, such as custom cryptographic algorithms, should be avoided. Purely proprietary approaches and standards limit interoperability and can severely hamper the potential of the Digital Single Market. Common open standards will help users access new innovative services, especially for SMEs, the public sector and the scientific community. In particular, the portability of applications and data between different providers is essential to avoid lock-in. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-07 | Use protocols and mechanisms able to represent and manage trust and trust relationships. Each communication channel must be trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions). | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-34 | Ensure a proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of data and information (including control messages), in transit and in rest. Ensure the proper selection of standard and strong encryption algorithms and strong keys, and disable insecure protocols. Verify the robustness of the implementation | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-37 | Support scalable key management schemes. It has to be considered that tiny sensor nodes cannot provide all security features because they have lots of system limitations. Thus, the sensed data carried over infrastructure networks may not have strong encryption or security protection. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-38 | Guarantee the different security aspects -confidentiality (privacy), integrity, availability and authenticity- of the information in transit on the networks or stored in the IoT application or in the Cloud, using data encryption methods to minimise network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-39 | Ensure that communication security is provided using state-of-the-art, standardised security protocols, such as TLS for encryption. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-40 | Ensure credentials are not exposed in internal or external network traffic. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-41
Recommendation Extracted from Linked Source: Guarantee data authenticity to enable trustable exchanges (from data emission to data reception - both ways). Data is often stored, cached, and processed by several nodes; not just sent from point A to point B. For these reasons, data should always be signed whenever and wherever the data is captured and stored.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-52
Recommendation Extracted from Linked Source: Ensure web interfaces fully encrypt the user session, from the device to the backend services, and that they are not susceptible to XSS, CSRF, SQL injection, etc.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 5.2, second bullet point
Recommendation Extracted from Linked Source: Communication protection: communication should be protected against disclosure, modification, replay and denial of service.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 5.2, third bullet point
Recommendation Extracted from Linked Source: Cryptography: Confidentiality, integrity and authenticity must be protected by using strong and standard cryptography. Keys must be managed securely, and the use of a trust infrastructure (such as PKI) is encouraged.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: A.1.3
Recommendation Extracted from Linked Source: The usage of dedicated security mechanisms varies depending on the solution used. Several approaches are taken, from the transport to the applicative layer:
• User authentication/authorization protocols such as OAuth / OpenID, XACML/SAML Single sign-on etc.
• Communication protection protocols such as SSL/TLS over TCP/IP, or DTLS over UDP.
• Usage of cryptographic algorithms to secure transport layer is found amongst many of the communication protocols.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 6.2
Recommendation Extracted from Linked Source: Using a trust infrastructure gives assurance in heterogeneous environments where devices may enter or quit a given network, and cannot necessarily be trusted by default. Smart Home is a good example of environments where trust is needed:
• between the devices; and
• between the devices and remote services.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.19
Recommendation Extracted from Linked Source: Endpoint Communication Security
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Network Operators
Recommendation Number / Section: CLP14_5.2
Recommendation Extracted from Linked Source: This section contains recommendations and best practices for network authentication and link encryption for different wide area networks.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.14-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.4
Recommendation Extracted from Linked Source: Once a root of trust has been established within the TCB, a protocol must be used that incorporates the TCB's capabilities and the root of trust effectively.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.12
Recommendation Extracted from Linked Source: Enforce confidentiality and integrity on the administrative communications channel.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.12
Recommendation Extracted from Linked Source: Diminish the potential for replay of administrative commands by ensuring the communications protocol has adequate entropy by using an industry standard communications protocol.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.4
Recommendation Extracted from Linked Source: All communications to and from the trust anchor should be authenticated and should enforce confidentiality and integrity. The only exception to this model is if the trust anchor is internal to the core of the processor. Any external trust anchor, such as a UICC, can only be trusted if the messages received and sent can be trusted.
To do this, choose trust anchors that are capable of authentication and encryption and validate that all messages containing answers to challenges are sent confidentially and, where possible, with verifiable integrity.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.6.1
Recommendation Extracted from Linked Source: All environments are vulnerable to spoofing. For example, any Cellular radio can signal that it is the owner of any given International Mobile Subscriber Identity (IMSI), whether it is true or not. Any laptop can change its Ethernet address, impersonating other computers on the Local Area Network (LAN). Regardless of whether the topology traverses a physical or an airwave space, a communication Endpoint's identity can be impersonated.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.6.2
Recommendation Extracted from Linked Source: In the 3GPP model, only Endpoints (called User Equipment in 3GPP) are authenticated. Endpoints do not authenticate the base stations they connect to. Thus, any base station can claim to serve on behalf of any Cellular carrier. Individuals capable of manipulating or building a Cellular base station may then impersonate any Cellular carrier of their choosing. A custom Cellular base station currently costs under 1,000 USD to build, but the resultant power only allows the interception of messages in the local area. Once the fake tower is built, the base station can impersonate a local Cellular carrier, and intercept phone calls, text messages, and even data, from Endpoints in the local area.
Newer 3GPP network protocols, such as UMTS and LTE, enforce mutual authentication of both entities. This allows Endpoints to cryptographically verify that the base station is serving on behalf of the Cellular carrier it claims to serve. An adversary must now break the Cellular carrier's cryptography to impersonate a base station, significantly increasing the complexity, difficulty, and cost of an attack.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.6.4
Recommendation Extracted from Linked Source: Bringing up Cellular interrogators helps summarize this section quite adequately by touching on the idea that communications security is not absolute. It only protects the communication channel between two entities. These entities, however, act as gates allowing data to pass in and out of the ecosystems these entities are connected to.
For example, a particular SIM card may be provisioned for use in an industrial control system such as an oil well monitoring device. A SIM card, by design, is a removable component. Anyone with physical access to the oil well monitoring device can extract the SIM card and place it in a laptop. If the laptop has software on it that can simulate the functionality of the oil device, the back-end server will be unable to differentiate between the actual oil device and the laptop. Yet, the laptop will be authenticated to the Cellular network because of the SIM card! Thus, the Cellular network has authenticated the SIM card, but not the laptop.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.6.5
Recommendation Extracted from Linked Source: Each peer in an IoT ecosystem must authenticate all other peers that participate in that ecosystem. To accomplish this, a TCB must be used to ensure that proper cryptographic architecture is driving the communications technology. Mutual authentication can't occur if keys are easily exposed to adversaries. Review the TCB section of this document for more information.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
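Added worked example for CLP13_7.6.4 and CLP13_7.6.5 above (this is not code from the GSMA guidelines or from the DCMS mapping): an application-layer mutual authentication exchange in which the device and the backend each prove possession of a per-device key before either trusts the other. The device ids, the 32-byte secrets and the assumption that the secret is provisioned into the device's TCB rather than into a removable module are the example's own; the point it makes is that the SIM-carrying laptop from CLP13_7.6.4 still fails, because the network credential is not the application credential.

```python
"""Mutual authentication at the application layer with a per-device key.

Added example; it is not code from the GSMA guidelines or the DCMS mapping.
Assumptions: each device is provisioned with its own 32-byte secret held in
its TCB, the backend stores the same secret against the device id, and a
confidential transport such as TLS carries the messages. The ids, keys and
nonces below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _proof(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    # Bound to the prover's role and to both nonces: a captured proof cannot be
    # replayed in another session or reflected back at whoever issued the challenge.
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Backend:
    def __init__(self, device_keys):
        self._keys = device_keys   # device id -> per-device secret
        self._pending = {}         # device id -> (n_dev, n_srv) awaiting the device's proof

    def start(self, device_id: str, n_dev: bytes):
        """Step 2: answer the device's challenge and issue our own."""
        key = self._keys.get(device_id)
        if key is None or len(n_dev) != NONCE_LEN:
            return None            # unknown identity or malformed challenge
        n_srv = secrets.token_bytes(NONCE_LEN)
        self._pending[device_id] = (n_dev, n_srv)   # a real backend would expire these
        return n_srv, _proof(key, b"server", n_srv, n_dev)

    def finish(self, device_id: str, dev_proof: bytes) -> bool:
        """Step 4: check the device's proof against the nonces we remember."""
        pending = self._pending.pop(device_id, None)
        if pending is None:
            return False
        n_dev, n_srv = pending
        expected = _proof(self._keys[device_id], b"device", n_dev, n_srv)
        return hmac.compare_digest(expected, dev_proof)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key            # lives in the TCB and never leaves the device
        self._n_dev = None

    def challenge(self) -> bytes:
        """Step 1: send our identity with a fresh nonce."""
        self._n_dev = secrets.token_bytes(NONCE_LEN)
        return self._n_dev

    def respond(self, n_srv: bytes, srv_proof: bytes):
        """Step 3: verify the backend first; only then prove ourselves."""
        expected = _proof(self._key, b"server", n_srv, self._n_dev)
        if not hmac.compare_digest(expected, srv_proof):
            return None            # the other end did not prove knowledge of our key
        return _proof(self._key, b"device", self._n_dev, n_srv)


def mutual_auth(device: Device, backend: Backend) -> bool:
    """Run the four-message exchange; True only when both sides authenticated."""
    n_dev = device.challenge()                       # Device  -> Backend: id, n_dev
    reply = backend.start(device.device_id, n_dev)   # Backend -> Device: n_srv, proof
    if reply is None:
        return False
    n_srv, srv_proof = reply
    dev_proof = device.respond(n_srv, srv_proof)     # Device  -> Backend: proof
    if dev_proof is None:
        return False
    return backend.finish(device.device_id, dev_proof)


# Constructed key material for the demonstration.
DEVICE_KEYS = {"dev-0001": bytes.fromhex("0f" * 32), "dev-0002": bytes.fromhex("a5" * 32)}

if __name__ == "__main__":
    backend = Backend(DEVICE_KEYS)
    print("genuine device:", mutual_auth(Device("dev-0001", DEVICE_KEYS["dev-0001"]), backend))
    # A laptop holding dev-0001's removable SIM has the network credential but not
    # the application key, so it cannot answer the backend's challenge.
    print("cloned identity:", mutual_auth(Device("dev-0001", bytes(32)), backend))
```

The device verifies the backend's proof before releasing its own, so a rogue base station or impostor server that cannot answer the device's challenge learns nothing usable; the role tag inside the HMAC input stops a challenge from being bounced back to its author as an answer. With the secret in a secure element the same exchange can be driven by a signature rather than an HMAC, which also removes the need for the backend to hold a forgery-capable copy of each key.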
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.9
Recommendation Extracted from Linked Source: Endpoints, especially Gateways, or Endpoints acting as Gateways, must be capable of enforcing communications security even in environments where connectivity to the back-end network is unavailable. Regardless of whether this lack of connectivity is temporary or not, the Gateway or Endpoint must be capable of enforcing security as if the back-end system were available.
To achieve this, the TCB must be used to authenticate all peers that the Endpoint must communicate privacy-centric, configuration, or command data to. The TCB can be used to ensure that messages sent and received from peers are being sent and received from an entity that has been provisioned by the same organization. This reduces the likelihood that an adversarial device is being communicated with.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.2
Recommendation Extracted from Linked Source: All technology deployed in an IoT environment must use cryptography, regardless of whether the technology is a rudimentary low-power endpoint, or a robust Cloud service. To properly implement security in an IoT product or service, the cryptography used must be well architected, managed, and adjusted to meet changing specifications over time.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.3
Recommendation Extracted from Linked Source: Each system in the Service Ecosystem must be capable of mutual authentication. No computing platforms within this ecosystem should be accessible to anonymous public users. Each Endpoint, Partner, or User will communicate with the Service Ecosystem through technologies that require mutual authentication. Since the services that make up the user interface are typically deployed and managed in a separate environment, the publicly accessible interface must be confined to that space. The Service Ecosystem, however, comprises the set of all systems used to deploy service to all authenticated resources.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.4
Recommendation Extracted from Linked Source: Network Operators, when used as partners, allow users to be authenticated using tokens specific to the network operator. While these tokens, present in the Network Operator's UICC, authenticate a user to the network layer, they don't necessarily authenticate the user at the application layer.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.8
Recommendation Extracted from Linked Source: A user interface should never authenticate a user directly. The system must always be able to authenticate the user by using the centrally available service. The only exception to this rule is if an application running on a mobile device is guarded by a local passcode. This passcode may be used to access the local application. However, access to remote services and resources should be verified by a separate authentication token.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.14
Recommendation Extracted from Linked Source: Communications privacy is a slightly different topic than application privacy (described above) or communications information security. While privacy is largely evaluated from the ability for third parties to effectively read or intercept data, confidentiality and integrity do not represent the full scope of communications privacy.
Other issues that affect communications privacy include:
• Cryptographic uniqueness of each message
• Transmission patterns
• Plaintext metadata
• Hardware addresses or attributable serial numbers
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: IEEE
Standard / Recommendation Name: IoT Security Principles and Best Practices
Recommendation Number / Section: 6
Recommendation Extracted from Linked Source: Even if device passwords are secure, communications between devices may be hackable. In the IoT there are many protocols, including Bluetooth, Zigbee, Z-Wave, 6LoWPAN, Thread, Wi-Fi, cellular, NFC, Sigfox, Neul, and LoRaWAN. Depending on the protocol and on available computing resources, a device may be more or less able to use strong encryption. Manufacturers should examine their situation on a case-by-case basis and use the strongest encryption possible, preferably IPsec and/or TLS/SSL.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.4
Recommendation Extracted from Linked Source: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Communicating Endpoints Protection provides some of the functional security building blocks, such as cryptographic keys, to secure communication between endpoints.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.4
Recommendation Extracted from Linked Source: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Cryptographic Protection uses cryptographic technologies to protect authenticity of communicating parties and integrity and confidentiality of exchanged data and metadata.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.4
Recommendation Extracted from Linked Source: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Data-in-Motion Protection provides controls to preserve the integrity, confidentiality and availability of its data.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.7
Recommendation Extracted from Linked Source: DATA PROTECTION. Data, whether in-motion, in-use, or at-rest, must be protected against unauthorized access and uncontrolled changes by applying functions such as confidentiality controls, integrity controls, access control, isolation and replication. The level of protection should be commensurate with the impact of data loss or falsification, and the retention period should be defined.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.8
Recommendation Extracted from Linked Source: SECURITY MODEL AND POLICY. The Security Policy includes policies for the system and sub-policies for the endpoint protection, communications and connectivity protection, security monitoring and analysis, security configuration and management and data protection (see individual sections 7.3 to 7.7). The system threat analysis enables the creation of the security objectives for the system, derived from regulations and standards. From these objectives, the applicable security policies are selected based on the industry vertical, customer base, geographic location and other considerations. The security policy describes the overall business-risk considerations and defines the guidelines for securing the day-to-day proper functioning of the system. This policy is then transformed into a security model, and determines and drives requirements to the functionality of the building blocks of the security framework. For example, each machine-level security policy specifically covers the security policies associated with the endpoint and the devices it may be connected to or in control of.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Extracted from Linked Source: ENDPOINT AUTHENTICATION. The process of establishing trust through endpoint authentication, or identity assertion of the remote endpoint, has several steps. First, an attestation must be made that the credentials are of the proper level of strength, and that they are in the possession of the appropriate entity. Then, the actual value of data in the credential is evaluated for correctness. Finally, validity of the credential must be tested to ensure that the credential is not suspended, revoked or expired.
All successful authentication attempts do not result in the same level of trust in the identity of the remote endpoint. There are different levels of entity identity assurance based on what type of credential is applied to that authentication, how the credential is stored, and what actual authentication technique is implemented. Strong cryptographic credentials are recommended for most endpoints. In addition, credentials should be stored in the strongest storage available, ideally in trusted hardware.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.8
Recommendation Extracted from Linked Source: ENDPOINT DATA PROTECTION. Securing data in endpoints involves data-at-rest (DAR) and data-in-use (DIU). The protection strategy for data-in-motion (DIM) differs at the edge, the cloud, and in the communications. Cryptography enforces data confidentiality and ensures integrity of the data. It may be used on all the data, only the sensitive portions or the entire storage medium. In practice, multiple data protection techniques may be applied simultaneously, providing protection from different types of attacks.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.11
Recommendation Extracted from Linked Source: CRYPTOGRAPHY TECHNIQUES FOR ENDPOINT PROTECTION. Endpoints must always use standard cryptographic algorithms. These algorithms should be implemented utilizing safe-coding practices, and whenever possible, with libraries that are updated and maintained regularly. Creating cryptographic algorithms without a public evaluation should be avoided.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 9.1
Recommendation Extracted from Linked Source: CRYPTOGRAPHIC PROTECTION OF COMMUNICATIONS & CONNECTIVITY. Most IIoT applications should use standardized protocols whose functionality, including security and cryptography, have been evaluated and tested. IIC's 'Industrial Internet Reference Architecture' identifies and discusses requirements for IIoT core connectivity protocols.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 9.1.2
Recommendation Extracted from Linked Source: BUILDING BLOCKS FOR PROTECTING EXCHANGED CONTENT. Where possible, information exchange security among communicating endpoints for sensitive networks and equipment should employ:
• explicit endpoint communication policies,
• cryptographically strong mutual authentication between endpoints,
• authorization mechanisms that enforce access control rules derived from the policy and
• cryptographically backed mechanisms to ensure confidentiality, integrity and freshness of exchanged information
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
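Added worked example for ENISA GP-TM-41 (sign data whenever and wherever it is captured), GSMA CLP13_6.12 (replay of administrative commands), the ENISA Smart Home bullet on replay, and the "integrity and freshness" bullet of IIC 9.1.2 above (not code from any of those documents or from the DCMS mapping): a reading is authenticated at capture with a per-device key, a monotonic counter and a per-message nonce, and the collector rejects anything tampered, replayed or stale before it touches its own state. The symmetric key, the counter kept across reboots and the message layout are assumptions of the example; where the collector must not itself be able to forge readings, the HMAC tag would be a signature under a private key generated on the device.

```python
"""Signing data at capture with replay protection (added example).

Not taken from the ENISA, GSMA or IIC documents. Assumptions: a symmetric
per-device key shared between sensor and collector, a monotonic counter the
sensor keeps across reboots, and a collector that remembers the highest
counter accepted per device. Keys, ids and readings are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

TAG_LEN = 32              # HMAC-SHA256 tag
NONCE_LEN = 8             # per-message random bytes
HDR_FIXED = 8 + NONCE_LEN  # uint64 big-endian counter + nonce


def seal(key: bytes, device_id: str, counter: int, reading: dict) -> bytes:
    """Produce id NUL counter nonce payload tag, authenticated as one unit.

    The counter gives the collector an ordering with which to reject replays;
    the nonce makes two sealings of an identical reading differ on the wire,
    so an observer cannot tell from the bytes that the value is unchanged.
    """
    if "\x00" in device_id:
        raise ValueError("device id must not contain NUL")
    payload = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    header = (device_id.encode() + b"\x00" + struct.pack(">Q", counter)
              + secrets.token_bytes(NONCE_LEN))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Collector:
    """Accepts a sealed reading once, in order, and only under a known key."""

    def __init__(self, device_keys: dict):
        self._keys = device_keys
        self._last_counter = {}

    def accept(self, message: bytes):
        """Return the reading if authentic and fresh, otherwise None."""
        sep = message.find(b"\x00")
        if sep < 0:
            return None
        device_id = message[:sep].decode(errors="replace")
        key = self._keys.get(device_id)
        if key is None or len(message) < sep + 1 + HDR_FIXED + TAG_LEN:
            return None
        signed, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        # Verify before interpreting anything else: an unauthenticated message
        # must not be able to move the per-device counter state.
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        counter = struct.unpack(">Q", signed[sep + 1:sep + 9])[0]
        if counter <= self._last_counter.get(device_id, -1):
            return None   # replay, or older than something already accepted
        self._last_counter[device_id] = counter
        return json.loads(signed[sep + 1 + HDR_FIXED:])


if __name__ == "__main__":
    key = bytes.fromhex("11" * 32)          # constructed per-device key
    collector = Collector({"sensor-7": key})
    first = seal(key, "sensor-7", 1, {"temp_c": 21.5})
    print("fresh:", collector.accept(first))
    print("replayed:", collector.accept(first))
```

The receiver checks the tag before it parses the counter, so an attacker who cannot forge tags cannot advance or poison the collector's counter table; the "strictly greater" rule means a message delayed behind a newer one is dropped rather than accepted out of order, which is the intended trade-off for command and configuration traffic. Devices that lose their counter on reset need the counter in non-volatile storage or a resynchronisation step, otherwise their own genuine readings are rejected as replays.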
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 9.1.3
Recommendation Extracted from Linked Source: CONNECTIVITY STANDARDS AND SECURITY. A core connectivity technology, as defined in 'Industrial Internet of Things, Volume G5: Connectivity Framework', should:
• be an open standard with strong independent, international governance, such as IEEE, IETF, OASIS, OMG, or W3C,
• be horizontal and neutral in its applicability across industries,
• be applicable, stable and proven across multiple industries and
• have standard-defined gateways to all other connectivity standards.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Intel
Standard / Recommendation Name: Policy Framework for the Internet of Things (IoT)
Recommendation Number / Section: Privacy and Security
Recommendation Extracted from Linked Source: For trusted data exchange in an IoT ecosystem, data generated by devices and existing infrastructure must be able to be shared between the cloud, the network, and intelligent devices for analysis, enabling users to aggregate, filter, and share data from the edge to the cloud with robust protection.
Web Link: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf
Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.1
Recommendation Extracted from Linked Source: Remote access capabilities as well as secure connectivity need to be implemented end-to-end, with particular implications at the device and edge levels. Hence, reliable, secure and trustworthy connectivity is integral from device to platform, as are authentication and access control.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf

Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.6.1.1
Recommendation Extracted from Linked Source: Technologies are required to ensure data integrity and data authenticity as well as data delivery and processing without interferences and manipulations. This mainly requires scalable and efficient technologies beyond heavy-weight public key infrastructures (PKIs) to identify devices and smart objects in future IoT systems.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf

Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.6.1.2
Recommendation Extracted from Linked Source: Once communication is introduced, even at a low level (such as in wireless sensor networks), the potential surfaces for privacy breaches increase. Because sensors usually have extremely limited computational and storage capabilities (if any at all), novel methods of securing the contents of a data stream, such as embedded and light-weight encryption, are required.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.1.2
Recommendation Extracted from Linked Source: Standard or well-established, mature algorithms for cryptographic functions (such as symmetric encryption, public-key encryption, digital signatures, cryptographic hash / message integrity check) MUST be used.
Explanation: A tremendous amount of subtlety must be understood in order to construct cryptographic algorithms that are resistant to attack. A very few people in the world have the knowledge required to construct or analyze robust new cryptographic algorithms, and even then, many knowledgeable people have constructed algorithms that were found to be flawed within a short time.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.1.3
Recommendation Extracted from Linked Source: Standard protocols for authentication, encryption, and other means of assuring security SHOULD be used whenever apparently-robust, applicable protocols exist.
Explanation: The amount of expertise required to design robust security protocols is comparable to that required to design robust cryptographic algorithms. However, there are sometimes use cases for which no existing standard protocol may be suitable. In these cases it may be necessary to adapt an existing protocol for a new use case, or even to design a new security protocol.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.3.1
Recommendation Extracted from Linked Source: Internet-connected devices SHOULD support the capability to encrypt traffic sent to or from the device. Any information transmitted over a network is potentially sensitive to some customers. For example, even a home temperature monitoring sensor may reveal information about when occupants are away from home, when they wake up and when they go to bed, when and how often they cook meals - all of which are useful to, say, a thief.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.3.2
Recommendation Extracted from Linked Source: If a device supports encryption and use of encryption is optional, the device SHOULD be configurable to require encryption, and this SHOULD be the default.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.5
Recommendation Extracted from Linked Source: If public key cryptography is used by the device to authenticate itself to other devices or parties, each device MUST be instantiated with its own unique private key or keys. In many cases it will be necessary for the vendor to sign such keys or arrange for them to be signed by a trusted party, prior to shipping the device.
Per-device private keys SHOULD be generated on the device and never exposed outside the device.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.1.3
Recommendation Extracted from Linked Source: Services such as confidentiality and integrity protection on packet data, message authentication codes or encryption are typically used to provide end-to-end security. These protection methods render the protected parts of the packets immutable as rewriting is either not possible because a) the relevant information is encrypted and inaccessible to the gateway or b) rewriting integrity-protected parts of the packet would invalidate the end-to-end integrity protection.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: Internet Society (ISOC)
Standard / Recommendation Name: The Internet of Things: An Internet Society Public Policy Briefing
Recommendation Number / Section: Interoperability and standards
Recommendation Extracted from Linked Source: The Internet Society believes that greater interoperability and the use of generic, open, voluntary, and widely available standards as technical building blocks for IoT devices and services (such as the Internet Protocol, or IP) will support greater user benefits, innovation, and economic opportunity.
Web Link: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf
Organisation: Internet Society (ISOC)
Standard / Recommendation Name: The Internet of Things: An Internet Society Public Policy Briefing
Recommendation Number / Section: Encourage a collaborative approach to IoT security
Recommendation Extracted from Linked Source: The Internet Society believes that IoT security is the collective responsibility of all who develop and use IoT devices. Participants in the IoT space should adopt a collaborative approach to security among its broad, multistakeholder community by assuming responsibility, sharing best practices and lessons learned, encouraging security dialog, and emphasizing the development of flexible, shared security solutions that can adapt and evolve as threats change over time. IoT security policy should focus on empowering players to address security issues close to where they occur, rather than centralizing IoT security among a few, while also preserving the fundamental properties of the Internet and user rights.
Web Link: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.15
Recommendation Extracted from Linked Source: The software must be architected to identify and ring fence sensitive software components, including cryptographic processes, to aid inspection, review and test. The access from other software components must be controlled and restricted to known and acceptable operations. For example security related processes should be executed at higher privilege levels in the application processor hardware.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.21
Recommendation Extracted from Linked Source: Where the device software communicates with a product related webserver or application over TCP/IP or UDP/IP, the device software uses certificate pinning or public/private key equivalent, where appropriate.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

https://www.iotsecurityfoundation.org/w
IoT Security p-content/uploads/2017/12/IoT-
IoT Security Compliance The device remains secure and maintains state during a side Security-Compliance-
Foundation Framework 1.1 2.4.5.22 channel attack. Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.1
The product prevents unauthorised connections to it or other devices the product is connected to. For example is there a firewall on each interface and internet layer protocol.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.2
The network component and firewall (if applicable) configuration has been reviewed and documented for the required/defined secure behaviour.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.4
Devices support only the latest versions of application layer protocols with no publicly known vulnerabilities and it should not be possible to downgrade a connection to an older, less secure version.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.5
Insecure and unauthenticated application layer protocols (such as TELNET, FTP, HTTP, SMTP and NTP < v4) are not used.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.7
If a connection requires a password or passcode or passkey for connection authentication, the factory issued or reset password is unique to each device and is not derived e.g. from serial numbers. Examples are WiFi access passwords and Bluetooth PINs.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.8
Where a wireless communications interface requires an initial pairing process, a Strong Authentication shall be used, requiring physical interaction with the device or possession of a shared secret. For example, Bluetooth Numeric Comparison.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.10
For any WiFi connection, WPA2 with AES or a similar strength encryption has been used and insecure protocols such as WPA and TKIP are disabled.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.11
Where WPA2 WPS is used it has a unique, random key per device and enforces exponentially increasing retry attempt delays.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.12
All network communications keys are stored securely, in accordance with industry standards such as FIPS 140 [5] or similar.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.13
Where the MQTT protocol is used, it is protected by a TLS connection with no known cipher vulnerabilities.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.14
Where the CoAP protocol is used, it is protected by a DTLS connection with no known cipher vulnerabilities.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.15
Where cryptographic suites are used such as TLS, all cipher suites shall be listed and validated against the current security recommendations such as NIST 800-131A [2] or OWASP. Where insecure cipher suites are identified they shall be removed from the product.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.17
Where there is a loss of communications it shall not compromise the integrity of the device.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.18
The product only enables the communications interfaces, network protocols, application protocols and network services necessary for the product's operation.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.19
Communications protocols should be at the most secure versions available and/or appropriate for the product. For example, Bluetooth 4.2 rather than 4.0.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.20
Post product launch communications protocols should be maintained to the most secure versions available and/or appropriate for the product.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.1
A true random number generator source is exclusively used for all relevant cryptographic operations including nonce, initialisation vector and key generation algorithms. NIST SP 800-90A [3]
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.2
The true random number generator source has been validated for true randomness using an NIST SP800-22 [4], FIPS 140-2 [5] or similar compliance process.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.3
There is a process for secure provisioning of keys that includes generation, distribution, revocation and destruction. For example in compliance with FIPS140-2 [5] or similar process.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.4
There is a secure method of key insertion that protects keys against copying.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.5
All the product related cryptographic functions have no publicly known unmitigated weaknesses, for example MD5 and SHA-1 are not used, e.g. those stipulated in NIST SP800-131A [2].
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.6
All the product related cryptographic functions are sufficiently secure for the lifecycle of the product, e.g. those stipulated in NIST SP800-131A [2].
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.7
The product stores all sensitive unencrypted parameters (e.g. keys) in a secure, tamper-resistant location.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.9.9
In device manufacture all asymmetric encryption private keys that are unique to each device are secured in accordance with FIPS 140 [5] and truly randomly internally generated or securely programmed into each device.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.11.4
Where the application communicates with a product related remote server(s) or device it does so over a secure connection such as a TLS connection using certificate pinning.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.12.2
The product/service ensures that all Personal Information is encrypted at rest and in transit.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.4
All the product related web servers' TLS certificate(s) are signed by trusted certificate authorities; are within their validity period; and processes are in place for their renewal.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.5
The Product Manufacturer or Service Provider has a process to monitor the relevant security advisories to ensure all the product related web servers use protocols with no publicly known weaknesses.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.6
The product related web servers support appropriately secure TLS/DTLS ciphers and disable / remove support for deprecated ciphers. For example those published at ENISA [27], SSL Labs [29], IETF RFC7525 [28]:
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.7
The product related web servers have repeated renegotiation of TLS connections disabled.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.9
Where a product related to a webserver encrypts communications using TLS and requests a client certificate, the server(s) only establishes a connection if the client certificate and its chain of trust are valid.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.10
Where a product related to a webserver encrypts communications using TLS, certificate pinning is implemented. For example using OWASP, https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning or similar organisations' certificate and public key pinning guidance.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Initiative | Security Design Best Practices
Implement end-to-end security and privacy of system data and operations; from fielded devices, to the server, to the end-user on a management web portal.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Restrict system and network communications to only known, authorized system components where able.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Utilize two-factor authenticated and encrypted remote management services.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Do not build your own encryption functions – and have encryption implementations security-reviewed.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Whitelist and control both ingress and egress of device/system communications where able.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Use whitelisting methods over blacklisting when feasible.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Implement application data layer encryption in addition to communications link layer encryption for higher risk data communications.
Web Link: https://www.iotsi.org/security-best-practices
IoT Security Initiative | Security Design Best Practices
Utilize mutually authenticated and encrypted RF communications.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
Ensure the identity, authenticity, and integrity of communicated data by authenticating both the communication link and the data communicated.
Web Link: https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices
When in question over possible data sensitivity or privacy, just encrypt.
Web Link: https://www.iotsi.org/security-best-practices

MIT Laboratory for Computer Science | Dos and Don'ts of Client Authentication on the Web | 3.1 Use cryptography appropriately
Use of cryptography is critical to providing authentication. Without the use of cryptography, it is not possible to protect a system from the weakest of adversaries.
Web Link: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

MIT Laboratory for Computer Science | Dos and Don'ts of Client Authentication on the Web | 3.3 Handle authenticators carefully
Authenticators are the workhorse of any authentication scheme. These are the tokens presented by the client to gain access to the system. As discussed above, authenticators protect passwords by being a short-term secret; the authenticator can be changed at any time whereas passwords are much less convenient to change.
Web Link: http://pdos.csail.mit.edu/papers/webauth:sec10.pdf

Object Management Group (OMG) Cloud Standards Customer Council (CSCC) | Cloud Customer Architecture for IoT | Data Protection
Data in the device, in flight throughout the public network, provider cloud, and enterprise network, as well as at rest in a variety of locations and formats must be protected from inappropriate access and use. Multiple methods can be utilized, and indeed, in many cases, multiple methods are applied simultaneously to provide different levels of protection of data against different types of threats or isolation from different entities supporting the system.
Web Link: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf
oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 6.3
As many M2M Applications generate and exchange sensitive data, and essential M2M Services deal with the routing and exploitation of such information, the M2M System needs to be able to support security services such as ensuring availability, mutual authentication between communicating parties, confidentiality (e.g. protection against eavesdropping by unauthorized parties), integrity (i.e. protection against manipulation) and access control.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.7
A security association is established between the communicating entities, which provides mutual authentication, integrity and confidentiality.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.8
The security association between communicating entities uses protocols which are proven to resist man-in-the-middle attacks.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.9
Communications whose security is anchored in M2M Service Layer keys use session keys, i.e. keys with a limited lifetime which can be set by security policy. Session keys can be derived from M2M Service-layer keys.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.10
The protocol includes functionality to detect if all or part of a message is an unauthorized repeat of an earlier message or part of a message.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.19
Establish Secure Communications Link/security association between relevant entities/nodes using modern cryptographic algorithms.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.24
Ensure appropriate strong standard algorithms and strong keys are used, and key management is in place.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 2
Ensure devices and associated applications support current generally accepted security and cryptography protocols and best practices. All personally identifiable data in transit and in storage must be encrypted using current generally accepted security standards. This includes but is not limited to wired, Wi-Fi, and Bluetooth connections.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 3
All IoT support websites must fully encrypt the user session from the device to the backend services. Current best practices include HTTPS and HTTP Strict Transport Security (HSTS) by default, also known as AOSSL or Always On SSL. Devices should include mechanisms to reliably authenticate their backend services and supporting applications.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 34
End-user communications, including but not limited to email and SMS, must adopt authentication protocols to help prevent spearphishing and spoofing. Domains should implement SPF, DKIM and DMARC for all security and privacy-related communications and notices as well as for parked domains and those that never send email.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 36
IoT vendors using email communication should adopt transport-level confidentiality, including generally accepted security techniques to aid in securing communications and enhancing the privacy and integrity of the message (also referred to as "Opportunistic TLS for email").
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.5
An important aspect of security of the entire ecosystem is the robustness of publicly vetted and peer-reviewed (e.g. NIST-approved) cryptographic algorithms. Security is not achieved by obscurity of the cryptographic algorithm. To ensure both interoperability and security, not only widely accepted cryptographic algorithms must be used, but also a list of approved cryptographic functions must be specified explicitly. As new algorithms are NIST approved or old algorithms are deprecated, the list of approved algorithms must be maintained by OIC. All other algorithms (even if they are deemed stronger by some parties) must be considered non-approved.
Web Link: https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.1.3, 1)
FIPS Random Number Generator ("RNG") – Insufficient randomness or entropy in the RNG used for authentication challenges can substantially degrade security strength. For this reason, it is recommended that a FIPS 800-90A-compliant RNG with a certified noise source be used for all authentication challenges.
Web Link: https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Web Application Security Project (OWASP) | OWASP Secure Coding Practices Quick Reference Guide | Cryptographic Practices
All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., the server).
Protect master secrets from unauthorized access.
Cryptographic modules should fail securely.
All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module's approved random number generator when these random values are intended to be un-guessable.
Cryptographic modules used by the application should be compliant to FIPS 140-2 or an equivalent standard. (See http://csrc.nist.gov/groups/STM/cmvp/validation.html)
Establish and utilize a policy and process for how cryptographic keys will be managed.
Web Link: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Open Web Application Security Project (OWASP) | IoT Security Guidance | I1: Insecure Web Interface
Ensure that any web interface has the ability to use HTTPS to protect transmitted information.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I4: Lack of Transport Encryption
Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I4: Lack of Transport Encryption
Use recommended and accepted encryption practices and avoid proprietary protocols.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I4: Lack of Transport Encryption
Ensure SSL/TLS implementations are up to date and properly configured.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I4: Lack of Transport Encryption
Consider making a firewall option available for the product.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I6: Insecure Cloud Interface
Ensure that all cloud interfaces use transport encryption.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance
Open Web Application Security Project (OWASP) | IoT Security Guidance | I7: Insecure Mobile Interface
Ensure that any mobile application uses transport encryption.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I8: Insufficient Security Configurability
Ensure encryption options are made available (e.g. enabling AES-256 where AES-128 is the default setting).
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Symantec | An Internet of Things Security Reference Architecture
Security rests on fundamentals. Encryption, authentication, and "key management" are invariably the foundation of meaningfully resilient security. Fortunately, some great open source libraries perform encryption really well, even in resource constrained IoT devices. Unfortunately, most companies still take dangerous risks attempting to do the key management for IoT entirely on their own. In contrast, roughly $4 billion per day of e-commerce transactions are protected by a simple but strong trust model serving billions of users, and serving over a million companies worldwide. This "trust model" helps their systems safely authenticate systems of other companies and safely start encrypted communications with those systems.
Web Link: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf

US National Institute of Standards and Technology (NIST) | NIST SP.800-160 Systems Security Engineering | F1.17
Secure Distributed Composition. The principle of secure distributed composition states that the composition of distributed components that enforce the same security policy should result in a system that enforces that policy at least as well as the individual components do. Many of the design principles for secure systems deal with how components can or should interact.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
Department for Digital, Culture, Media and Sport 116
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security


Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.18
Recommendation Extracted from Linked Source: Trusted Communication Channels. The principle of trusted communication channels states that when composing a system where there is a potential threat to communications between components (i.e., the interconnections between components), each communication channel must be trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions).
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US Senate
Standard / Recommendation Name: S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017 (Bill)
Recommendation Number / Section: SEC.3 (a) (1) (A) (i) (III)
Recommendation Extracted from Linked Source: IN GENERAL.—A clause that requires the contractor providing the Internet-connected device to provide written certification that the device—(III) uses only non-deprecated industry-standard protocols and technologies for functions such as—
(aa) communications, such as standard ports for network traffic;
(bb) encryption; and
(cc) interconnection with other devices or peripherals; and
Web Link: https://www.congress.gov/bill/115th-congress/senate-bill/1691/text?format=txt

Organisation: W3C
Standard / Recommendation Name: Web of Things (WoT) Security and Privacy Considerations
Recommendation Number / Section: 4.1.2
Recommendation Extracted from Linked Source: Use Secure Transports. When defining protocols for APIs exposed by a TD, it is often important to use secure protocols guaranteeing data authenticity and confidentiality.
Web Link: https://www.w3.org/TR/wot-security/#recommended-security-practices

Code of Practice: 6 - Minimise exposed attack surfaces


Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Basic Requirements on HARDWARE AND COMPONENTS
Recommendation Extracted from Linked Source: IoT devices should only be able to perform documented functions, making sense for device/service.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf


Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation Extracted from Linked Source: No ancillary services. A device should not offer any services to the network that it does not require to support its core functions.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf


Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation Extracted from Linked Source: No backdoors. A device should not have hidden or known entry points that can be easily exploited by the device vendor or others.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: Atlantic Council Scowcroft Center for Strategy and Security
Standard / Recommendation Name: Smart Homes and the Internet of Things (issue brief)
Recommendation Extracted from Linked Source: A published commitment to integrating security throughout the development, manufacturing, and deployment life cycle. Key elements, such as adversarial threat modeling, resilience testing, and reduced elective complexity, lower costs and shorten the timeline of securing IoT devices.
Web Link: http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf


Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.2
Recommendation Extracted from Linked Source: Close Unnecessary Ports and Disable Unnecessary Services. BITAG recommends that device manufacturers close unnecessary ports, such as telnet, as unnecessary ports may be unsecured or can otherwise become compromised [107]. Devices should close or disable administrative interfaces and functions that are not being used. Devices should also not ship with drivers that the device is not using.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.3
Recommendation Extracted from Linked Source: IoT Devices Should Be Restrictive Rather Than Permissive in Communicating. BITAG recommends that IoT devices communicate only with trusted endpoints. When possible, devices should not be reachable via inbound connections by default. IoT devices should not rely on the network firewall alone to restrict communication, as some communication between devices within the home may not necessarily traverse the firewall.

Note that a BITAG recommendation to restrict the configuration of IoT device communications should not come at the cost of an open ecosystem. A user should be able to configure communications between arbitrary IoT devices, and devices that trust one another should be allowed to communicate. Secure communications can bootstrap restricted trust lists that reflect the set of devices with which any given device expects to communicate. These inter-device communications should only be permitted through trusted mechanisms and secure communication channels.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf


Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Security 4.1
Recommendation Extracted from Linked Source: IoT systems should be designed with an explicit focus on minimizing security risks (e.g. unauthorized operation or hacking, system faults, tampering, and environmental risks), limiting the potential impact from a security breach (e.g. the release of personally identifiable information), and ensuring that any compromises can be quickly detected and managed.
Web Link: https://iot.cityofnewyork.us/security/


Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Security 4.4
Recommendation Extracted from Linked Source: All data should be protected in transit and at rest, and systems should be secured against unauthorized access or operation. Data storage mechanisms must not be easily removed from devices and systems must not have vulnerable external interfaces (e.g. unsecured USB ports).
Web Link: https://iot.cityofnewyork.us/security/


Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: The low price point increases the potential adversary pool - 1
Recommendation Extracted from Linked Source: Consider physical safeguards such as tamper detection to guard against physical access to sensitive internals.
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf


Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: The low price point increases the potential adversary pool - 2
Recommendation Extracted from Linked Source: Lock-down physical ports (including test ports) on the product using passwords.
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf


Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Future-proofing the connected world: 13 steps to Developing Secure IoT
Recommendation Number / Section: Medical Devices and Medical Standard Protocols are Vulnerable to Attack - 2
Recommendation Extracted from Linked Source: Authenticate access to all ports.
Web Link: https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf


Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-02
Recommendation Extracted from Linked Source: Use hardware that incorporates security features to strengthen the protection and integrity of the device – for example, specialised security chips / coprocessors that integrate security at the transistor level, embedded in the processor, providing, among other things, a trusted storage of device identity and authentication means, protection of keys at rest and in use, and preventing unprivileged from accessing to security
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-08
Recommendation Extracted from Linked Source: Enable security by default. Any applicable security features should be enabled by default, and any unused or insecure functionalities should be disabled by default.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot


Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-27
Recommendation Extracted from Linked Source: Limit permissions of the allowed actions for a given system (e.g., the information owner or the database administrator determines who can update a shared file accessed by a group of online users). Implement fine-grained authorisation mechanisms - such as Attribute-Based Access Control (ABAC) or Role-Based Access Control (RBAC) - for executing privileged actions, access to files and directories, applications, etc. Use the Principle of least privilege (POLP): applications must operate at the lowest privilege level possible.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-28
Recommendation Extracted from Linked Source: Device firmware should be designed to isolate privileged code, processes and data from portions of the firmware that do not need access to them, and device hardware should provide isolation concepts to prevent unprivileged from accessing security sensitive code, in order to minimise the potential for compromised code to access those code and/or data.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-32
Recommendation Extracted from Linked Source: Ensure that the device cannot be easily disassembled and that the data storage medium is encrypted at rest and cannot be easily removed. There should be mechanisms to control device security settings, such as remotely locking or erasing contents of a device if the device has been stolen.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-33
Recommendation Extracted from Linked Source: Ensure that devices only feature the essential physical external ports (such as USB) necessary for them to function and that the test/debug modes are secure, so they cannot be used to maliciously access the devices. In general, lock down physical ports to only trusted connections.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-50
Recommendation Extracted from Linked Source: Ensure only necessary ports are exposed and available.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-47
Recommendation Extracted from Linked Source: Risk Segmentation - Splitting network elements into separate components to help isolate security breaches and minimise overall risk. Networks can be divided into isolated subnetworks to boost performance and improve security.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-45
Recommendation Extracted from Linked Source: Disable specific ports and/or network connections for selective connectivity. If necessary, provide users with guidelines to perform this process in the final implementation.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-44
Recommendation Extracted from Linked Source: Make intentional connections. Prevent unauthorised connections to it or other devices the product is connected to, at all levels of the protocols. IoT devices must provide notice and/or request a user confirmation when initially pairing, onboarding, and/or connecting with other devices, platforms or services.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-31
Recommendation Extracted from Linked Source: Since some devices, gateways, etc. are required to be managed remotely rather than operated manually in the field, measures for tamper protection and detection are needed. Detection and reaction to hardware tampering should not rely on network connectivity.

Hardware tampering means that an attacker has physical control of the device for some period of time. Broadly speaking, hardware tampering might occur at any of the different periods in the life cycle of a device.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 7.2.3
Recommendation Extracted from Linked Source: Protection of remote monitoring interfaces is crucial since they often provide a highly-privileged entry point into a device. This protection includes access control and authentication mechanisms, as described in good practices on Identification, authentication, authorisation.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Network Operators
Recommendation Number / Section: CLP.14_5.1.1.2
Recommendation Extracted from Linked Source: Non-Removable UICC. The Network Operator should provide non-removable UICCs (i.e. Machine Form Factor) for IoT Services where the service threat model suggests that the IoT Endpoint device may be vulnerable to physical tampering.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.14-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.6
Recommendation Extracted from Linked Source: Each system must be accessible by administration to troubleshoot and diagnose application faults. This can be challenging in environments where services or servers are short-lived, if an administrative model is not sufficiently designed.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_7.3
Recommendation Extracted from Linked Source: Use a Private APN for Cellular Connectivity. By restricting access to the APN, an organization can ensure that only authenticated endpoints are allowed to connect to the service infrastructure made available through the APN. This diminishes the potential for rogue or random wireless clients to connect to the APN and access restricted services.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.3
Recommendation Extracted from Linked Source: The physical device should not only be tamper resistant at the chip level, it should also be tamper resistant at the product level. The case used in the product should provide protection from adversarial or curious users.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.9
Recommendation Extracted from Linked Source: Applications running on an Endpoint typically do not require super-user privileges. Most often, applications require access to device drivers or a network port. While some of these devices, ports, or other objects may require super-user privileges to initially access them, the super-user privileges are not required to perform subsequent operations. Thus, it is best practice to only use super-user privileges at the start of the application to gain access to these resources. Then, super-user privileges should be dropped.

Dropping super-user privileges is a common process that is well documented, and has been implemented exceptionally well in applications such as the Secure Shell (SSH), apache2, and other well engineered servers.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.10
Recommendation Extracted from Linked Source: Applications running on an Endpoint should have different user identities associated with each unique process. This ensures that if one application is compromised, a separate application on the same Endpoint cannot be compromised without a successful second attack. This extra step required on behalf of an Attacker is often a critical hindrance to the overall exploit development process and increases the cost and complexity of an attack against an Endpoint.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.11
Recommendation Extracted from Linked Source: Programming languages have varying degrees of security, depending on the purpose of the language and how high level it is. Some languages provide constructs for limiting access to raw memory, and enforce constraints around how memory is used. The engineering team should identify a language that is capable of providing security to the application run-time or resultant binary.

The compiler or run-time should be security hardened, where possible, to restrict the potential for a vulnerability to be abused by an adversary. In a well defined run-time environment, even an easy-to-trigger programming flaw can be extremely difficult to fully exploit. This presumes that security enhancements are used to protect the way the application executes, accesses memory, and is supported by the operating system’s security enhancements.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.1
Recommendation Extracted from Linked Source: Applications running on an Operating System should be designed to use (either transparently, or intentionally) the security enhancements of the underlying Operating System and Kernel. This includes technologies such as:
ASLR
User-Pointer Dereference Protection (UDEREF)
Structure Leakage (information disclosure) Protection
Each operating system used in an embedded system will provide different variations and combinations of these technologies, sometimes under different names. Determine what the operating system and kernel are capable of providing, and enable these technologies, where possible, to enhance the security of applications.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.2
Recommendation Extracted from Linked Source: When a product is being developed it is often enabled with debugging and testing technologies to facilitate the engineering process. This is entirely normal. However, when a device is ready for production deployment, these technologies should be stripped from the production environment prior to the definition of the Approved Configuration.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_9.3
Recommendation Extracted from Linked Source: Components on the physical circuit typically do not use any semblance of confidentiality and integrity when communicating with each other or the central processing unit. As a result, any adversary can read or write data transmitted on these buses. The effect of this gap in communications security is the ability for an adversary to impersonate legitimate devices on the physical circuit. If the adversary chooses, they can impersonate a critical component such as NVRAM, RAM, or even a trust anchor.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.12
Recommendation Extracted from Linked Source: While the Organizational Root of Trust and its services will define authentication technologies that secure the network communication layer, the user, administration, and partner authorization technologies must be configured separately. While these entities’ communications channels are secured with the Organizational Root of Trust, their actions and identities must be authenticated using a separate system.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.13
Recommendation Extracted from Linked Source: In some service infrastructure environments, ingress and egress protection mechanisms are not configured by default. This means that engineers must employ firewall or network traffic rulesets themselves. These rules must be set in infrastructure before any service is deployed to the public.

Note that software firewalls carry an additional risk, in that they can be manipulated by a savvy attacker. If a software firewall is used, any server infrastructure that is improperly hardened may be manipulated by an attacker. In other words, if a public service running on a server carries unnecessary privileges (such as super-user privileges) and is compromised, the attacker will likely be capable of disabling the software firewall. Thus, the engineering team must evaluate whether a software firewall is too high of a risk for the chosen architecture.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.5
Recommendation Extracted from Linked Source: Accepting dynamically generated data, such as advertisements, from a Partner requires a certain level of presumption regarding the quality and security of the data. Instead of making presumptions and applying the data to the presentation layer, the engineering team must take steps to ensure that the data distributed from the service application to or from a partner is well formed and does not contain potentially malicious content.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_8.1
Recommendation Extracted from Linked Source: Some implementations of modern RAM technology such as Dynamic Random Access Memory (DRAM) and Static Random Access Memory (SRAM) are vulnerable to errors that can be provably induced by certain memory access sequences. Abusing this type of error can result in the alteration of a specific bit, or bits, in predictable areas of memory. A successful exploit of this condition can alter bits in memory that represent types of privilege denoted by software.

In other words, if exploited correctly, an adversary can elevate their privileges from one user to another user by manipulating a hardware flaw in modern implementations of DRAM or SRAM. Many modern implementations of DRAM and SRAM have been found provably exploitable through this vulnerability. However, it requires the ability to execute code on the local system in order to create the memory access sequences capable of triggering this bug.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_8.2
Recommendation Extracted from Linked Source: Modern service infrastructure often utilizes virtual machines to deploy services on demand. While this model has proved extremely convenient and easy to deploy with, the problem with this methodology is the security of the overall infrastructure. While the engineering team may succeed in deploying a well thought-out architecture, the organization that manages and deploys the virtual infrastructure may not be as successful.

One major concern of deploying in virtual server environments is the ability for hosts to be compromised, or for servers (virtual guests) to intercept the data of other guests running on the same infrastructure.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf


Organisation: IEEE
Standard / Recommendation Name: IoT Security Principles and Best Practices
Recommendation Number / Section: 1
Recommendation Extracted from Linked Source: Some IoT devices may operate continuously unattended and not subject to the security implied by this frequent, direct human observation. While it is best to keep devices relatively isolated so that only a few designated persons have physical access, especially for completely unattended devices, making them tamper-proof or tamper-evident may be advantageous. This form of endpoint hardening can help block potential intruders from reaching data. It may also defend against a hacker buying and then weaponizing devices.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf


Organisation: IEEE
Standard / Recommendation Name: IoT Security Principles and Best Practices
Recommendation Number / Section: 7
Recommendation Extracted from Linked Source: Recently DDoS attacks have been conducted in large measure by armies of poorly protected IoT devices that have become zombie systems in massive global campaigns. Most IoT devices are made of commodity components that have vastly overpowered network capabilities for the function they are supposed to perform, causing congestion on home networks and potentially contributing to huge costs for the targets of IoT-borne DDoS attacks.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.3
Recommendation Extracted from Linked Source: ENDPOINT PROTECTION. Endpoint Physical Security provides physical protection of the endpoint with anti-tampering and theft prevention mechanisms to prevent uncontrolled changes or removal of the endpoint.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf


Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.3
Recommendation Extracted from Linked Source: ENDPOINT PROTECTION. Endpoint Root of Trust provides a foundation to secure other functions at the endpoint, from the hardware to applications including firmware, virtualization layer, operating system, execution environment and application. It also provides confidence on the endpoint identity.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.9
Recommendation Extracted from Linked Source: FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of economy of mechanism: keep the design as simple and small as possible.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf


Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.9
Recommendation Extracted from Linked Source: FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of complete mediation: every access to every object must be checked for authority.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf


Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.9
Recommendation Extracted from Linked Source: FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of open design: a design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 7.9 | FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of least privilege: every program and every user of the system should operate using the least set of privileges necessary to complete the job. | https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 7.9 | FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of least common mechanism: minimize the amount of mechanism common to more than one user and depended on by all users. | https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 8.1 | SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Changes in hardware components and configuration, ①: Hardware integrity must be assured throughout the endpoint lifecycle to deter uncontrolled changes to the hardware components. A potential vulnerability of the hardware is the usurpation of some part of the hardware resources. The endpoint must be able to protect itself against unauthorized access and the monopolizing of key resources such as memory, processing cycles and privileged processing modes. | https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 9.2.5 | NETWORK FIREWALLS. Network firewalls are message-oriented filtering gateways used extensively to segment IIoT systems. Most firewalls are Layer 2, 3 or 4 IP routers/message forwarders with sophisticated message filters. Firewalls may be deployed as either physical or virtual network devices. A firewall's filtering function examines every message received by the firewall. If the filter determines that the message agrees with the firewall's configured traffic policy, the message is passed to the firewall's router component to be forwarded. | https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Industrial Internet Consortium (IIC) | Industrial Internet of Things Volume G4: Security Framework v1.0 | 8.12.2 | CONTAINER ISOLATION. The container isolation model implements either hardware- or software-enforced boundaries. Software containers rely on the OS to enforce the resource isolation boundaries; hardware containers use a physically different compute element on the same platform. Hybrid containers combine both approaches. | https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.6.1 | Device firmware SHOULD be designed to use hardware and operating systems that implement memory compartmentalization techniques, in order to prevent read, write, and/or execute access to areas of memory by processes not authorized to use those areas for those purposes. Vendors that do not make use of such features MUST document their design rationale. Explanation: Such mechanisms, when properly used, reduce the impact of a firmware bug, such as a buffer overflow vulnerability. Operating systems, or even firmware running on "bare metal", that do not provide such a separation allow an attacker to gain access to the complete address space. While these concepts have been available in hardware for a long time already, they often are not utilized by real-time operating systems. | https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
Internet Engineering Task Force (IETF) | Best Current Practices (BCP) for IoT Devices | 2.6.2 | Device firmware SHOULD be designed to isolate privileged code and data from portions of the firmware that do not need to access them, in order to minimize the potential for compromised code to access those code and/or data. | https://tools.ietf.org/html/draft-moore-iot-security-bcp-01

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.4.5 | Any debug interface (for example, I/O ports such as JTAG) only communicate with authorised and authenticated entities on the production devices. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.4.9 | All communications port(s), such as USB, RS232 etc., which are not used as part of the product's normal operation are not physically accessible or only communicate with authorised and authenticated entities. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.4.10 | After manufacture, all the product's test points are securely disabled or removed wherever possible. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.1 | The product has measures to prevent unauthenticated software and files being loaded onto it. In the event that the product is intended to allow un-authenticated software, such software should only be run with limited permissions and/or sandbox. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.5 | If the product has any port(s) that are not required for normal operation, they are only allowed to communicate with authorised and authenticated entities or securely disabled when shipped. Where a port is used for field diagnostics, the port input is deactivated and the output provides no information which could compromise the device. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.10 | Production software images should be assessed on release to remove all unnecessary debug and symbolic information. "Know what is being released, and have checks in place to prevent accidental release of superfluous data." | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.11 | Development software versions have any debug functionality switched off if the software is operated on the product outside of the product vendors' trusted environment. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.15 | The software must be architected to identify and ring fence sensitive software components, including cryptographic processes, to aid inspection, review and test. The access from other software components must be controlled and restricted to known and acceptable operations. For example, security related processes should be executed at higher privilege levels in the application processor hardware. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.5.19 | The production software signing keys are under access control. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.3 | All interactive OS accounts or logins have been disabled or eliminated from the software at the end of the software development process. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.4 | Files and directories are set to appropriate access privileges on a need to access basis. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.5 | Password file(s) are owned by and are only accessible to and writable by the device OS's most privileged account. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
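Requirements 2.4.6.4 and 2.4.6.5 above can be checked mechanically against an extracted device image. The following is an added example in Python, not code from the IoT Security Foundation: it walks a root filesystem and reports world-writable entries, setuid/setgid executables, and credential files that are not owned by root or are readable or writable beyond root. It assumes a Linux-style image in which password hashes live in files named shadow or gshadow (an assumption) and audits a small tree that it constructs itself in a temporary directory.

```python
"""Filesystem permission audit for an extracted device rootfs.

Added example; not part of the IoTSF framework. Flags:
  - world-writable files and directories (sticky directories such as /tmp excepted)
  - setuid/setgid executables
  - credential files not owned by uid 0, or readable/writable by group/other
"""
import os
import stat
import tempfile

# Files holding password material; names are an assumption for a typical Linux image.
CREDENTIAL_FILES = {"shadow", "gshadow", "shadow-", "gshadow-"}


def audit_tree(root):
    """Return a sorted list of (relative_path, finding) for the tree rooted at `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is audited where it lives
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                findings.append((rel, "world-writable"))
            # A setuid/setgid binary turns any local foothold into a privilege escalation path.
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid bit set"))
            if name in CREDENTIAL_FILES:
                if st.st_uid != 0:
                    findings.append((rel, "credential file not owned by root"))
                if mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
                    findings.append((rel, "credential file readable or writable beyond root"))
    return sorted(findings)


def demo_audit():
    """Build a small constructed rootfs in a temporary directory and audit it."""
    layout = {
        "etc/shadow": 0o644,        # wrong: password hashes readable by everyone
        "etc/passwd": 0o644,        # fine: passwd is public by design
        "usr/bin/busybox": 0o4755,  # setuid helper left in the production image
        "usr/bin/app": 0o755,       # fine
        "data/config.json": 0o666,  # wrong: any local process can rewrite the config
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_tree(root)


if __name__ == "__main__":
    for rel, finding in demo_audit():
        print(f"{finding:50} {rel}")
```

Run it against a real image with `audit_tree("/path/to/extracted/rootfs")`; the ownership check is only meaningful if the image was extracted preserving uids (for example with `tar --numeric-owner` as root).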

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.6 | All OS non-essential services have been removed from the product's software image or filesystems. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.7 | All OS command line access to the most privileged accounts has been removed from the operating system. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.8 | The product's OS kernel and its functions are prevented from being called by external product level interfaces and unauthorised applications. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.9 | Applications are operated at the lowest privilege level possible. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.6.11 | The OS is separated from the application(s) and is only accessible via defined secure interfaces. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.1 | The product prevents unauthorised connections to it or other devices the product is connected to. For example, is there a firewall on each interface and internet layer protocol? | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.2 | The network component and firewall (if applicable) configuration has been reviewed and documented for the required/defined secure behaviour. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.3 | For products with one or more network interfaces, any uncontrolled or unintended packet forwarding function should be blocked. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.6 | All the product's unused ports are closed and the minimal required number of ports are active. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.18 | The product only enables the communications interfaces, network protocols, application protocols and network services necessary for the product's operation. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.7.19 | Communications protocols should be at the most secure versions available and/or appropriate for the product. For example, Bluetooth 4.2 rather than 4.0. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.9 | The product supports access control measures to the root account to restrict access to sensitive information or system processes. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.8.11 | The product only allows controlled user account access; access using anonymous or guest user accounts is not supported without justification. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.2 | Any product related web servers have their webserver identification options (e.g. Apache or Linux) switched off. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.3 | All product related web servers have their webserver HTTP trace and trace methods disabled. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.6 | The product related web servers support appropriately secure TLS/DTLS ciphers and disable / remove support for deprecated ciphers, for example those published at ENISA [27], SSL Labs [29], IETF RFC 7525 [28]. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.7 | The product related web servers have repeated renegotiation of TLS connections disabled. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
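Requirements 2.4.13.2, 2.4.13.3, 2.4.13.6 and 2.4.13.7 above describe a hardened web server: no software identification, no TRACE, no deprecated ciphers, no client-initiated renegotiation. The following is an added example in Python, not code from the IoT Security Foundation. It builds a server-side TLS context with Python's `ssl` module (TLS 1.2 as the floor, forward-secret AEAD suites only, compression off, renegotiation refused where the OpenSSL build exposes the flag) and audits the suites the context actually offers; it also inspects the headers of an OPTIONS response for software disclosure and an enabled TRACE method. The OPTIONS response text is constructed; the cipher-string and the "legacy" classification by first-defining protocol version are design choices of this example, not from the framework.

```python
"""Hardened TLS context plus cipher and HTTP-header audit for a product web server.

Added example; not part of the IoTSF framework.
"""
import re
import ssl

DEPRECATED_TAGS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")  # DES also matches 3DES
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # version that first defined the suite


def hardened_server_context():
    """TLS 1.2+ only, ECDHE/DHE AEAD suites, no compression, no renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.3 suites are always enabled; this string governs the TLS 1.2 offer.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES:!PSK")
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # OP_NO_RENEGOTIATION needs OpenSSL >= 1.1.0h; TLS 1.3 has no renegotiation at all.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def cipher_findings(name, protocol):
    """Reasons a suite should not be offered; `protocol` is what OpenSSL reports
    as the version that first defined the suite (e.g. 'SSLv3', 'TLSv1.2')."""
    reasons = []
    if any(tag in name for tag in DEPRECATED_TAGS):
        reasons.append("deprecated primitive")
    if protocol in LEGACY_PROTOCOLS:
        reasons.append("legacy pre-TLS 1.2 suite")
    if protocol == "TLSv1.2" and not name.startswith(("ECDHE-", "DHE-")):
        reasons.append("no forward secrecy")
    return reasons


def audit_ciphers(ctx):
    """List (name, reasons) for every suite the context offers that fails the checks."""
    out = []
    for c in ctx.get_ciphers():
        reasons = cipher_findings(c["name"], c["protocol"])
        if reasons:
            out.append((c["name"], reasons))
    return out


# Constructed response to an OPTIONS request against an unhardened server.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Length: 0\r\n\r\n"
)


def audit_http_response(raw):
    """Flag software identification and TRACE in a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    findings = []
    server = headers.get("server", "")
    if re.search(r"[/\d(]", server):  # product/version or OS detail present
        findings.append(f"Server header discloses software: {server!r}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses stack: {headers['x-powered-by']!r}")
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    if "TRACE" in methods:
        findings.append("TRACE method enabled (request/header reflection)")
    return findings


if __name__ == "__main__":
    print("offered suites failing checks:", audit_ciphers(hardened_server_context()))
    for finding in audit_http_response(SAMPLE_OPTIONS_RESPONSE):
        print(finding)
```

`audit_ciphers` checks what the context will really negotiate rather than the cipher string, so it catches suites that a permissive OpenSSL build keeps despite the string; run it in CI against the context your server actually loads.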

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.8 | The related servers have unused IP ports disabled. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.17 | All the related servers and network elements support access control measures to restrict access to sensitive information or system processes to privileged accounts. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.13.18 | All the related servers and network elements prevent anonymous/guest access except for read only access to public information. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.14.1 | The product has all of the production test and calibration software used during manufacture erased or removed or secured before the product is dispatched from the factory. This is to prevent alteration of the product post manufacture when using authorised production software, for example hacking of the RF characteristics for greater RF ERP. Where such functionality is required in a service centre, it shall be erased or removed upon completion of any servicing activities. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

IoT Security Initiative | Security Design Best Practices | - | Expect software vulnerabilities and validate secure coding using automated and manual means. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Implement and operate only the system services that are necessary for the function of the system/solution. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Deploy systems and services based on a least-privilege model. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Compartmentalize communication IO in system design wherever possible; and run these services at least-privilege levels. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Run as much system code as possible at the lowest privilege/permission level possible; and as little as you can in the highest privilege/permission level. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Consider restricting or tightly controlling access to system components, firmware, and technical data for critical systems. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Validate system security approach and implementation throughout the SDLC. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Conduct security/vulnerability testing on both software code and finished systems. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Protect the system enclosure and electronics from physical access, probing, and attack. | https://www.iotsi.org/security-best-practices

IoT Security Initiative | Security Design Best Practices | - | Shed technology attack surface whenever and wherever possible in design and development. | https://www.iotsi.org/security-best-practices

Microsoft | IoT Security Best Practices | Scope hardware to minimum requirements | The hardware design should include the minimum features required for operation of the hardware, and nothing more. An example is to include USB ports only if necessary for the operation of the device. These additional features open the device for unwanted attack vectors that should be avoided. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Microsoft | IoT Security Best Practices | Make hardware tamper proof | Build in mechanisms to detect physical tampering, such as opening of the device cover or removing a part of the device. These tamper signals may be part of the data stream uploaded to the cloud, which could alert operators of these events. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Microsoft | IoT Security Best Practices | Deploy hardware securely | IoT deployments may require hardware to be deployed in unsecure locations, such as in public spaces or unsupervised locales. In such situations, ensure that hardware deployment is tamper-proof to the maximum extent. If USB or other ports are available on the hardware, ensure that they are covered securely. Many attack vectors can use these as entry points. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Microsoft | IoT Security Best Practices | Physically protect the IoT infrastructure | The worst security attacks against IoT infrastructure are launched using physical access to devices. One important safety practice is to protect against malicious use of USB ports and other physical access. One key to uncovering breaches that might have occurred is logging of physical access, such as USB port use. Again, Windows 10 (IoT and other SKUs) enables detailed logging of these events. | https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Object Management Group (OMG) Cloud Standards Customer Council (CSCC) | Cloud Customer Architecture for IoT | System, Application, and Solution Lifecycle Management | Lifecycle management of the IoT system is complex, multi-faceted, and has relationships with identity management, device management, the supply chain, application and software development, through to system operations and change management of deployed and in-service systems. Attention to security in all of these areas is required in order to prevent a variety of attacks ranging from malicious code insertion to inappropriate firmware/software deployment, to effective cryptographic key management. | https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.5 | Processes should be implemented to protect the storage. Therefore it is recommended that least-privileges are implemented so that service privileges are minimized as much as possible to reduce risk. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 9 | Ensure all IoT devices and associated software have been subjected to rigorous, standardized software development lifecycle testing including unit, system, acceptance, and regression testing and threat modeling, along with maintaining an inventory of the source for any third-party/open source code and/or components. Employ generally accepted code and system hardening techniques across a range of typical use case scenarios, including prevention of any data leaks between the device, apps and cloud services. Developing secure software requires thinking about security from a project's inception through implementation, testing, and deployment. Devices should ship with current software and/or on first boot push automatic updates to address any known critical vulnerabilities. | https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 11 | Design devices to minimum requirements necessary for operation. For example, USB ports or memory card slots should only be included if they are required for the operation and maintenance of the device. Unused ports and services should be disabled. | https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Online Trust Alliance (OTA) | IoT Security & Privacy Trust Framework v2.5 | 37 | Implement measures to help prevent or make evident any physical tampering of devices. Such measures help to protect the device from being opened or modified for malicious purposes after installation or from being returned to a retailer in a compromised state. | https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Open Connectivity Foundation (OCF) | OIC Security Specification v1.1.1 | 15.1.3 | Paths/ports used for data entry into or export out of the trusted/crypto boundary need to be protected. This includes paths into and out of the secure execution engine and secure memory. Path protection can be either hardware based (e.g. use of a privileged bus) or software based (using encryption over an untrusted bus). | https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Web Application Security Project (OWASP) | OWASP Secure Coding Practices Quick Reference Guide | Error Handling and Logging | (items listed below) | https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
    Do not disclose sensitive information in error responses, including system details, session identifiers or account information
    Use error handlers that do not display debugging or stack trace information
    Implement generic error messages and use custom error pages
    The application should handle application errors and not rely on the server configuration
    Properly free allocated memory when error conditions occur
    Error handling logic associated with security controls should deny access by default
    All logging controls should be implemented on a trusted system (e.g., the server)
    Logging controls should support both success and failure of specified security events
    Ensure logs contain important log event data
    Ensure log entries that include un-trusted data will not execute as code in the intended log viewing interface or software
    Restrict access to logs to only authorized individuals
    Utilize a master routine for all logging operations
    Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
    Ensure that a mechanism exists to conduct log analysis
    Log all input validation failures
    Log all authentication attempts, especially failures
    Log all access control failures
    Log all apparent tampering events, including unexpected changes to state data
    Log attempts to connect with invalid or expired session tokens
    Log all system exceptions
    Log all administrative functions, including changes to the security configuration settings
    Log all backend TLS connection failures
    Log cryptographic module failures
    Use a cryptographic hash function to validate log entry integrity
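Several of the OWASP items above fit together in one small component: a master logging routine on the trusted system that neutralises untrusted data, redacts secrets, records both successes and failures, and protects entry integrity with a keyed hash chain, plus an error handler that gives the caller a generic message and an opaque reference instead of a stack trace. The following is an added example in Python, not code from the OWASP guide. The HMAC key, the set of field names treated as secrets and the sample events are constructed; a real deployment would keep the key in a KMS or HSM and write entries to append-only storage rather than a list.

```python
"""Injection-safe, hash-chained event log with a generic error handler.

Added example; not from the OWASP Secure Coding Practices guide.
"""
import hashlib
import hmac
import json
import re
import secrets
import time
import traceback

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, ESC and other control characters
_SECRET_FIELDS = {"password", "passwd", "secret", "token", "session_id", "authorization"}
_GENESIS = "0" * 64  # "previous MAC" of the first entry


def sanitize(value, limit=256):
    """Escape control characters so untrusted text cannot forge a log line or
    carry a terminal/viewer escape, and bound the length."""
    text = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))
    return text if len(text) <= limit else text[:limit] + "[truncated]"


def redact(fields):
    return {k: "[REDACTED]" if k.lower() in _SECRET_FIELDS else sanitize(v)
            for k, v in fields.items()}


class ChainedLog:
    """Append-only event log kept on the trusted system.

    Each entry's MAC covers its JSON body; the body carries the previous
    entry's MAC, so edits, deletions and reordering all break verification."""

    def __init__(self, key):
        self._key = key  # assumption: a secret held only by the logging system
        self.entries = []
        self._prev = _GENESIS

    def write(self, event, outcome, fields=None):
        record = {
            "ts": round(time.time(), 3),
            "event": sanitize(event),
            "outcome": outcome,  # "success" or "failure": both are recorded
            "fields": redact(fields or {}),
            "prev": self._prev,
        }
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self.entries.append({"body": body, "mac": mac})
        self._prev = mac
        return mac

    def records(self):
        return [json.loads(e["body"]) for e in self.entries]

    def verify(self):
        """Index of the first entry that fails verification, or None if intact."""
        prev = _GENESIS
        for i, entry in enumerate(self.entries):
            expected = hmac.new(self._key, entry["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return i
            if json.loads(entry["body"])["prev"] != prev:
                return i
            prev = entry["mac"]
        return None


def handle_error(log, exc, context=None):
    """Generic error handler: full detail goes to the log, the caller gets an
    opaque reference instead of a stack trace or system details."""
    ref = secrets.token_hex(8)
    detail = {"ref": ref, "type": type(exc).__name__, "message": str(exc),
              "trace": traceback.format_exc()}
    detail.update(context or {})
    log.write("application_error", "failure", detail)
    return {"error": "An internal error occurred.", "ref": ref}


if __name__ == "__main__":
    log = ChainedLog(b"constructed-demo-key")
    log.write("login", "failure", {"user": "bob\r\nlogin success user=admin", "password": "hunter2"})
    print(handle_error(log, ValueError("db password hunter2 rejected"), {"user": "bob"}))
    print("chain intact:", log.verify() is None)
```

Support staff look up the `ref` in the log to see the real exception; the client never sees it. Verification depends on the key staying out of reach of whoever can write to the log store, which is why the OWASP item places logging on a trusted system.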
Open Web Application Security Project (OWASP) | IoT Security Guidance | I3: Insecure Network Services | Ensure all devices operate with a minimal number of network ports active | https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I3: Insecure Network Services | Ensure all devices do not make network ports and/or services available to the internet via UPnP for example | https://www.owasp.org/index.php/IoT_Security_Guidance
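The OWASP I3 items above, like IoTSF 2.4.7.6 and 2.4.7.18 earlier in this section, come down to one verifiable fact: the set of sockets a device listens on equals the set its function requires. The following is an added example in Python, not code from OWASP or the IoT Security Foundation. It parses the output of `ss -H -tulnp` (assumed to have been collected on a Linux-based device) and reports every listener outside a per-product allowlist, naming a few well-known discovery and legacy services. The `ss` output, the allowlist and the process names are constructed.

```python
"""Listening-socket audit against a product allowlist.

Added example; not part of the OWASP or IoTSF documents.
"""
import re
from dataclasses import dataclass

# Constructed `ss -H -tulnp` output: Netid State Recv-Q Send-Q Local Peer Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("dropbear",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:80           [::]:*    users:(("httpd",pid=901,fd=4))
tcp   LISTEN 0      128                *:8883             *:*    users:(("mqtt-agent",pid=950,fd=6))
tcp   LISTEN 0      128        127.0.0.1:6000      0.0.0.0:*    users:(("debug-shell",pid=977,fd=3))
udp   UNCONN 0      0            0.0.0.0:1900      0.0.0.0:*    users:(("upnpd",pid=1337,fd=5))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=640,fd=12))
"""

# What this hypothetical product needs: MQTT over TLS and mDNS discovery.
PRODUCT_ALLOWLIST = {("tcp", 8883), ("udp", 5353)}

# Services whose presence deserves a named finding rather than a generic one.
WELL_KNOWN = {
    ("tcp", 22): "SSH administrative shell reachable from the network",
    ("tcp", 23): "telnet: cleartext remote shell",
    ("tcp", 80): "unencrypted HTTP service",
    ("udp", 1900): "SSDP/UPnP discovery (service exposure, amplification)",
}
LOOPBACK = {"127.0.0.1", "::1"}
_PROC = re.compile(r'\(\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output):
    """Parse `ss -H -tulnp` lines into Listener records."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        addr, _, port = parts[4].rpartition(":")  # handles [::]:80 and *:8883
        if not port.isdigit():
            continue
        match = _PROC.search(line)
        listeners.append(Listener(parts[0], addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def audit_listeners(listeners, allowlist):
    """Return (severity, listener, reason) for every socket outside the allowlist.
    Loopback-only listeners are reported at low severity: still attack surface
    for local code, but not reachable from the network."""
    findings = []
    for l in listeners:
        if (l.proto, l.port) in allowlist:
            continue
        reason = WELL_KNOWN.get((l.proto, l.port), "not in product allowlist")
        severity = "low" if l.addr in LOOPBACK else "high"
        findings.append((severity, l, reason))
    return findings


if __name__ == "__main__":
    for severity, l, reason in audit_listeners(parse_ss(SAMPLE_SS_OUTPUT), PRODUCT_ALLOWLIST):
        print(f"[{severity}] {l.proto}/{l.port} on {l.addr} ({l.process}): {reason}")
```

Pipe real output in with `ss -H -tulnp | python3 audit.py` by replacing the sample with `sys.stdin.read()`; in a production test the allowlist is the product's documented interface list, and any non-empty result fails the build.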
Open Web Application Security Project (OWASP) | IoT Security Guidance | I10: Poor Physical Security | Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports) | https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I10: Poor Physical Security | Ensure the firmware or Operating System cannot be accessed via unintended methods such as through an unnecessary USB port | https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I10: Poor Physical Security | Ensure the product is tamper resistant | https://www.owasp.org/index.php/IoT_Security_Guidance

Open Web Application Security Project (OWASP) | IoT Security Guidance | I10: Poor Physical Security | Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions | https://www.owasp.org/index.php/IoT_Security_Guidance
Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I10: Poor Physical Security
Recommendation: Ensure the product has the ability to disable external ports such as USB
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Symantec
Standard / Recommendation Name: An Internet of Things Security Reference Architecture
Recommendation: System hardening, whitelisting, and application sandboxing can provide network protection, closing back doors, limiting network connectivity by application, and restricting both inbound and outbound traffic flow. This can also provide protection against different exploits, restricting app behavior, protecting the system from buffer overflows and zero day attacks, while preserving control of the device. Such solutions can also be used to prevent unauthorized use of removable media as well as locking down device configuration and settings, while also de-escalating user privileges where needed. Such solutions can also provide auditing and alerting functions, helping monitor logs and security events. Policy based technologies can even be run in environments without the connectivity or processing power required to run traditional signature-based technologies.
Web Link: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity. Depending on the purpose of the IoT device, providing the consumers with guidance and control over the end implementation can be a sound practice.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Use hardware that incorporates security features to strengthen the protection and integrity of the device. For example, use computer chips that integrate security at the transistor level, embedded in the processor, and provide encryption and anonymity.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Build the device using the most recent operating system that is technically viable and economically feasible. Many IoT devices use Linux operating systems, but may not use the most up-to-date operating system. Using the current operating system ensures that known vulnerabilities will have been mitigated.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.7
Recommendation: Reduced Complexity. The principle of reduced complexity states that the system design should be as simple and small as possible. A small and simple design will be more understandable, more analyzable, and less prone to error. This principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions. It also facilitates identification of potential vulnerabilities.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.12
Recommendation: Hierarchical Protection. The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it must protect itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it must protect itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.13
Recommendation: Minimized Security Elements. The principle of minimized security elements states that the system should not have extraneous trusted components. This principle has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components, necessarily being trustworthy, are generally costlier to construct, owing to increased rigor of development processes. They also require greater security analysis to qualify their trustworthiness.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.14
Recommendation: Least Privilege. The principle of least privilege states that each component should be allocated sufficient privileges to accomplish its specified functions, but no more. This limits the scope of the component’s actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact; and the security analysis of the component will be simplified.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.2.5
Recommendation: Secure Defaults. The principle of secure defaults states that the default configuration of a system (to include its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that should follow a “deny unless explicitly authorized” strategy.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.6
Recommendation: Minimized Sharing. The principle of minimized sharing states that no computer resource should be shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource should be shared unless that sharing has been explicitly requested and granted.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: W3C
Standard / Recommendation Name: Web of Things (WoT) Security and Privacy Considerations
Recommendation Number / Section: Minimize Network Interface Functionality 4.1.5
Recommendation: Network interfaces exposed by a TD (WoT Interfaces) should only provide the minimal necessary functionality, which helps to minimize implementation errors, possibilities for exposing potentially sensitive data, DoS attack possibilities etc. Devices should be strongly encapsulated, meaning the network interfaces should not expose implementation details (for example, the use of particular software frameworks). Consider different levels of access for different users.
Web Link: https://www.w3.org/TR/wot-security/#recommended-security-practices
Code of Practice: 7 - Ensure software integrity



Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Basic Requirements on APPLICATIONS
Recommendation: Third-party libraries: Rules for maintaining, updates, checking for vulnerabilities.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.10
Recommendation: Secure software supply chain. Manufacturers should protect the secure software supply chain to prevent introduction of malware during the manufacturing process; vendors and manufacturers should take appropriate measures to secure their software supply chain.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Increasing Security through an Industry-Led Standards-based Approach
Recommendation: To further ensure device integrity, each device should be “hardened” to minimize the attack surface by closing unnecessary ports, disabling unnecessary services, and using a secure bootloader with configuration validation
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Integrity
Recommendation: The data created or received by a device must be trustworthy, and protected from unauthorized modification. This requires that the device identity, execution environment, configuration, and communications are secured using well-established methods.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-02
Recommendation: Use hardware that incorporates security features to strengthen the protection and integrity of the device – for example, specialised security chips / coprocessors that integrate security at the transistor level, embedded in the processor, providing, among other things, a trusted storage of device identity and authentication means, protection of keys at rest and in use, and preventing unprivileged from accessing to security
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-03
Recommendation: The boot process initialises the main hardware components, and starts the operating system. Trust must be established in the boot environment before any trust in any other software or executable program can be claimed, so the booted environment must be verified and determined to be in an uncompromised state.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-06
Recommendation: Restore Secure State - Enable a system to return to a state that was known to be secure, after a security breach has occurred or if an upgrade has not been successful.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-16
Recommendation: Mechanisms for self-diagnosis and self-repair/healing to recover from failure, malfunction or a compromised state.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-04
Recommendation: Sign code cryptographically to ensure it has not been tampered with after being signed as safe for the device, and implement run-time protection and secure execution monitoring to be sure malicious attacks do not overwrite code after it is loaded. Only run signed code and never unsigned code. Measuring the boot process enables the detection of manipulation of the host OS and software, so that malicious changes in the behaviour of the devices can be detected. It enables boot-time detection of rootkits, viruses and worms.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-01
Recommendation: Employ a hardware-based immutable root of trust. The Hardware Root of Trust is a trusted hardware component which receives control at power-on. It then extends the chain of trust to other hardware, firmware, and software components. The Root of Trust should then be attestable by software agents running within and throughout the infrastructure.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 5.2, sixth bullet point
Recommendation: Self-protection: HW and SW self-protection measures should be in place to protect previous security functions. Data used to enforce these security functions should be protected, and hardening should be used to reduce the attack surface
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.1
Recommendation: Implement a Trusted Computing Base
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.16
Recommendation: Critical applications stored in executable regions of memory, such as first-stage bootloaders or Trusted Computing Bases, should be stored read-only. This ensures that the device can be booted into a valid configuration without interjection from an adversary. Without this assurance, executable code loaded after the first stage of execution will not be able to trust that it was booted into a valid configuration or state.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.12
Recommendation: Do not embed remote administrative capabilities into a publicly accessible application or API, use a separate and distinct communications channel
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.4
Recommendation: IoT Endpoints that have user interfaces such as touch screens, rich displays, or alternative interface technologies, must be able to render information to the user and take information from a user in a secure manner. While attributes of the user interface, such as passwords, have already been covered in this document, there are some more subtle issues that must be discussed: Alerting systems; Action confirmation. When an anomaly has occurred, such as physical tampering or an application behaving in an unintended fashion, the user should receive a visible alert. Alternatively, the user should be able to review alerts from the system from within the User Interface.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.3
Recommendation: In order for an application to run properly, it must be loaded and executed in a consistent way on a reliable, high quality, and secure platform. The TCB defines how to formulate this platform, but the Bootstrap model defines how the application shall be run on top of it.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.7.1
Recommendation: BOOT PROCESS INTEGRITY. The boot process initializes the main hardware components, and starts the operating system. Trust must be established in the boot environment before any trust in any other software or executable program can be claimed. So the booted environment must be verified and determined to be in an uncompromised state.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Intercepts or overrides of the system boot process, ②+③: The endpoint boot process can be altered by modifying the firmware interface between the hardware platform firmware and the operating system such as the unified extensible firmware interface (UEFI) or basic Input/output system (BIOS). Changes to the bootloader are another threat as changes could compromise the integrity of the endpoint by starting unauthorized or insecure versions of the operating system. Attacks at this level could also affect the normal or secure boot process of the endpoint, the recognition of all the hardware resources and the establishment of a solid root of trust for securing other components.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Compromises to the Guest OS, Hypervisors and Separation Kernels, ④+⑤: These software layers control allocation of hardware resources to applications. Attacks to these layers can alter the behavior of the system, allow information flows to bypass security controls and enable attackers to gain privileged access to endpoint hardware and software resources. Once access is gained to this layer, attackers will have opportunity to affect the entire software stack and further alter security controls built in to this level.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Illicit changes to Application Software or exposed Application Programming Interface (API), ⑥+⑦+⑧+⑨: Endpoint applications are often the target for malware or an attacker seeking to infiltrate and compromise the endpoint. Execution of malicious applications or overriding of application APIs can adversely impact the trustworthiness of the endpoint. Exposed APIs should also be protected against denial of service attack where continuous access from unauthorized users could limit the responsiveness and access to the exposed functionality.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Vulnerabilities of the Deployment Process, ⑩: Errors and potential malicious code may also infiltrate the endpoint as part of the deployment process, for example, incorrect or malicious installation scripts, intercepted communications, or unauthorized replacement of a package on the update server. Reduction of possible endpoint configurations in large-scale endpoint deployments will be important in reducing complexity and vulnerabilities in the deployment process.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Vulnerabilities in the Development Environment, ⑮: The introduction of weaknesses during the software development lifecycle can leave the IIoT systems susceptible to attack. These weaknesses may be introduced during architecting, designing, or writing of the code. Use of vulnerable or malicious libraries or untrusted development frameworks may lead to their inclusion in the resulting code running in the IIoT system.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.4
Recommendation: ESTABLISH ROOTS OF TRUST. The roots of trust (RoT), or trust roots, consisting of hardware, software, people and organizational processes, establish confidence in the system. An endpoint without a correctly implemented RoT will lack the ability to establish confidence that it will behave as intended. The root of trust on a device determines the level of confidence in the authenticity of the credentials belonging to that particular device. The root of trust should be able to generate, manage and store at least one identity.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.7.2
Recommendation: RUNTIME INTEGRITY. After the boot-process integrity has been attested to, the OS is running and applications can execute. Runtime integrity controls monitor, and ideally, enforce the integrity of the endpoint beyond the boot process
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Internet Society (ISOC)
Standard / Recommendation Name: The Internet of Things: An Internet Society Public Policy Briefing
Recommendation Number / Section: Security
Recommendation: Ensuring lifetime security in IoT products and services must be a fundamental priority to maintain overall user trust in this technology. Users need to trust that IoT devices and related data services are secure, especially as they become more pervasive and integrated into our daily lives.
Web Link: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.4.1
Recommendation: The product’s processor system has an irrevocable Secure Boot process.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.4.4
Recommendation: The Secure Boot process is enabled by default.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.8.2
Recommendation: Where the product has a secure source of time there is a method of validating its integrity, such as Secure NTP. https://www.ntpsec.org/.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.1
Recommendation: The product has measures to prevent unauthenticated software and files being loaded onto it. In the event that the product is intended to allow un-authenticated software, such software should only be run with limited permissions and/or sandbox.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.6
Recommendation: To prevent the stalling or disruption of the device’s software operation, any watchdog timers for this purpose cannot be disabled.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.7
Recommendation: The product’s software signing root of trust is stored in tamper-resistant memory.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.8
Recommendation: The product has protection against reverting the software to an earlier and potentially less secure version.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.22
Recommendation: The device remains secure and maintains state during a side channel attack.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.5.24
Recommendation: The software has been designed to fail safely, i.e. in the case of unexpected invalid inputs, or erroneous software operation, the product does not become dangerous, or compromise security of other connected systems.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.14.5
Recommendation: Where a product includes a trusted secure boot process, the entire production test and any related calibration is executed with the processor system operating in its secured boot, authenticated software mode.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Initiative
Standard / Recommendation Name: Security Design Best Practices
Recommendation: Fingerprint and validate the integrity of critical system operating thresholds or parameters.
Web Link: https://www.iotsi.org/security-best-practices

Organisation: IoT Security Initiative
Standard / Recommendation Name: Security Design Best Practices
Recommendation: Make use of secure boot, secure micro-kernels and hardware virtualization capabilities whenever possible.
Web Link: https://www.iotsi.org/security-best-practices
Organisation: Microsoft
Standard / Recommendation Name: IoT Security Best Practices
Recommendation Number / Section: Follow secure software development methodology
Recommendation: Development of secure software requires ground-up thinking about security, from the inception of the project all the way to its implementation, testing, and deployment. The choices of platforms, languages, and tools are all influenced with this methodology. The Microsoft Security Development Lifecycle provides a step-by-step approach to building secure software.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Organisation: Microsoft
Standard / Recommendation Name: IoT Security Best Practices
Recommendation Number / Section: Choose open-source software with care
Recommendation: Open-source software provides an opportunity to quickly develop solutions. When you're choosing open-source software, consider the activity level of the community for each open-source component. An active community ensures that software is supported and that issues are discovered and addressed. Alternatively, an obscure and inactive open-source software project might not be supported and issues are not likely to be discovered.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Organisation: Microsoft
Standard / Recommendation Name: IoT Security Best Practices
Recommendation Number / Section: Integrate with care
Recommendation: Many software security flaws exist at the boundary of libraries and APIs. Functionality that may not be required for the current deployment might still be available via an API layer. To ensure overall security, make sure to check all interfaces of components being integrated for security flaws.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Organisation: Open Connectivity Foundation (OCF)
Standard / Recommendation Name: OIC Security Specification v1.1.1
Recommendation Number / Section: 15.2.1
Recommendation: In order to ensure that all components of a device are operating properly and have not been tampered with, it is best to ensure that the device is booted properly. There may be multiple stages of boot. The end result is an application running on top of an operating system that takes advantage of memory, CPU and peripherals through drivers.
Web Link: https://openconnectivity.org/specs/OIC_Security_Specification_v1.1.1.pdf

Open Secure download and boot – To prevent the loading and execution
Connectivity of malicious software, where it is practical, it is recommended that
Foundation OIC Security Secure Download and Secure Boot methods that authenticate a https://openconnectivity.org/specs/OIC
(OCF) Specification v1.1.1 15.1.1.3 binary’s source as well as its contents be used. _Security_Specification_v1.1.1.pdf

Organisation: Software and Information Industry Association (SIIA)
Standard / Recommendation Name: Empowering the Internet of Things: Benefits
Recommendation Number / Section: 6
Recommendation: Policies for Embedded Software Should Provide for Product Integrity
Web Link: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf

Organisation: Symantec
Standard / Recommendation Name: An Internet of Things Security Reference Architecture
Recommendation: In powering up, each device boots and runs some code. In that context, it is crucial that we ensure devices only do what we programmed them to do, and ensure that others cannot reprogram them to behave maliciously. In other words, the first step in protecting a device is to protect the code to be sure the device only boots and runs code that you want it running. Fortunately, many chipmakers already build “secure boot” capabilities into their chips. Similarly, for “higher level” code, a number of time-proven, open-source, and client-side libraries like OpenSSL can easily be used to check signatures of code, and accept code only if it comes from an authorized source. In that context, signing firmware, boot images, and higher-level embedded code are all increasingly common, including signing the underlying software components such as any operating system, and not just applications, but all code on the device. This approach can ensure that all critical components, sensors, actuators, controllers, and relays are all properly configured to only run signed code and never run unsigned code.
Web Link: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.8
Recommendation: Secure Evolvability. The principle of secure evolvability states that a system should be developed to facilitate the maintenance of its security properties when there are changes to its functionality structure, interfaces, and interconnections (i.e., system architecture) or its functionality configuration (i.e., security policy enforcement). These changes may include for example: new, enhanced, and upgraded system capability; maintenance and sustainment activities; and reconfiguration. Although it is not possible to plan for every aspect of system evolution, system upgrades and changes can be anticipated by analyses of mission or business strategic direction; anticipated changes in the threat environment; and anticipated maintenance and sustainment needs.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.1.16
Recommendation: Self-Reliant Trustworthiness. The principle of self-reliant trustworthiness states that systems should minimize their reliance on other systems for their own trustworthiness. A system should be trustworthy by default with any connection to an external entity used to supplement its function.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.2.3
Recommendation: Self-Analysis. The principle of self-analysis states that a component must be able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability must be commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved via hierarchical trustworthiness assessments established in a bottom up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components. For example, trusted boot sequences involve a trusted lower-level component attesting to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.4.2
Recommendation: Defense in Depth. Defense in depth describes security architectures constructed through the application of multiple mechanisms to create a series of barriers to prevent, delay, or deter an attack by an adversary.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Code of Practice: 8 - Ensure that personal data is protected


Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Report: Working Group 4 – Policy
Recommendation Number / Section: 5
Recommendation: 1. Proactive not Reactive; Preventative not Remedial. Privacy by Design is characterised by proactive rather than reactive measures. It anticipates and prevents privacy-invasive events before they happen. It does not wait for privacy risks to materialise, nor does it offer remedies for resolving privacy infractions once they have occurred – it aims to prevent them from occurring.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Report: Working Group 4 – Policy
Recommendation Number / Section: 5
Recommendation: 2. Privacy as the Default Setting. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy – it is built into the product, by default.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Report: Working Group 4 – Policy
Recommendation Number / Section: 5
Recommendation: 3. End-to-End Security – Full Lifecycle Protection. Privacy by Design extends throughout the entire lifecycle of the data involved, from start to finish. This ensures that at the end of the process, all data are securely destroyed, in a timely fashion.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Report: Working Group 4 – Policy
Recommendation Number / Section: 5
Recommendation: 5. Respect for User Privacy – Keep it User-Centric. Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTIWG04Report2015-Policy-Issues.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Basic Requirements on PRACTICAL PRIVACY IN IoT
Recommendation: No Personal Data by Default, ‘As-If’ by Design & De-Identification by Default. Data minimalisation starts with only requesting, collecting, obtaining, deriving and processing personal data to the extent necessary (need-to-know principle). The ‘As-If’ principle is to design and engineer ecosystems in IoT as if these will (now or in a later phase) process personal data. The As-If principle is closely related to the privacy by design and privacy by default principles. Design de-Identification capabilities so personal data is de-identified as soon as legally possible.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Manufacturer-Implemented Parametrization
Recommendation: Rights management for accessing data controlled by the user based on the assessment where and when a Thing or IoT ecosystems in its lifecycle comes into contact with personal data, creates/derives (new) personal data, or otherwise processes personal data, while keeping in mind the contextuality of purposes and use, as well as multi-purpose Things and IoT ecosystems.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Awareness & Information Supplied with Indication of Purpose
Recommendation: Technically regulating access to data to define who can use it for what purpose, and how that can be made transparent, and subsequently measured and monitored. Design in a transparent way, so the data subject is and remains clear and aware of privacy issues, choices it makes and possible consequences thereof.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: AIOTI Digitisation of Industry Policy Recommendations
Recommendation Number / Section: 3.32 (ii) First bullet point
Recommendation: Promote transparency about what data is collected (including passive collection in smart spaces and smart cities) and do so in a way which is clear and simple for the user.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf

Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: AIOTI Digitisation of Industry Policy Recommendations
Recommendation Number / Section: 3.32 (ii) Second bullet point
Recommendation: Implement privacy enhancing techniques such as data segmentation, segregation, aggregation, pseudonymisation, tokenisation and anonymization to the extent possible.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf

Organisation: Atlantic Council Scowcroft Center for Strategy and Security
Standard / Recommendation Name: Smart Homes and the Internet of Things
Recommendation: Describe the ways in which customer data is used or will be used, as well as methods for consumers to opt out. This includes change in ownership of the company, or sharing information with third-parties.
Web Link: http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.7
Recommendation: IoT Devices Should Ship with a Privacy Policy That is Easy to Find & Understand. BITAG recommends that IoT devices ship with a privacy policy, but that policy must be easy for a typical user to find and understand.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Privacy + Transparency 1.1
Recommendation: The City should make processes and policies related to IoT and IoT-related data publicly available in an up-to-date, clear and comprehensive manner. IoT principles, guidelines, operational policies and responsibilities should be transparent and made public via a City government website.
Web Link: https://iot.cityofnewyork.us/privacy-and-transparency/

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Privacy + Transparency 1.3
Recommendation: Data and information collected by IoT devices should be classified and treated accordingly, per the City of New York’s Data Classification Policy, as Public, Sensitive, Private or Confidential. All personally identifiable information (PII) should be classified at a minimum as private. All data that is classified as being confidential, or personally identifiable, should be protected from unauthorized use and disclosure.
Web Link: https://iot.cityofnewyork.us/privacy-and-transparency/

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Privacy + Transparency 1.4
Recommendation: PII should by default be anonymized before being shared in any way that could make the information publicly searchable or discoverable. Any copies and reproductions must have the same or higher level of classification as the original. Any combinations of data should be reclassified according to the City’s Data Classification Policy.
Web Link: https://iot.cityofnewyork.us/privacy-and-transparency/

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Privacy + Transparency 1.5
Recommendation: PII data types should have a clearly associated retention policy and disposal procedure. Sensitive, private or confidential data should be kept for no longer than is operationally necessary or required for the specified, explicit and legitimate purposes.
Web Link: https://iot.cityofnewyork.us/privacy-and-transparency/

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Privacy + Transparency 1.6
Recommendation: Before any sensitive, private, or confidential data is shared outside the originating City agency, the agency should ensure that the need cannot be met by using anonymized or aggregated data and that the appropriate protections are in place to preserve the confidentiality of the data.
Web Link: https://iot.cityofnewyork.us/privacy-and-transparency/

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.1.1
Recommendation: Users of IoT systems should be made aware of all of the data collected from or about them, and should be given the opportunity to opt out of data collection practices at a granular level. Recognizing the concerns that many of the IoT devices may not have proper user interface, companies should find suitable methods to provide the choice and notice to consumers.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.1.4
Recommendation: Within the IoT, data collected will have a long lifespan. It is important to consider the full lifespan of the data collected, both within the collecting organization and within any third parties to which it is provided. Stakeholders should be made aware of when data is provided to third parties, the controls used to secure it, and how and when the data is disposed of.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.1.5
Recommendation: Stakeholders should be able to easily identify the data collected from them for any particular IoT system, as well as the planned or potential uses for that data. Stakeholders should also be allowed to opt in to data collection, at both a coarse and granular level.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.3.3
Recommendation: Limit the data that is being collected or aggregated by a gateway to what is really necessary.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: European Commission and AIOTI
Standard / Recommendation Name: Report on Workshop on Security & Privacy in IoT
Recommendation Number / Section: 1) 1)
Recommendation: Data control by the user – in any phase of the data life cycle and product life cycle.
Web Link: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf

Organisation: European Commission and AIOTI
Standard / Recommendation Name: Report on Workshop on Security & Privacy in IoT
Recommendation Number / Section: 1) 2)
Recommendation: Transparency and user interface control – empower the user to obtain sufficient knowledge on what its devices and related system are doing and sharing, even if it concerns M2M communications and transactions.
Web Link: http://ec.europa.eu/information_society/newsroom/image/document/2017-15/final_report_20170113_v0_1_clean_778231E0-BC8E-B21F-18089F746A650D4D_44113.pdf

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-10
Recommendation: Personal data must be collected and processed fairly and lawfully. The fairness principle specifically requires that personal data should never be collected and processed without the data subject’s consent.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-11
Recommendation: Make sure that personal data is used for the specified purposes for which they were collected, and that any further processing of personal data is compatible and that the data subjects are well informed.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-12
Recommendation: Minimise the data collected and retained. Many IoT stakeholders only need aggregated data and have no need of the raw data collected by IoT devices. Stakeholders must delete raw data as soon as they have extracted the data required for their data processing. As a principle, deletion should take place at the nearest point of data collection of raw data (e.g. on the same device after processing).
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-13
Recommendation: IoT stakeholders must be compliant with the EU General Data Protection Regulation (GDPR). The complex mesh of stakeholders involved asks for/implies the necessity of a precise allocation of legal responsibilities among them with regard to the processing of the individual’s personal data, based on the specificities of their respective interventions.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-14
Recommendation: Users of IoT products and services must be able to exercise their rights to information, access, erasure, rectification, data portability, restriction of processing, objection to processing, and their right not to be evaluated on the basis of automated processing.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-OP-12
Recommendation: Data processed by a third-party (i.e., if the organisation utilises a cloud email provider), must be protected by a data processing agreement with the third-party. With the transference of data, the responsibility of protecting that data also should be transferred and compliance verified.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-OP-13
Recommendation: Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required and limited for the use of product features or service operation. Require that third-party service providers are held to the same policies including holding such data in confidence and notification requirements of any data loss/breach incident and/or unauthorised access.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-PS-08
Recommendation: Privacy must be a guiding principle when designing and developing systems, in order to make privacy an integral part of the system.
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-29
Recommendation: Data integrity and confidentiality must be enforced by access controls. When the subject requesting access has been authorised to access particular processes, it is necessary to enforce the defined security policy. The effectiveness and the strength of access control depend on the correctness of the access control decisions (e.g., how the security rules are configured) and the strength of access control enforcement (e.g., the design of software management or hardware security).
Web Link: https://www.enisa.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 5.2, fourth bullet point
Recommendation: User data protection: the integrity, confidentiality and authenticity of user data must be protected. Confidentiality protection must be defined with regards to privacy issues.
Web Link: https://www.enisa.europa.eu/publications/security-resilience-good-practices

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 7.1
Recommendation: Users shall verify the authorisations given to devices and services for data access and data exchange. This is particularly true in case of an update where access rights may be modified without user’s consent. For example, devices and services can display a comprehensive view of their communications with external devices and services, their requirement to use private data, etc.
Web Link: https://www.enisa.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: IoT Security Assessment
Recommendation Number / Section: CLP11_6
Recommendation: Privacy Considerations
Web Link: https://www.gsma.com/iot/iot-security-assessment/

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.7
Recommendation: An imperative aspect of IoT technology is their ability to connect the physical world to the digital world. The result of this is a gap in privacy, as the user’s physical environment is directly associated with the things they like and view online. This may cause undesirable effects over time. As a result, it is important that IoT Service Providers consider the privacy of their consumers and develop Privacy Management interfaces that are integrated into both the Endpoint, where possible, and the product or service’s web interface. This technology should allow the user to determine what attributes of their privacy are being utilized by the system, what the Terms of Service are, and the ability to turn off the exposure of this information to the business or its partners. This granularity and opt-out system will help to ensure that users have the right and the ability to control the information that they share about themselves and their physical world.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_8.3
Recommendation: Build an API for Users to Control Privacy Attributes. All users must be able to control what information they offer to third parties, through service APIs. The information should be classified into types of data, and attributed with security classifications. Users should be able to retrieve the types of data and classifications that are used in the modelling of their account. The user should be able to apply constraints to the types of data, to allow them to grant or revoke access to this data to Partners.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.11
Recommendation: To properly manage interactions with Partner organizations effectively, security classifications must be defined. This will set the tone for not only the internal organizational policy on data security, but will help define the level of security Partner organizations apply to the business’s data, their own data, and customer’s data.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.12
Recommendation: After defining security classifications, the organization should define types of data to be used by the overall IoT product or service. This will enable the organization to clearly define what types of information are acquired, generated, and disseminated to peers in the IoT system, and how the organization should treat these types of data. This data will provide context and value to the overall components used throughout the IoT environment. While this document will not attempt to model all variations of data that may be relevant to a specific organization, certain types may be as follows:
• Users
• Actions
• Images
• Editable documents
• Personally-Identifiable Information
• Protected Health Information
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.1
Recommendation: While the privacy model deals with the way user’s information is offered to Partners, the authorization model defines how the business or Partners will act on behalf of a user. This, for instance, would come in handy for a home automation system where a Partner’s metrics could optimize the use of heating or cooling in a given home. The authorization model would grant the Partner the ability to change heating or cooling controls for that user’s home when certain metrics were detected by the Partner.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_6.7
Recommendation: Defining policies and procedures for the classification of data is not enough. There must also be a model for detecting whether the data has been exposed by a Partner. The organization must have a plan in place to evaluate whether a Partner was involved in business practices that breach the technological controls or policies set in place to guard user’s data and privacy.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_7.4
Recommendation: After security classifications have been defined, and data types have been attributed a valid classification, and a breach policy has been enacted, a data distribution policy should be generated. A data distribution policy describes how information should be processed through technical controls and out to service applications that have been granted permission to access the data. The permissions model is a part of the data distribution policy, and pairs with the user’s ability to create granular data permissions.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_8.3
Recommendation: All users must be able to control what information they offer to third parties, through service APIs. The information should be classified into types of data, and attributed with security classifications. Users should be able to retrieve the types of data and classifications that are used in the modelling of their account. The user should be able to apply constraints to the types of data, to allow them to grant or revoke access to this data to Partners.
This can come in the form of an authenticated API, or a GUI that allows simple Yes or No controls on a general, and per-Partner basis.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: IEEE
Standard / Recommendation Name: IoT Security Principles and Best Practices
Recommendation Number / Section: 9
Recommendation: The basic idea of IoT is to connect everyday objects via Internet or ad-hoc network. IoT devices provide services that are discoverable by other IoT devices. Most of the protocols leak sensitive personally identifiable information (PII), like owner's name or information that may be linkable to an individual, like a device’s host name. This information can be linked to other information sources to target attacks. Service mechanisms and authentication protocols are required so that only authorized clients can discover the device.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Organisation: IERC-European Research Cluster on the Internet of Things (IERC)
Standard / Recommendation Name: IoT Governance, Privacy and Security Issues - IERC Position Paper
Recommendation: Sticky flow policies combine sticky policies for data with their flow policies, i.e. a data item in a system using this technology is annotated with a security policy which describes how a data item can be used and which conditions have to be satisfied before an item can flow to another entity.
Web Link: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf

Organisation: IERC-European Research Cluster on the Internet of Things (IERC)
Standard / Recommendation Name: IoT Governance, Privacy and Security Issues - IERC Position Paper
Recommendation: Context-sharing enabled objects must be able to answer the question which information should be shared with whom. This question can be automatically answered, if the object has a fine-grained privacy policy that contains both the trusted objects and the context characteristics allowed for sharing. Additionally, an object needs mechanisms that enforce this policy. The contents of a policy are typically user and thus, object dependent. Many users have different opinions about what kind of context should be regarded as private and not every object supports all types of context. As a consequence, we can expect that some policies might be more restrictive than others.
Web Link: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf

Organisation: IERC-European Research Cluster on the Internet of Things (IERC)
Standard / Recommendation Name: IoT Governance, Privacy and Security Issues - IERC Position Paper
Recommendation: The same ability of third parties to know that two entities are exchanging data can be a violation of privacy. Both users and services might need to operate in given scenarios without releasing identification, addressing or other sensitive information to the other endpoint. This can be in conflict with some requirements related to authentication, authorization and non-repudiation.
Web Link: http://www.internet-of-things-research.eu/pdf/IERC_Position_Paper_IoT_Governance_Privacy_Security_Final.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.8.1
Recommendation: DATA CONFIDENTIALITY. Data confidentiality refers to ensuring that information is not disclosed to unauthorized parties. To implement this, cryptography renders data unintelligible to unauthorized entities that do not have the proper key for decryption of the data. The algorithm must be designed and implemented to ensure that no unauthorized party can determine the keys associated with the encryption or derive the plaintext. Data confidentiality is often mandated by regulations, in particular when privacy of the records is important or the record contains personally identifiable information (PII).
Some fields in a record may contain sensitive data that requires confidentiality while other fields need to be processed by an application. In this case, data tokenization can replace sensitive fields or the value can be modified so confidentiality and privacy of those fields is preserved.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Intel
Standard / Recommendation Name: Policy Framework for the Internet of Things (IoT)
Recommendation Number / Section: Privacy and Security
Recommendation: Privacy and security are critical building blocks for our nation’s IoT ecosystem – and capabilities that must be designed into our IoT systems from the outset using the best known Privacy-by-Design methodologies.
Web Link: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf

Organisation: Intel
Standard / Recommendation Name: Policy Framework for the Internet of Things (IoT)
Recommendation Number / Section: Privacy and Security
Recommendation: The IoT presents new challenges for traditional privacy principles. Consumer notice and consent will continue to be important, however other privacy principles must also be emphasized to ensure consumer privacy is adequately protected. For example, focusing on accountability for the appropriate collection, use, and protection of the consumer’s data.
Web Link: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf

Organisation: Intel
Standard / Recommendation Name: Policy Framework for the Internet of Things (IoT)
Recommendation Number / Section: Privacy and Security
Recommendation: Optimal privacy and security methods must be developed as required for different IoT solutions. Use cases should be used to proactively identify privacy and security risks and to develop robust strategies to mitigate those risks.
Web Link: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/policy-iot-framework.pdf

Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.2.1.3
Recommendation: Performance requirements of future IoT systems will result in scenarios in which computations on data collected from devices will have to be executed as close as possible to devices. Often, those domains may not meet the security requirements of the data owner, i.e. the data should not be disclosed to the component of the IoT system which processes it. Thus mechanisms are required which will make it possible to protect the confidentiality and integrity of data, while still allowing execution of computations and production of meaningful results for the data owner.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf

Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.6
Recommendation: An IoT device user/owner would like to monitor and verify its operational behavior. For instance, the user might want to know if the device is connecting to the server of the manufacturer for any reason. This feature - connecting to the manufacturer's server – may be necessary in some scenarios, such as during the initial configuration of the device. However, the user should be kept aware of the data that the device is sending back to the vendor. For example, the user might want to know if his/her TV is sending data when he/she inserts a new USB stick.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.9
Recommendation:
1. Identification - refers to the identification of the users, their IoT devices, and generated data.
2. Localization - relates to the capability of locating a user and even tracking them, e.g., by tracking MAC addresses in Wi-Fi or Bluetooth.
3. Profiling - is about creating a profile of the user and their preferences.
4. Interaction - occurs when a user has been profiled and a given interaction is preferred, presenting (for example, visually) some information that discloses private information.
5. Lifecycle transitions - take place when devices are, for example, sold without properly removing private data.
6. Inventory attacks - happen if specific information about IoT devices in possession of a user is disclosed.
7. Linkage - is about when information of two or more IoT systems (or other data sets) is combined so that a broader view of the personal data captured can be created.
When IoT systems are deployed, the above issues should be considered to ensure that private data remains private. These issues are particularly challenging in environments in which multiple users with different privacy preferences interact with the same IoT devices. For example, an IoT device controlled by user A (low privacy settings) might leak private information about another user B (high privacy settings). How to deal with these threats in practice is an area of ongoing research.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: Internet Society (ISOC)
Standard / Recommendation Name: The Internet of Things: An Internet Society Public Policy Briefing
Recommendation Number / Section: Encourage responsible design practices for IoT services
Recommendation: Security-by-design and privacy-by-design practices for IoT devices should be encouraged. Whether via privacy and data protection regulation, voluntary industry self-regulation, or other incentives or policy means, IoT device developers should be encouraged to respect the end-user’s privacy and data security interests and consider those interests a core element of the product-development process.
Web Link: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf

Organisation: Internet Society (ISOC)
Standard / Recommendation Name: The Internet of Things: An Internet Society Public Policy Briefing
Recommendation Number / Section: Privacy
Recommendation: IoT devices that collect data about people in one jurisdiction may transmit that data to another jurisdiction for data storage or processing. Challenges can arise if the data collected is deemed to be personal or sensitive and is subject to data protection laws in multiple jurisdictions.
Enabling cross-border data flows that protect privacy and promote legal certainty for users and IoT service providers will be key for promoting the global growth of IoT.
Web Link: https://www.internetsociety.org/wp-content/uploads/2017/09/ISOC-PolicyBrief-IoT.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.1
Recommendation: The product/service stores the minimum amount of Personal Information from users.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.2
Recommendation: The product/service ensures that all Personal Information is encrypted at rest and in transit.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.3
Recommendation: The product/service ensures that only authorised personnel have access to personal data of users.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.4
Recommendation: The product/service ensures that Personal Information is anonymised whenever possible and in particular in any reporting.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.5
Recommendation: The Product Manufacturer or Service Provider shall ensure that a data retention policy is in place, and compliant with the legal requirements for the territories the product or service is deployed.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.6
Recommendation: There is a method or methods for the product owner to be informed about what Personal Information is collected, why, where it will be stored.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.7
Recommendation: There is a method or methods for the product owner to check/verify what Personal Information is collected and deleted.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.8
Recommendation: The product / service can be made compliant with the local and/or regional Personal Information protection legislation where the product is to be sold.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.9
Recommendation: The supplier or manufacturer of any device shall provide information about how the device(s) functions within the end user’s network.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.10
Recommendation: The supplier or manufacturer of any devices or devices shall provide information about how the device(s) shall be setup to maintain the end user’s privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.11
Recommendation: The supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal shall be carried out to maintain the end user’s privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.12
Recommendation: The supplier or manufacturer of any devices or services shall provide clear information about the end user’s responsibilities to maintain the devices and/or services privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 19
Recommendation: A device is designed and architected to protect personal privacy through data collection transparency and anonymization of user activity.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 20
Recommendation: A device clearly identifies the collection or processing of personally identifiable data in the Device Support-Level Agreement (DSLA).
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 21
Recommendation: A device in active use to identify and/or track persons and their activity is overtly identified as such to the public in the devices operating environment.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 22
Recommendation: A published Device Security Level Agreement (DSLA) is maintained once initially created to provide the change history of material modifications to this public information.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: Object Management Group (OMG) Cloud Standards Customer Council (CSCC)
Standard / Recommendation Name: Cloud Customer Architecture for IoT
Recommendation Number / Section: Data Sovereignty
Recommendation: The physical location in which data is stored may be regulated, with the regulations varying from country to country. This is particularly the case for personally identifiable information (PII) and for sensitive data such as health data and financial records. The European Union has particularly stringent regulations that apply to the PII of European citizens. As a result, any IoT cloud system must take into account data sovereignty rules and store and process data only in those locations permitted by the regulations – this requires that the provider cloud used provides the cloud service customer with control over storage and processing locations.
Web Link: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

Organisation: oneM2M
Standard / Recommendation Name: TR-0008-V2.0.1 Security (Technical Report)
Recommendation Number / Section: 9.3
Recommendation: Although a user of a M2M System is generally considered to be an application or functional agent that represents a human, there are links between a device and its user that can be either directly derived or indirectly deduced. Consequently, identifiers used for communication in the M2M System should not be directly related to the real identity of either the device or its user, except where this is a requirement for operation of a specific M2M Application. The use of pseudonyms is a means to support this requirement.
Web Link: http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 20
Recommendation: Conspicuously disclose what personally identifiable and sensitive data types and attributes are collected and how they are used, limiting collection to data which is reasonably useful for the functionality and purpose for which it is being collected. Disclose and provide consumer opt-in for any other purposes.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 22
Recommendation: Disclose the data retention policy and storage duration of personally identifiable information.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 25
Recommendation: Only share consumers’ personal data with third parties with consumers’ affirmative consent, unless required and limited for the use of product features or service operation. Require that third-party service providers are held to the same policies, including holding such data in confidence and notification requirements of any data loss/breach incident and/or unauthorized access.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 26
Recommendation: Provide controls and/or documentation enabling the consumer to review and edit privacy preferences of the IoT device including the ability to reset to the “factory default.”
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 27
Recommendation: Commit to not sell or transfer any identifiable consumer data unless it is a dependent part of the sale or liquidation of the core business which originally collected the data, provided the acquiring party’s privacy policy does not materially change the terms. Otherwise notice and consent must be obtained.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 29
Recommendation: Whenever the opportunity is presented to decline or opt out of any policy, the consequences must be clearly and objectively explained, including any impact to product features or functionality. It is recommended the end-user value of opting in and/or sharing data be communicated to the end user.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 30
Recommendation: Comply with applicable regulations, including but not limited to the Children’s Online Privacy Protection Act (COPPA) and international privacy, security and data transfer regulatory requirements.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 31
Recommendation: Publicly post the history of material privacy notice changes for a minimum of two years. Best practices include date stamping, redlines, and summary of the impacts of the changes.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensure only the minimal amount of personal information is collected from consumers
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensure all collected personal data is properly protected using encryption at rest and in transit
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensure only authorized individuals have access to collected personal information
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensuring data is de-identified or anonymized
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensuring a data retention policy is in place
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I5: Privacy Concerns
Recommendation: Ensuring end-users are given a choice for data collected beyond what is needed for proper operation of the device
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Software and Information Industry Association (SIIA)
Standard / Recommendation Name: Empowering the Internet of Things: Benefits
Recommendation Number / Section: 2
Recommendation: Privacy Rights for the IoT Should Be Based on Risk and Societal Benefits.
Web Link: http://www.siia.net/Portals/0/pdf/Policy/Reports/Empowering%20the%20Internet%20of%20Things.pdf

Organisation: Telecommunications Industry Association (TIA)
Standard / Recommendation Name: Realizing the Potential of the Internet of Things: Recommendations to Policy Makers
Recommendation: Industry believes that IoT services must adopt principles similar to those that have worked successfully on the Internet to enable informed consumer choice: transparency about what data will be collected, how it will be used, and who will have access.
Web Link: https://www.tiaonline.org/wp-content/uploads/2018/05/Realizing_the_Potential_of_the_Internet_of_Things_-_Recommendations_to_Policymakers.pdf

Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.2.10
Recommendation: Acceptable Security. The principle of acceptable security requires that the level of privacy and performance the system provides should be consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces, or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
Code of Practice: 9 - Make systems resilient to outages


Organisation: Atlantic Council Scowcroft Center for Strategy and Security
Standard / Recommendation Name: Smart Homes and the Internet of Things
Recommendation: Standalone Operation. Document which specific features and benefits will continue to work without Internet access and chronicle negative impacts from compromised devices or cloud-based systems. The most proactive companies may find it less expensive to buy back obsolete devices, rather than continue to support them.
Web Link: http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.4
Recommendation: IoT Devices Should Continue to Function if Internet Connectivity is Disrupted. BITAG recommends that an IoT device should be able to perform its primary function or functions (for example, a light switch or a thermostat should continue to function with manual controls), even if it is not connected to the Internet. This is because Internet connectivity may be disrupted due to causes ranging from accidental misconfiguration or intentional attack (e.g., a denial of service attack); device function should be robust in the face of these types of connectivity disruptions. IoT devices that have implications for user safety should continue to function under disconnected operation to protect the safety of consumers. In these cases, the device or backend system should notify the user about the failure.
When possible, device manufacturers should make it easy for users to disable or block (e.g., with a firewall) various network traffic without hampering the device’s primary function.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

IoT Devices Should Continue to Function If the Cloud Back-


Broadband End Fails. Many services that depend on or use a cloud back-end
Internet can continue to function, even if in a degraded or partially-functional
Technical Internet of Things state, when connectivity to the cloud back-end is interrupted or the http://www.bitag.org/documents/BITAG
Advisory (IoT) Security and service itself fails. For example, a thermostat whose setting can be _Report_-
Group Privacy altered via a cloud service should in the worst case continue to _Internet_of_Things_(IoT)_Security_a
(BITAG) Recommendations 7.5 operate using either lastknown or default settings. A cloud-hosted nd_Privacy_Recommendations.pdf
Department for Digital, Culture, Media and Sport 190
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
home security camera should be accessible from within the home,
even when Internet connectivity fails.

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.1
Recommendation: The IoT Supply Chain Should Play Their Part In Addressing IoT Security and Privacy Issues. Manufacturers should support an IoT device throughout the course of its lifespan, from design to the time when a device is retired, including transparency about the timespan over which they plan to provide continued support for a device, and what the consumer should expect from the device's function at the end of the device's lifespan.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: DDoS Monitoring and Mitigation Systems
Recommendation: Many cable operators have deployed DDoS monitoring and mitigation systems to ensure the continued availability of their broadband Internet access services during an attack. A DDoS attack seeks to make a device, service, or network resource unavailable to its intended users by flooding the target with superfluous network traffic in an attempt to overload systems and prevent legitimate traffic from getting through to the target of the attack. A significant DDoS attack will typically originate from many thousands or hundreds of thousands of compromised devices. Both the frequency and magnitude of DDoS attacks continue to grow, fueled in large part by the proliferation of insecure IoT.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/
Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Availability
Recommendation: A secure IoT device is available when it is needed for its legitimate use and unavailable when it is not. IoT devices should be designed to function in a predictable and expected manner, if and when there is a loss of broadband connectivity or a loss of communications with any associated cloud service. Conversely, devices should use restrictive, rather than permissive, default network traffic policies to limit communications to expected norms, guarding against both unintended as well as malicious denial of service attacks that can disrupt the availability of the device or other devices on the network.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: CableLabs
Standard / Recommendation Name: A Vision for Secure IoT
Recommendation Number / Section: Prevention of IP Address Spoofing
Recommendation: Source Address Validation (SAV) is a recommended best practice for all ISPs, hosting providers, cloud providers and others to prevent reflective DDoS attacks. SAV with spoofed packet dropping is supported in Cable Modem Termination Systems (CMTS) equipment deployed in cable access networks globally. This feature became available in the Data Over Cable Service Interface Specification (DOCSIS) release 3.0, first issued in 2006, as a mandatory requirement. Moreover, the DOCSIS specification requires that SAV be turned on by default for DOCSIS 3.0 and 3.1 compliant CMTS devices.
Web Link: https://www.cablelabs.com/insights/vision-secure-iot/

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-46
Recommendation: Rate limiting – controlling the traffic sent or received by a network to reduce the risk of automated attacks.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-51
Recommendation: Implement a DDoS-resistant and Load-Balancing infrastructure to protect the services against DDoS attacks which can affect the device itself or other devices and/or users on the local network or other networks.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-15
Recommendation: Design with system and operational disruption in mind. Build IoT devices to fail safely and securely, so that the failure does not lead to a greater systemic disruption. Have a fail-safe design that specifically ensures that no malfunction can impact the delivery of a commodity (e.g. energy, gas, heat or water), preventing the system from causing unacceptable risk of injury or physical damage, protecting the environment against harm, and avoiding interruption of safety-critical processes.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 6.1
Recommendation: Hardware must provide basic reliability measures to resist outages and jamming. The typical examples are:
• In case of outage (power, network or simply the associated cloud services):
  o Provide the user with a notification
  o Provide smart fail-safe mechanism or standalone option (if an outage or denial of service happens, devices should be able to go offline, continue to provide their functionalities, and synchronize to remote services as soon as they become available again).
• For network: use the diversity of available interfaces (including hardwired connections) or RF spectrum to maintain connection.
• For power: use battery back-up and/or alternate charging options.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices
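The BITAG 7.5 and ENISA 6.1 entries above describe the same pattern: keep the primary function running on last-known or default settings when the back-end disappears, notify the user, and resynchronise when it returns. The following is an added example written for this mapping, not code from BITAG, ENISA or any product; it simulates a thermostat with an in-memory stand-in for the cloud back-end, and every name, threshold and timeline value in it is an assumption chosen for illustration.

```python
"""Added example (not from the page or the cited documents): a thermostat-style
controller that keeps its primary function through a cloud outage.

Pattern (BITAG 7.5, ENISA Smart Home 6.1): persist the last-known setpoint,
fall back to a safe default if none exists, notify the user once when the
back-end becomes unreachable, keep accepting local changes offline, and replay
them in order when connectivity returns. CloudLink is a simulated back-end;
the names, thresholds and timeline are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

DEFAULT_SETPOINT_C = 18.0   # safe default if NVRAM holds no last-known value
OUTAGE_GRACE_S = 30.0       # seconds without cloud contact before going standalone


class CloudLink:
    """Simulated cloud back-end; the scenario flips `up` to model an outage."""

    def __init__(self) -> None:
        self.up = True
        self.received: List[dict] = []

    def push(self, event: dict) -> None:
        if not self.up:
            raise ConnectionError("cloud back-end unreachable")
        self.received.append(event)


@dataclass
class Thermostat:
    cloud: CloudLink
    notify: Callable[[str], None]                          # user notification hook
    nvram: Dict[str, float] = field(default_factory=dict)   # persisted settings
    pending: List[dict] = field(default_factory=list)       # events not yet synced
    last_contact_s: float = 0.0
    standalone: bool = False

    @property
    def setpoint(self) -> float:
        return self.nvram.get("setpoint", DEFAULT_SETPOINT_C)

    def heater_on(self, room_temp_c: float) -> bool:
        """Primary function; identical online and standalone (0.5 C hysteresis)."""
        return room_temp_c < self.setpoint - 0.5

    def set_setpoint(self, value: float, now_s: float, source: str) -> None:
        """Persist locally first, then try to report the change upstream."""
        self.nvram["setpoint"] = value
        self.pending.append({"t": now_s, "setpoint": value, "source": source})
        self._sync(now_s)

    def heartbeat(self, now_s: float) -> None:
        """Periodic liveness probe; detects both outage and recovery."""
        try:
            self.cloud.push({"t": now_s, "heartbeat": True})
        except ConnectionError:
            self._check_outage(now_s)
            return
        self._sync(now_s)

    def _sync(self, now_s: float) -> None:
        """Replay queued events in order; stop at the first failure."""
        while self.pending:
            try:
                self.cloud.push(self.pending[0])
            except ConnectionError:
                self._check_outage(now_s)
                return
            self.pending.pop(0)
        self.last_contact_s = now_s
        if self.standalone:
            self.standalone = False
            self.notify("Cloud connectivity restored; offline changes synced")

    def _check_outage(self, now_s: float) -> None:
        if not self.standalone and now_s - self.last_contact_s > OUTAGE_GRACE_S:
            self.standalone = True
            self.notify(f"Cloud unreachable; holding setpoint {self.setpoint:.1f} C locally")


def run_outage_scenario() -> dict:
    """Constructed timeline: cloud drops after t=90 s, the user turns the dial
    while offline, the cloud returns at t=400 s."""
    notes: List[str] = []
    cloud = CloudLink()
    t = Thermostat(cloud=cloud, notify=notes.append)
    t.set_setpoint(21.0, now_s=0.0, source="cloud-app")
    t.heartbeat(90.0)                  # last successful contact
    cloud.up = False
    t.heartbeat(100.0)                 # inside grace period: still treated as online
    t.heartbeat(140.0)                 # grace exceeded: standalone, user notified once
    during = (t.standalone, t.setpoint, len(t.pending))
    t.set_setpoint(19.5, now_s=200.0, source="local-dial")   # queued, not lost
    queued = len(t.pending)
    heater = t.heater_on(room_temp_c=18.0)
    cloud.up = True
    t.heartbeat(400.0)                 # recovery replays the queued change
    return {
        "during": during,
        "queued_offline": queued,
        "heater_on_offline": heater,
        "after": (t.standalone, len(t.pending)),
        "cloud_saw_offline_change": any(e.get("source") == "local-dial" for e in cloud.received),
        "notifications": notes,
    }
```

The local write happens before any network call, so a change made while the link is down is never lost; recovery replays the queue in order and stops at the first failure so a flapping link cannot reorder events.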
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-PS-03
Recommendation: Security must consider the risk to human safety.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-PS-04
Recommendation: Designing for power conservation should not compromise security.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.4
Recommendation: For publicly accessible services, several pieces of security and reliability technology are required to maintain the availability, confidentiality, and integrity of the service:
• DDoS-resistant infrastructure
• Load-Balancing infrastructure
• Redundancy systems
• Web Application Firewalls (optional)
• Traditional Firewalls
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.12-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_9.1
Recommendation: For radio communications, there is a constant threat of jamming, or the intentional broadcasting of noise or patterns that can be used to scramble legitimate signals. As radio signals are simply composed of electrons flying through space in a specific pattern, it is fairly easy to concoct a series of signals that interrupt or mangle the pattern that forms communications data.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_9.1
Recommendation: Intentional or Unintentional Denial of Service
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.7
Recommendation: Components within an embedded system are designed to be used within certain environmental thresholds. This includes voltage levels, current draw, ambient or operating temperature, and humidity. Each component is typically rated for certain windows of approved levels. If the device is subjected to states above or below a given window, the component may act erratically, or behave in a fashion that is useful to an adversary.
Therefore, it is important to detect changes to these environmental levels to determine whether the device should continue running, or if it should power off. It should be noted, however, that powering off may be a desired effect, and that the adversary may abuse this engineering decision to leverage a denial of service. The engineering team should evaluate this model to determine if it is more beneficial to shut down or more beneficial to attempt to stay online.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.8
Recommendation: Endpoints that provide critical services to the user must be enabled with a warning threshold that indicates power-related events. These events may include:
• Low battery state
• Critically low battery state
• Black-out events
• Brown-out events
• Switch to battery back-up events
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_5.8.3
Recommendation: Backup channels in case of physical or logical link failure
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_5.8.3
Recommendation: Protection against Denial of Service attacks
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_5.8.3
Recommendation: Restrict communications options to the strict minimum required for a given IoT Service.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Unwanted changes to Endpoint Data, ⑪: Data throughout the endpoint from low-level firmware all the way up the software stack represents a key area of vulnerability. These vulnerabilities include unauthorized access to mission-critical or private data. Attackers may adversely affect the behavior of the system by injecting false data. Denial-of-service attacks on data access may impede timely and accurate execution of the endpoint functionality resulting in costly outcomes.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.1
Recommendation: SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS. Breach of the Monitoring & Analysis system, ⑫: An attacker could gain visibility on the functions of the monitored system. For example, an attacker could modify monitoring data to make it appear as if a particular event did not occur. Modification of the security logs and monitoring data may result in undetected vulnerabilities or compromised states. As a result, attackers would benefit from a coverage gap, compromising endpoint hardware and software or destroying evidence of their activities after an attack.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.5.4
Recommendation: Reliable and trustworthy actuation requires new technologies and extended system architectures to ensure reliable execution of tasks and to be able to recover from system failures, e.g. from the network or from devices.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf
Organisation: Internet Engineering Task Force (IETF)
Standard / Recommendation Name: Best Current Practices (BCP) for IoT Devices
Recommendation Number / Section: 2.2.3
Recommendation: A device SHOULD be designed to gracefully tolerate excessive numbers of authentication attempts, for instance by giving CPU priority to existing protocol sessions that have already successfully authenticated, limiting the number of concurrent new sessions in the process of authenticating, and randomly discarding attempts to establish new sessions beyond that limit. The specific mechanism is a design choice to be made in light of the specific function of the device and the protocols used by the device. What's important for this requirement is that this be an explicit choice.
Web Link: https://tools.ietf.org/html/draft-moore-iot-security-bcp-01
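The ENISA GP-TM-46 entry (rate limiting) and the IETF 2.2.3 entry above (cap on sessions still authenticating, random discard beyond the cap, priority for sessions already authenticated) fit together as one admission-control layer in front of a device's login path. The following is an added example written for this mapping, not code from either document or any implementation; the class and method names, the limits, and the IP addresses in the scenario are assumptions, and the random source is injected so the behaviour can be seeded.

```python
"""Added example (not from the page or the cited documents): admission control
for a device's authentication path.

Two controls from the entries above: a per-source token bucket (ENISA
GP-TM-46) and a cap on half-open sessions with random discard once the cap
is reached, never evicting sessions that have already authenticated
(draft-moore-iot-security-bcp 2.2.3). Names, limits and addresses are
hypothetical; the RNG is injected so a caller can seed it.
"""
import random
from typing import Dict, Optional, Set, Tuple


class TokenBucket:
    """Classic token bucket: at most `burst` tokens, refilled at `rate_per_s`."""

    def __init__(self, rate_per_s: float, burst: float) -> None:
        self.rate_per_s = rate_per_s
        self.burst = burst
        self.tokens = burst
        self.last_s = 0.0

    def allow(self, now_s: float) -> bool:
        elapsed = max(0.0, now_s - self.last_s)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_per_s)
        self.last_s = now_s
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AuthGate:
    def __init__(self, max_pending: int = 8, per_source_rate: float = 1.0,
                 per_source_burst: float = 3, pending_timeout_s: float = 10.0,
                 rng: Optional[random.Random] = None) -> None:
        self.max_pending = max_pending
        self.per_source_rate = per_source_rate
        self.per_source_burst = per_source_burst
        self.pending_timeout_s = pending_timeout_s
        self.rng = rng or random.Random()
        self.pending: Dict[str, Tuple[str, float]] = {}   # sid -> (source, started)
        self.authenticated: Set[str] = set()
        self.buckets: Dict[str, TokenBucket] = {}

    def new_session(self, sid: str, source: str, now_s: float) -> str:
        """Returns 'admitted', 'rate_limited' or 'dropped'."""
        self.expire(now_s)
        bucket = self.buckets.setdefault(
            source, TokenBucket(self.per_source_rate, self.per_source_burst))
        if not bucket.allow(now_s):
            return "rate_limited"
        if len(self.pending) >= self.max_pending:
            # Cap reached: discard uniformly at random among the newcomer and
            # the sessions still authenticating, so a flood cannot pin every
            # slot. Authenticated sessions are never candidates (priority).
            victim = self.rng.choice([sid] + list(self.pending))
            if victim == sid:
                return "dropped"
            del self.pending[victim]
        self.pending[sid] = (source, now_s)
        return "admitted"

    def authenticate(self, sid: str, ok: bool) -> bool:
        """Record the credential-check outcome; False if the session was evicted."""
        if sid not in self.pending:
            return False
        del self.pending[sid]
        if ok:
            self.authenticated.add(sid)
        return ok

    def expire(self, now_s: float) -> int:
        """Drop half-open sessions older than the timeout; returns how many."""
        stale = [s for s, (_, t0) in self.pending.items()
                 if now_s - t0 > self.pending_timeout_s]
        for s in stale:
            del self.pending[s]
        return len(stale)


def run_flood_scenario(seed: int = 7) -> dict:
    """Constructed scenario: one authenticated client, then a single-source
    flood (absorbed by the bucket) and a 40-source flood (held by the cap)."""
    gate = AuthGate(max_pending=4, per_source_rate=1.0, per_source_burst=2,
                    rng=random.Random(seed))
    gate.new_session("legit-1", "10.0.0.5", 0.0)
    gate.authenticate("legit-1", ok=True)
    single = [gate.new_session(f"s{i}", "198.51.100.9", 1.0) for i in range(10)]
    spread, peak = [], 0
    for i in range(40):
        spread.append(gate.new_session(f"d{i}", f"203.0.113.{i}", 2.0))
        peak = max(peak, len(gate.pending))
    return {
        "single": (single.count("admitted"), single.count("rate_limited")),
        "spread_outcomes": set(spread),
        "peak_pending": peak,
        "legit_kept": "legit-1" in gate.authenticated,
    }
```

Random discard among all half-open sessions, rather than simply refusing newcomers, is what stops an attacker who arrives first from holding every slot until timeout; the timeout still bounds how long an abandoned handshake can occupy memory.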
Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.1.2
Recommendation: The tight memory and processing constraints of things naturally alleviate resource exhaustion attacks.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.13.20
Recommendation: Where a Product or Services includes any safety critical or life-impacting functionality, the services infrastructure shall incorporate protection against DDOS attacks, such as dropping of traffic or sinkholing. See NIST 800-53 SC-5 [32]
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.13.21
Recommendation: Where a Product or Services includes any safety critical or life-impacting functionality, the services infrastructure shall incorporate redundancy to ensure service continuity and availability.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 18
Recommendation: Devices supporting sensitive or safety-critical functions are designed and architected to continue safe and secure operation during communications interruption or failure.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: Object Management Group (OMG) Cloud Standards Customer Council (CSCC)
Standard / Recommendation Name: Cloud Customer Architecture for IoT
Recommendation Number / Section: Resilience
Recommendation: In IoT systems resilience and fault tolerance is very important. IoT systems should not depend on one single component at any point and should tolerate the failure of a single component, such as a single IoT device. Components in the provider cloud can be made resilient through the use of multiple instances of programs and cloud services allied with data replication and redundancy on multiple storage systems. The networks should also be resilient, for example with multiple paths and multiple providers in the public network.
Web Link: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I3: Insecure Network Services
Recommendation: Review all required network services for vulnerabilities such as buffer overflows or denial of service.
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: U.S. Department of Homeland Security
Standard / Recommendation Name: Strategic Principles for Securing The Internet of Things (IoT)
Recommendation: Design with system and operational disruption in mind. Understanding what consequences could flow from the failure of a device will enable developers, manufacturers, and service providers to make more informed risk-based security decisions. Where feasible, developers should build IoT devices to fail safely and securely, so that the failure does not lead to greater systemic disruption.
Web Link: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.2.6
Recommendation: Secure Failure and Recovery. The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure should lead to a violation of security policy. This principle parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) and to take appropriate steps to ensure that security policies are not violated.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf

Organisation: W3C
Standard / Recommendation Name: Web of Things (WoT) Security and Privacy Considerations
Recommendation Number / Section: 4.1.3
Recommendation: Avoid Heavy Functional Processing without Authentication. When defining WoT Interfaces exposed by a TD, it is important to avoid any heavy functional processing before the successful authentication of a WoT client. Any publicly exposed network interface should avoid heavy processing altogether.
Web Link: https://www.w3.org/TR/wot-security/#recommended-security-practices
Code of Practice: 10 - Monitor system telemetry data

Organisation: City of New York (NYC)
Standard / Recommendation Name: Guidelines for the Internet of Things
Recommendation Number / Section: Security 4.6
Recommendation: The City and its partners should engage in both audit-based and continuous monitoring to ensure that systems are working and that devices have not been compromised.
Web Link: https://iot.cityofnewyork.us/security/

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.5.4
Recommendation: Monitoring for security events within an IoT infrastructure should also be done, ideally on a 24/7 basis. Planning for the capture of security-relevant data and establishment of rules for identifying events or combinations of events-of-interest should be conducted early on in the engineering lifecycle. Consider having security analysts charged with near-real time monitoring of the security posture of your implementation.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.7
Recommendation: As can be seen, it is important to understand what components within the IoT ecosystem will actually provide audit data feeds and which components should actually be mined for anomalous behavior within their operational data stream. As an example, considering which components are owned by a consumer will allow for a plan to capture and analyze appropriate data (e.g. failed logins). It is also important to ensure that no sensitive (privacy-related) information is included in the audit logs unless it is protected using sufficient security safeguards (e.g. encryption).
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.7.2
Recommendation: In general, it is important to log data that may indicate that an incident has occurred or will occur. Whenever possible, the following minimum data elements should be logged.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-56
Recommendation: Implement regular monitoring to verify the device behaviour, to detect malware and to discover integrity errors.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-57
Recommendation: The auditing of security-relevant events and the monitoring and tracking of system abnormalities are key elements in the after-the-fact detection of, and recovery from, security breaches. Conduct periodic audits and reviews of security controls to ensure that the controls are effective. Perform penetration tests at least biannually.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Baseline Security Recommendations for IoT
Recommendation Number / Section: GP-TM-55
Recommendation: Implement a logging system that records events relating to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the system. The logs must also be preserved on durable storage and retrievable via an authenticated connection.
Web Link: https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 5.2, first bullet point
Recommendation: Security audit: security events must be logged, and users should be notified whenever needed.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: GSMA IoT Security Assessment
Recommendation Number / Section: CLP13_6.13
Recommendation: Logging and Diagnostics
Web Link: https://www.gsma.com/iot/iot-security-assessment/
Organisation: GSMA
Standard / Recommendation Name: Analytics-based Security
Recommendation Number / Section: CLP14_5.8.2
Recommendation: Network Operators can provide data analytics and deep packet inspection services to identify threats and anomalies in the data generated by IoT Services. An example could be that a Network Operator could periodically perform deep packet inspection for specific strings like social security numbers and GPS coordinates that might suggest that such information is not protected properly and alert the IoT Service Provider responsible that information could be leaking.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.14-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_7.2
Recommendation: Modelling Endpoint behaviour is an imperative part of IoT security. This is because a compromised Endpoint can be indistinguishable from an Endpoint behaving normally if only successful interactions with the device are logged and analysed. For a more comprehensive perspective of an IoT environment, the full behavioural fingerprint of a device should be catalogued to identify anomalies that may be indicative of adversarial behaviour.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_5.7
Recommendation: Each system must be monitored to allow administrators and Information Technology (IT) workers to detect and diagnose anomalies. Monitoring must be performed at multiple dimensions. For example, network monitoring at the infrastructure level helps diagnose application attacks or DDoS against network components.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_7.2
Recommendation: Use Partner-Enhanced Monitoring Services. This will allow the IoT business to more quickly identify whether a particular user or Endpoint is either a threat, or has been compromised by an adversary. As a result, businesses may react more effectively to pre-empt attacks against other areas of the business's infrastructure.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf
Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines for Service Ecosystems
Recommendation Number / Section: CLP12_8.4
Recommendation: While false positive analysis is an extremely complex topic, there is a simple way to identify whether a technology is more likely to present false positives. This is by evaluating the following items:
• Is the data source trustworthy
• Can the data source be tampered with or spoofed
• Is the data source from the analogue domain
• Can the data be corroborated from multiple points of origin
• Do the corroborating data sources exist on the same endpoint system
• Are corroborating data sources easy to tamper with or spoof
• Are tools readily available to manipulate the data source
• What level of expertise or cost is required to manipulate the data source
• Is the device attached to the data source trustworthy
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.3
Recommendation: ENDPOINT PROTECTION. Endpoint Monitoring and Analysis includes integrity checking, detecting malicious usage patterns, denial of service activities, enforcement of security policies and analytics that track security performance indicators.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.3
Recommendation: ENDPOINT PROTECTION. Endpoint Monitoring & Analysis is responsible for ensuring the prevention, detection and recovery from any activity deviant from policy, while Endpoint Configuration & Management ensures that all changes made to the endpoints are performed in a controlled and managed manner.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.3
Recommendation: ENDPOINT PROTECTION. Endpoint Data Protection is responsible for protecting access and preventing tampering with data-at-rest and data-in-use on the endpoint through encryption, isolation and access control. Data protection spans all data on the endpoint, including configuration, monitoring, and operational data.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Department for Digital, Culture, Media and Sport 203
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.4
Recommendation: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Information Flow Protection ensures that only permitted kinds of messages and content reach sensitive systems and networks by isolating network flows using network segmentation and perimeter protection technologies.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.4
Recommendation: COMMUNICATIONS AND CONNECTIVITY PROTECTION. Network Monitoring and Analysis collects network data for analysis and includes intrusion detection, network access control, deep packet inspection and network log analysis.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.5
Recommendation: SECURITY MONITORING AND ANALYSIS. Monitor. As determined by the security model and policy, monitoring captures and aggregates data from each of the sources in the system:
• Endpoints & Communications: Monitoring data is gathered by a local agent running on each of the endpoints and communications in the system obtaining information on the implementation of security controls in accordance with the system security policy.
• Secure Remote Logging: The sending and receiving of log messages using secure communications.
• Supply Chain: Collecting data from all components builders and integrators in the supply chain to assure that security requirements are met.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.5
Recommendation: SECURITY MONITORING AND ANALYSIS. Analyze. Analysis looks for events (for example, violation of security thresholds) and trends that may uncover certain system security vulnerabilities or threats. This phase stores and saves the information for audit or other mining purposes. There are two types of analysis:
• Behavioral Analysis observes the usage patterns in the system and learns what is appropriate behavior for the system.
• Rule-Based Analysis monitors for violations of predefined policy rules that define events that should never occur in the system.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.5
Recommendation: SECURITY MONITORING AND ANALYSIS. Act. Having analyzed events and trends, action must be taken. There are three types:
• Proactive/Predictive attempts to mitigate threats before the attack begins by observing leading indicators of an imminent attack.
• Reactive detection & Recovery provides manual and automated responses to attacks in progress and tries to mitigate them to recover and return to normal runtime state.
• Root Cause/Forensics analysis and forensics investigates the underlying vulnerabilities and exploits after the attack.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.7
Recommendation: ENDPOINT INTEGRITY PROTECTION. Measuring the device boot process enables the validation of its integrity, so we may assert that a device has powered up in a known good state. Given that devices may not be rebooted for long periods of time in OT environments, both static and dynamic integrity assurance of the runtime should also be implemented. Identity material must be properly secured in the trust roots to maintain its integrity and avoid identity spoofing, and data integrity must be monitored and maintained to establish trust in the data, including both data-at-rest and data-in-motion.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.8.2
Recommendation: DATA INTEGRITY. Data integrity assures that data alteration is detected. Traditional OT data integrity techniques (e.g. a CRC checksum) increase reliability and resilience of a system but are not effective against some malicious alterations due to their lack of cryptographic strength. Newer techniques such as digital signatures provide greater trust in the integrity measurements.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 8.9
Recommendation: ENDPOINT MONITORING AND ANALYSIS. Monitoring mechanisms should also be protected. Endpoint monitoring concerns itself with detection of possible tampering with or compromise of devices, which would result in incorrect reporting of events. Monitoring of the endpoint security status may be performed internally on the endpoint or may be performed externally to the endpoint. Monitoring of least-capable edge devices will most likely be executed from another endpoint in the operational domain.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 10
Recommendation: SECURITY MONITORING AND ANALYSIS. Security monitoring aggregates and stores a variety of types of data from running Industrial Internet of Things systems, enabling analysis into past compromises, current security events and the prediction of future risks. Security analytic tools provide useful feedback to the organization via parameters suitable for high-level dashboard display.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 10.3.1
Recommendation: LOGGING AND EVENT MONITORING. All security monitoring designs must consider the risk that a successful intruder can erase all evidence of their activities. Transmitting the most important security monitoring data to external monitoring systems in a secure and timely manner mitigates this risk. Endpoints must log data based on both local endpoint events and communications events. Logging to a network log system can also mitigate attempts of intruders to interfere with the integrity of log data.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 10.3.2
Recommendation: CAPTURING AND MONITORING SECURITY DATA. Monitoring data can come from many sources, in particular endpoints and the network. This data should be communicated securely to monitoring and analytics systems.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf
Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 11.9
Recommendation: CONFIGURATION AND MANAGEMENT DATA PROTECTION. Security management maintains the consistency of security over time, and must not interfere with operational processes. Security metadata such as connection status and characteristics (encrypted or authenticated), and the state of security controls on the device should be gathered and shared with operation management systems so that it can be tracked. The security metadata should be sent on a separate communications channel from the operational application data.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: International Electrotechnical Commission (IEC)
Standard / Recommendation Name: IoT 2020: Smart and secure IoT platform
Recommendation Number / Section: 5.2.6
Recommendation: The platform will also provide capabilities for the monitoring of devices in the IoT system and for anomaly detection. Important to these capabilities are additional capabilities for the coordination and analysis of data to determine events. This is half of the observe-orient-decide-act (OODA) cycle for detection and response to system threats.
Web Link: http://www.iec.ch/whitepaper/pdf/iecWP-loT2020-LR.pdf

Organisation: Internet Research Task Force (IRTF) Thing-to-Thing Research Group (T2TRG)
Standard / Recommendation Name: State-of-the-Art and Challenges for the Internet of Things Security
Recommendation Number / Section: 5.6
Recommendation: An IoT device user/owner would like to monitor and verify its operational behavior. For instance, the user might want to know if the device is connecting to the server of the manufacturer for any reason. This feature - connecting to the manufacturer's server - may be necessary in some scenarios, such as during the initial configuration of the device. However, the user should be kept aware of the data that the device is sending back to the vendor. For example, the user might want to know if his/her TV is sending data when he/she inserts a new USB stick.
Web Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-seccons/

Organisation: IoT Security Foundation
Standard / Recommendation Name: Connected Consumer Secure Design Best Practice Guidelines
Recommendation Number / Section: N/A
Recommendation: K: Logging
Web Link: https://www.iotsecurityfoundation.org/best-practice-guidelines/
Organisation: Microsoft
Standard / Recommendation Name: IoT Security Best Practices
Recommendation Number / Section: Audit
Recommendation: Auditing IoT infrastructure for security-related issues is key when responding to security incidents. Most operating systems provide built-in event logging that should be reviewed frequently to make sure no security breach has occurred. Audit information can be sent as a separate telemetry stream to the cloud service where it can be frequently analyzed.
Web Link: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

Organisation: Object Management Group (OMG) Cloud Standards Customer Council (CSCC)
Standard / Recommendation Name: Cloud Customer Architecture for IoT
Recommendation Number / Section: Security Monitoring, Analysis, and Response
Recommendation: Every system must have monitoring of the environment built in so that active attacks as well as anomalous behavior is detected and acted upon. Because of the scale of IoT systems, both in the number of devices as well as the amount of information being processed, there is a requirement for automated response to known attacks as well as automatic detection of suspicious behavior.
Web Link: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

Organisation: Object Management Group (OMG) Cloud Standards Customer Council (CSCC)
Standard / Recommendation Name: Cloud Customer Architecture for IoT
Recommendation Number / Section: Security
Recommendation: As more data about people, financial transactions and operational decisions is collected, refined and stored, the challenges related to information governance and security increase. The data privacy and identity management of devices and individual is very important from the cloud computing point of view. The cloud generally allows for faster deployment of new compliance and monitoring tools that encourage agile policy and compliance frameworks. Cloud data hubs can be a good option by acting as focal points for data assembly and distribution. Tools that monitor activity and data access can actually make cloud systems more secure than standalone systems. Hybrid systems offer unique application governance features: Software can be centrally maintained in a distributed environment with data stored in-house to meet jurisdictional policies.
Web Link: https://www.omg.org/cloud/deliverables/CSCC-Cloud-Customer-Architecture-for-IoT.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 4
Recommendation: IoT support sites must implement regular monitoring and continual improvement of site security and server configurations to acceptably reduce the impact of vulnerabilities. Perform penetration tests at least semi-annually.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: OWASP Secure Coding Practices Quick Reference Guide
Recommendation Number / Section: Error Handling and Logging
Recommendation:
• Do not disclose sensitive information in error responses, including system details, session identifiers or account information
• Use error handlers that do not display debugging or stack trace information
• Implement generic error messages and use custom error pages
• The application should handle application errors and not rely on the server configuration
• Properly free allocated memory when error conditions occur
• Error handling logic associated with security controls should deny access by default
• All logging controls should be implemented on a trusted system (e.g., The server)
• Logging controls should support both success and failure of specified security events
• Ensure logs contain important log event data
• Ensure log entries that include un-trusted data will not execute as code in the intended log viewing interface or software
• Restrict access to logs to only authorized individuals
• Utilize a master routine for all logging operations
• Do not store sensitive information in logs, including unnecessary system details, session identifiers or passwords
• Ensure that a mechanism exists to conduct log analysis
• Log all input validation failures
• Log all authentication attempts, especially failures
• Log all access control failures
• Log all apparent tampering events, including unexpected changes to state data
• Log attempts to connect with invalid or expired session tokens
• Log all system exceptions
• Log all administrative functions, including changes to the security configuration settings
• Log all backend TLS connection failures
• Log cryptographic module failures
• Use a cryptographic hash function to validate log entry integrity
Web Link: https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
Organisation: Open Web Application Security Project (OWASP)
Standard / Recommendation Name: IoT Security Guidance
Recommendation Number / Section: I8: Insufficient Security Configurability
Recommendation: Ensure secure logging is available for security events
Web Link: https://www.owasp.org/index.php/IoT_Security_Guidance

Organisation: Symantec
Standard / Recommendation Name: An Internet of Things Security Reference Architecture
Recommendation: Of course, no matter how well you protect the device, protect the code, protect the communications, and no matter how well you manage your security posture, even using the best possible OTA management framework, some adversaries still have the resources and capabilities to rise above those defenses. For such reasons, strategic threats require strategic mitigation technologies. Security analytics can leverage security telemetry from devices and network hardware to help provide an understanding of what is happening in the environment, including detection of stealthier threats. Equally importantly, “monitoring” and analytics can often be deployed as an interim solution in environments where upgrading devices to conform to the first three cornerstones above will take years. Examples of such environments include legacy devices such as industrial control systems (manufacturing, oil and gas, utilities) that cannot be modified until an end-to-end replacement system is ready, automotive cars already on the road whose deeply embedded microcontrollers obviously cannot be “torn out and replaced,” and healthcare environments where suppliers prohibit hospitals from modifying the equipment to add security. In such cases, anomaly detection solutions can be extremely valuable. The deterministic nature of many IoT networks allows the system to be baselined and deviations quickly identified. The wide variety of industrial and IoT protocols can make the problem harder, but newer techniques using advanced machine learning can allow the problem to be solved. Considering that many IoT systems have high demands on availability, this solution is less invasive in “detect” mode while ensuring that any false positives do not bring down the system.
Web Link: https://www.symantec.com/content/dam/symantec/docs/white-papers/iot-security-reference-architecture-en.pdf
Organisation: US National Institute of Standards and Technology (NIST)
Standard / Recommendation Name: NIST SP.800-160 Systems Security Engineering
Recommendation Number / Section: F.2.4
Recommendation: Accountability and Traceability. The principle of accountability and traceability states that it must be possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. This principle requires a trustworthy infrastructure that can record details about actions that affect system security (e.g., an audit subsystem). To do this, the system must not only be able to uniquely identify the entity on whose behalf the action is being carried out, but also record the relevant sequence of actions that are carried out.
Web Link: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160.pdf
Code of Practice: 11 - Make it easy for customers to delete personal data


Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Workshop on Security and Privacy in the Hyper connected World
Recommendation Number / Section: Awareness & Information Supplied with Indication of Purpose
Recommendation: Technically regulating access to data to define who can use it for what purpose, and how that can be made transparent, and subsequently measured and monitored. Design in a transparent way, so the data subject is and remains clear and aware of privacy issues, choices it makes and possible consequences thereof.
Web Link: https://aioti-space.org/wp-content/uploads/2017/03/AIOTI-Workshop-on-Security-and-Privacy-in-the-Hyper-connected-World-Report-20160616_vFinal.pdf

Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation: System reset. Every device should include a way to reset it to its original manufactured clean state.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.10
Recommendation: Reset mechanism. Devices should have a reset mechanism for IoT devices that clears all configuration for use when a consumer returns or resells the device. The device manufacturers should also provide a mechanism to delete or reset any data that the respective device stores in the cloud.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.5.5.1
Recommendation: Due to the quantities involved with many IoT implementations, it is likely that many edge devices will be replaced on a regular basis. It is important to establish policies and procedures for the secure disposition of devices that have held sensitive information or key material that could provide access to sensitive information. Devices that have held sensitive information should be securely wiped to include removal of key material and certificates from each device.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf
Organisation: Cloud Security Alliance (CSA)
Standard / Recommendation Name: Security Guidance for Early Adopters of the Internet of Things (IoT)
Recommendation Number / Section: 5.5
Recommendation: Life cycle controls for IoT edge devices require the management and monitoring of assets to ensure that they are authorized, and secure and regularly updated with the latest firmware, software and patches. In addition, organizations must have a documented method for securely disposing of IoT assets at the end of the life-cycle. Define a life-cycle management approach for IoT devices.
Web Link: https://downloads.cloudsecurityalliance.org/whitepapers/Security_Guidance_for_Early_Adopters_of_the_Internet_of_Things.pdf

Organisation: European Union Agency for Network and Information Security (ENISA)
Standard / Recommendation Name: Security and Resilience of Smart Home Environments
Recommendation Number / Section: 7.3
Recommendation: The end-user must have a way to securely erase its private data collected by or stored on a Smart Home device.
Web Link: https://www.ENISA.europa.eu/publications/security-resilience-good-practices

Organisation: GSMA
Standard / Recommendation Name: GSMA IoT Security Assessment
Recommendation Number / Section: CLP11_6
Recommendation: Privacy Considerations
Web Link: https://www.gsma.com/iot/iot-security-assessment/

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_8.10
Recommendation: All Endpoint devices have a lifecycle, as discussed elsewhere in this document. Some devices must be decommissioned due to a user cancelling their subscription, while other devices must be decommissioned due to anomalous or adversarial behaviour. Regardless of the reason, the business must be prepared to decommission the device securely using their TCB and communications model.
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: IEEE
Standard / Recommendation Name: IoT Security Principles and Best Practices
Recommendation Number / Section: 4
Recommendation: We suggest manufacturers prepare a formal plan for users to sanitize and dispose of obsolete IoT devices. Industry practice in other fields prescribes a "discard, recycle or destroy" (DRD) policy with periodic review of the plan to determine which devices require disposal and how to dispose of them. Some manufacturers encourage users to dispose of products directly through the manufacturer. This may be sensible for laptops and servers, but for IoT devices that may be small and cheap, or that are part of a much larger device (like a refrigerator) special accommodations may be required.
Web Link: https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_feb2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.7
Recommendation: There is a method or methods for the product owner to check/verify what Personal Information is collected and deleted.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.10
Recommendation: The supplier or manufacturer of any devices or devices shall provide information about how the device(s) shall be setup to maintain the end user’s privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.11
Recommendation: The supplier or manufacturer of any devices and/or services shall provide information about how the device(s) removal and/or disposal shall be carried out to maintain the end user’s privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.12
Recommendation: The supplier or manufacturer of any devices or services shall provide clear information about the end user’s responsibilities to maintain the devices and/or services privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.16.1
Recommendation: Where a device or devices are capable of having their ownership transferred to a different owner, all the previous owners Personal Information shall be removed from the device(s) and registered services. This option must be available when a transfer of ownership occurs or when an end user wishes to delete their Personal Information from the service or device.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.16.2
Recommendation: Where a device or devices user wishes to end the service, all that owners Personal Information shall be removed from the device and related services.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf

Organisation: IoT Security Initiative
Standard / Recommendation Name: CyberSecurity Principles of IoT
Recommendation Number / Section: PRINCIPLE 17
Recommendation: A device storing personal or operationally sensitive information integrates data wipe capabilities into its design and architecture for standard use and decommissioning scenarios.
Web Link: https://www.iotsi.org/iot-cybersecurity-principles

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 24
Recommendation: Disclose if and how IoT device/product/service ownership and the data may be transferred (e.g., a connected home being sold to a new owner or sale of a fitness tracker).
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 26
Recommendation: Provide controls and/or documentation enabling the consumer to review and edit privacy preferences of the IoT device including the ability to reset to the “factory default.”
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf

Organisation: Online Trust Alliance (OTA)
Standard / Recommendation Name: IoT Security & Privacy Trust Framework v2.5
Recommendation Number / Section: 32
Recommendation: Provide the ability for the user or proxy to delete, or make anonymous, personal or sensitive data stored on company servers (other than purchase transaction history) upon discontinuing use, loss or sale of device.
Web Link: https://otalliance.org/system/files/files/initiative/documents/iot_trust_framework6-22.pdf
Code of Practice: 12 - Make installation and maintenance of IoT devices easy


Organisation: Alliance for Internet of Things Innovation (AIOTI)
Standard / Recommendation Name: Digitisation of Industry Policy Recommendations
Recommendation Number / Section: 3.32 (iii) first bullet point
Recommendation: Promote products and services which help deliver flexibility and openness in service provision.
Web Link: https://aioti.eu/wp-content/uploads/2017/03/AIOTI-Digitisation-of-Ind-policy-doc-Nov-2016.pdf
Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation: Device support. Device makers should provide online access to operators’ manuals, access to updates, and updated instructions. Support information should include a clear explanation of the product’s support lifecycle.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation: Contact information and support forum. Vendors should provide contact details or a support forum to which organizations can report any problems with the device or its software.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: AT&T
Standard / Recommendation Name: The CEO’s Guide to Securing the Internet of Things
Recommendation: Basic support label. Each device should carry a label that helps the authorized operator identify it and find support information.
Web Link: https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf

Organisation: Atlantic Council Scowcroft Center for Strategy and Security
Standard / Recommendation Name: Smart Homes and the Internet of Things
Recommendation: Give owners clear guidance on why and how to configure devices to their own particular preferences, and ensure that defaults are reasonably safe and secure.
Web Link: http://www.atlanticcouncil.org/images/publications/Smart_Homes_0317_web.pdf

Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.10
Recommendation: Clear methods for consumers to determine who they can contact for support. Manufacturers should provide clear methods for consumers to determine who they can contact for support and methods to contact consumers to disseminate information about software vulnerabilities or other issues.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf
Organisation: Broadband Internet Technical Advisory Group (BITAG)
Standard / Recommendation Name: Internet of Things (IoT) Security and Privacy Recommendations
Recommendation Number / Section: 7.1
Recommendation: IoT Device Configurations Should Be Tested and Hardened. Some IoT devices allow a user to customize the behavior of the device. BITAG recommends that manufacturers test the security of each device with a range of possible configurations, as opposed to simply the default configuration. A device’s interface should prevent—or at least actively discourage—users from configuring the device in a way that makes it less secure.
Web Link: http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf

Organisation: GSMA
Standard / Recommendation Name: IoT Security Guidelines Endpoint Ecosystem
Recommendation Number / Section: CLP13_6.8
Recommendation: Uniquely Provision Each Endpoint
Web Link: https://www.gsma.com/iot/wp-content/uploads/2017/10/CLP.13-v2.0.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 7.9
Recommendation: FROM FUNCTIONAL TO IMPLEMENTATION VIEWPOINT. Principle of psychological acceptability: it is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: Industrial Internet Consortium (IIC)
Standard / Recommendation Name: Industrial Internet of Things Volume G4: Security Framework v1.0
Recommendation Number / Section: 11.7.1
Recommendation: ENROLLMENT PHASE. There are three steps to the enrollment phase: initiation, entity verification and registration. Initiation declares the desire to bring the entity under management and give it identity and credentials. Verification involves proving that the entity is the one for which the identity is to be created and issued. Registration (see Figure 11-6) means the entity is ready to have credentials created and delivered, or to have the entity generate the credentials itself. Always validate that the identity that was registered was the one bound to the credential that was generated for the entity.
Web Link: https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

Organisation: IoT Security Foundation
Standard / Recommendation Name: IoT Security Compliance Framework 1.1
Recommendation Number / Section: 2.4.12.12
Recommendation: The supplier or manufacturer of any devices or services shall provide clear information about the end user’s responsibilities to maintain the devices and/or services privacy and security.
Web Link: https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf
Department for Digital, Culture, Media and Sport 219
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link

Security Usability: Devices and services should be designed with


security usability in mind, reducing where possible, security friction https://www.iotsecurityfoundation.org/
IoT Security and decision points that may have a detrimental impact on security. wp-content/uploads/2017/12/IoT-
IoT Security Compliance Best practices on usable security should be followed, particularly for Security-Compliance-
Foundation Framework 1.1 2.4.12.13 user interaction and user interfaces. Framework_WG1_2017.pdf

IoT Security & IoT devices must provide notice and/or request user confirmation https://otalliance.org/system/files/files/i
Online Trust Privacy Trust when initially pairing, onboarding, and/or connecting with other nitiative/documents/iot_trust_framewor
Alliance (OTA) Framework v2.5 23 devices, platforms or services. k6-22.pdf

IoT Security & Provide controls and/or documentation enabling the consumer to https://otalliance.org/system/files/files/i
Online Trust Privacy Trust review and edit privacy preferences of the IoT device including the nitiative/documents/iot_trust_framewor
Alliance (OTA) Framework v2.5 26 ability to reset to the “factory default.” k6-22.pdf
Open Web
Application
Security I8: Insufficient
Project IoT Security Security Ensure alerts and notifications are available to the user for security https://www.owasp.org/index.php/IoT_
(OWASP) Guidance Configurability events Security_Guidance

Build in controls to allow manufacturers, service providers, and


consumers to disable network connections or specific ports when
U.S. Strategic Principles needed or desired to enable selective connectivity. Depending on https://www.dhs.gov/sites/default/files/
Department of for Securing The the purpose of the IoT device, providing the consumers with publications/Strategic_Principles_for_
Homeland Internet of Things guidance and control over the end implementation can be a sound Securing_the_Internet_of_Things-
Security (IoT) practice. 2016-1115-FINAL....pdf
Department for Digital, Culture, Media and Sport 220
Mapping of IoT security recommendations, guidance and standards to the UK's Code of Practice for Consumer IoT Security

Standard /
Recommendation Recommendation
Organisation Name Number / Section Recommendation Extracted from Linked Source Web Link
Human Factored Security. The principle of human factored security
states that the user interface for security functions and supporting
services should be intuitive, user friendly, and provide appropriate
feedback for user actions that affect such policy and its enforcement.
US National The mechanisms that enforce security policy should not be intrusive
Institute of to the user and should be designed not to degrade user efficiency.
Standards and NIST SP.800-160 They should also provide the user with meaningful, clear, and
Technology Systems Security relevant feedback and warnings when insecure choices are being https://nvlpubs.nist.gov/nistpubs/Speci
(NIST) Engineering F.2.9 made. alPublications/NIST.SP.800-160.pdf

Code of Practice: 13 - Validate input data

| Organisation | Standard / Recommendation Name | Recommendation Number / Section | Recommendation Extracted from Linked Source | Web Link |
|---|---|---|---|---|
| European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-54 | Data input validation (ensuring that data is safe prior to use) and output filtering. Security is a concern for decision triggers (malware or general defects). Other possibilities here might be indirect manipulation of input values to the trigger by tampering with or restricting the input values. Reliability is a concern for decision triggers (general defects). Decision triggers could be inconsistent, self-contradictory, and incomplete. Understanding how bad data propagates to affect decision triggers is paramount. Failure to execute decision triggers at time may have undesired consequences | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot |
| European Union Agency for Network and Information Security (ENISA) | Baseline Security Recommendations for IoT | GP-TM-42 | Do not trust data received and always verify any interconnections. Discover, identify and verify/authenticate the devices connected to the network before trust can be established, and preserve their integrity for trustable solutions and services. For example, a device measures its own integrity as part of boot, but does not validate those measurements - when the device applies to join a network, part of joining involves sending an integrity report for remote validation. If validation fails, the end point is diverted to a remediation network for action. | https://www.ENISA.europa.eu/publications/baseline-security-recommendations-for-iot |
| GSMA | IoT Security Assessment | CLP12_6.9 | Implement Input Validation | https://www.gsma.com/iot/iot-security-assessment/ |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.10.1 | Where the product or service provides a web based interface, Strong Authentication is used | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.10.10 | All data being transferred over interfaces should be validated where appropriate. This could include checking the Data Type, Length, Format, Range, Authenticity, Origin and Frequency. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.10.11 | Sanitise input in Web applications by using URL encoding or HTML encoding to wrap data and treat it as literal text rather than executable script | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.10.12 | All inputs and outputs are validated using for example a whitelist containing authorised origins of data and valid attributes of such data. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.11.7 | All data being transferred over interfaces should be validated where appropriate. This could include checking the Data Type, Length, Format, Range, Authenticity, Origin and Frequency. | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Foundation | IoT Security Compliance Framework 1.1 | 2.4.11.9 | All application inputs and outputs are validated using for example a whitelist containing authorised origins of data and valid attributes of such data see NIST SP 800-167 [34] | https://www.iotsecurityfoundation.org/wp-content/uploads/2017/12/IoT-Security-Compliance-Framework_WG1_2017.pdf |
| IoT Security Initiative | Security Design Best Practices | | Do not trust data input – sanitize to what is needed and expected for the function on intake. | https://www.iotsi.org/security-best-practices |
| oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.20 | Implement secure coding practices that enforce rigorous input data validation in system and services, database applications, and web services | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf |
| oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.21 | Preventing injection requires keeping un-trusted data separate from commands and queries. If a parameterized API is not available, escaping special characters using the specific escape syntax for that interpreter should be done. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf |
| oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.22 | Put in place encryption and/or strong session management security controls. Implement secure coding practices that enforce rigorous input data validation in system and services, database applications, and web services. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf |
| oneM2M | TR-0008-V2.0.1 Security (Technical Report) | 8.2.26 | Positive or "whitelist" input validation helps to protect against cross scripting. Such validation should decode any encoded input, and then validate the length, characters, and format on that data before accepting the input. | http://www.onem2m.org/images/files/deliverables/Release2A/TR-0008-Security-v_2_0_1.pdf |
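The oneM2M recommendation 8.2.21 above (keep untrusted data separate from commands and queries; fall back to the interpreter's own escape syntax only when no parameterized API exists) can be shown concretely. The Python below is an added example, not code from oneM2M or from any source listed on this page. It uses an in-memory SQLite table of registered devices whose name, columns and rows are constructed for illustration, and it places the concatenated query (the defect) beside the bound-parameter form and the escaped fallback so the difference in behaviour is visible on the same inputs.

```python
"""Keeping untrusted data separate from SQL commands (oneM2M TR-0008 8.2.21).

Added example, not taken from oneM2M or any source on this page. The
in-memory SQLite table, its columns and its rows are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table of registered devices and their owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("thermostat-1", "alice"), ("camera-2", "bob"), ("lock-3", "o'brien")],
    )
    return conn


def devices_by_owner_vulnerable(conn, owner: str) -> list:
    """Defect (the 'before' form): the untrusted value is pasted into the
    command text, so it can change the query's meaning or simply break it."""
    sql = "SELECT name FROM devices WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def devices_by_owner_bound(conn, owner: str) -> list:
    """Hardened: the command text is fixed and the value is passed as a bound
    parameter, so the interpreter only ever treats it as data."""
    sql = "SELECT name FROM devices WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


def sqlite_string_literal(value: str) -> str:
    """Fallback when no parameterized API exists: escape with the interpreter's
    own syntax (SQLite doubles single quotes inside a quoted literal)."""
    return "'" + value.replace("'", "''") + "'"


def devices_by_owner_escaped(conn, owner: str) -> list:
    """Hardened by escaping: weaker than binding, but the value stays a literal."""
    sql = ("SELECT name FROM devices WHERE owner = "
           + sqlite_string_literal(owner) + " ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def demo() -> dict:
    """Exercise the three forms with a legitimate owner name that contains an
    apostrophe and with a constructed value that closes the quoted literal."""
    conn = make_db()
    results = {}
    tautology = "x' OR '1'='1"  # constructed input that breaks out of the literal
    results["vulnerable_tautology"] = devices_by_owner_vulnerable(conn, tautology)
    results["bound_tautology"] = devices_by_owner_bound(conn, tautology)
    results["escaped_tautology"] = devices_by_owner_escaped(conn, tautology)
    try:
        results["vulnerable_apostrophe"] = devices_by_owner_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        # The legitimate name breaks the concatenated query outright.
        results["vulnerable_apostrophe"] = "OperationalError"
    results["bound_apostrophe"] = devices_by_owner_bound(conn, "o'brien")
    results["escaped_apostrophe"] = devices_by_owner_escaped(conn, "o'brien")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```

The concatenated form returns every device for the tautology input and raises a syntax error on a legitimate owner name containing an apostrophe; both the bound and the escaped forms return no rows for the tautology and the single correct row for "o'brien". Binding is preferred because the escaping rules differ per interpreter and are easy to get wrong.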

| Organisation | Standard / Recommendation Name | Recommendation Number / Section | Recommendation Extracted from Linked Source | Web Link |
|---|---|---|---|---|
| Open Web Application Security Project (OWASP) | OWASP Secure Coding Practices Quick Reference Guide | Input validation | Input validation checklist (reproduced in full below this table) | https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf |
| Open Web Application Security Project (OWASP) | IoT Security Guidance | I1: Insecure Web Interface | Ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities | https://www.owasp.org/index.php/IoT_Security_Guidance |
| Open Web Application Security Project (OWASP) | IoT Security Guidance | I6: Insecure Cloud Interface | Ensure that any cloud-based web interface has been tested for XSS, SQLi and CSRF vulnerabilities | https://www.owasp.org/index.php/IoT_Security_Guidance |

OWASP Secure Coding Practices Quick Reference Guide, Input validation:

Conduct all data validation on a trusted system (e.g., The server)
Identify all data sources and classify them into trusted and untrusted. Validate all data from untrusted sources (e.g., Databases, file streams, etc.)
There should be a centralized input validation routine for the application
Specify proper character sets, such as UTF-8, for all sources of input
Encode data to a common character set before validating (Canonicalize)
All validation failures should result in input rejection
Determine if the system supports UTF-8 extended character sets and if so, validate after UTF-8 decoding is completed
Validate all client provided data before processing, including all parameters, URLs and HTTP header content (e.g. Cookie names and values). Be sure to include automated post backs from JavaScript, Flash or other embedded code
Verify that header values in both requests and responses contain only ASCII characters
Validate data from redirects (An attacker may submit malicious content directly to the target of the redirect, thus circumventing application logic and any validation performed before the redirect)
Validate for expected data types
Validate data range
Validate data length
Validate all input against a "white" list of allowed characters, whenever possible
If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs and accounting for the utilization of that data throughout the application. Examples of common hazardous characters include: < > " ' % ( ) & + \ \' \"
If your standard validation routine cannot address the following inputs, then they should be checked discretely
Check for null bytes (%00)
Check for new line characters (%0d, %0a, \r, \n)
Check for "dot-dot-slash" (../ or ..\) path alterations characters. In cases where UTF-8 extended character set encoding is supported, address alternate representation like: %c0%ae%c0%ae/
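The OWASP SCP checklist above, IoTSF 2.4.10.10 (check Data Type, Length, Format, Range) and oneM2M 8.2.26 (decode any encoded input, then validate length, characters and format) describe one validation pipeline for a device's web interface. The Python below is an added example, not code from OWASP, IoTSF, oneM2M or this document; the FieldSpec structure, the field definitions and the sample inputs are constructed for illustration. It percent-decodes the input once, decodes it strictly as UTF-8 (which rejects the overlong %c0%ae representation the checklist mentions), refuses input that is still encoded after that step, and then applies the null-byte, line-break, dot-dot-slash, length, type, range and whitelist checks, rejecting on any failure rather than attempting to clean the value.

```python
"""Input validation per the OWASP SCP checklist, IoTSF 2.4.10.10 and oneM2M 8.2.26.

Added example, not code from OWASP, IoTSF, oneM2M or this document. It models a
device web interface receiving URL-encoded form fields; FieldSpec, the field
definitions and the sample inputs are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union
from urllib.parse import unquote, unquote_to_bytes


@dataclass(frozen=True)
class FieldSpec:
    """Whitelist description of one expected input (assumed structure)."""
    kind: str                         # "int" or "str"
    max_len: int = 64
    allowed: str = r"[A-Za-z0-9_.-]"  # regex class of allowed characters
    min_val: Optional[int] = None     # inclusive range bounds for ints
    max_val: Optional[int] = None


Result = Tuple[bool, str, Optional[Union[int, str]]]


def canonicalize(raw: str) -> Tuple[Optional[str], str]:
    """Decode once to bytes, then strictly as UTF-8, and refuse input that is
    still encoded afterwards. Strict UTF-8 decoding rejects overlong forms such
    as %c0%ae (an alternate encoding of '.'), so they never reach later checks."""
    try:
        value = unquote_to_bytes(raw).decode("utf-8")  # strict: overlongs fail
    except UnicodeDecodeError:
        return None, "invalid UTF-8 after percent-decoding"
    if unquote(value) != value:
        return None, "not canonical (double-encoded input)"
    return value, ""


def validate_field(raw: str, spec: FieldSpec) -> Result:
    """Returns (accepted, reason, typed value). Any failure rejects the input;
    nothing is 'cleaned up' and passed through."""
    value, reason = canonicalize(raw)
    if value is None:
        return False, reason, None
    if "\x00" in value:
        return False, "null byte", None
    if "\r" in value or "\n" in value:
        return False, "line break characters", None
    if "../" in value or "..\\" in value:
        return False, "dot-dot-slash path alteration", None
    if len(value) > spec.max_len:
        return False, "exceeds maximum length", None
    if spec.kind == "int":
        if not re.fullmatch(r"-?[0-9]{1,18}", value):
            return False, "not an integer", None
        number = int(value)
        if spec.min_val is not None and number < spec.min_val:
            return False, "below minimum", None
        if spec.max_val is not None and number > spec.max_val:
            return False, "above maximum", None
        return True, "", number
    if not re.fullmatch(spec.allowed + "*", value):
        return False, "character outside whitelist", None
    return True, "", value


def header_value_is_ascii(value: str) -> bool:
    """OWASP SCP: request and response header values must be plain ASCII."""
    return all(32 <= ord(ch) < 127 for ch in value)


def demo() -> dict:
    """Run constructed sample inputs through the validator."""
    name = FieldSpec(kind="str", max_len=16)          # e.g. a device label
    level = FieldSpec(kind="int", min_val=0, max_val=100)  # e.g. a percentage
    samples = {
        "plain": ("sensor-01", name),
        "encoded_ok": ("sensor%2D01", name),
        "traversal": ("%2e%2e%2fetc", name),
        "overlong": ("%c0%ae%c0%ae/", name),
        "null_byte": ("sensor%00", name),
        "crlf": ("a%0d%0ab", name),
        "double_encoded": ("%252e%252e", name),
        "too_long": ("a" * 17, name),
        "bad_char": ("sensor;01", name),
        "int_ok": ("42", level),
        "int_range": ("9999", level),
        "int_type": ("4a", level),
    }
    return {k: validate_field(raw, spec) for k, (raw, spec) in samples.items()}


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} {outcome}")
```

Only "plain", "encoded_ok" and "int_ok" are accepted; every other constructed input is rejected with the reason named in the checklist. The order matters: canonicalization runs first so that the dot-dot-slash and whitelist checks see the same bytes the application would, and the whitelist check runs last so that a rejected input carries the most specific reason available for logging.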

Disclaimer and copyright


The information in this document is for general guidance and is not to be relied upon as professional advice.

DCMS has used reasonable endeavours to ensure that the information in this document is accurate and up to date. DCMS shall not accept liability
for any loss, damage or inconvenience arising as a consequence of any use of or the inability to use any links contained in this document. DCMS
shall not be responsible for claims brought by third parties arising from your use of this document.

DCMS assumes no responsibility for the contents of linked websites. The inclusion of any link should not be taken as endorsement of any kind by
DCMS of the linked website or any association with its operators. Further, DCMS has no control over the availability of the linked pages.
References to organisations do not imply endorsement by DCMS.

Material in this document, including text and images, is protected by Crown copyright and other copyright. The copyright of the original material
quoted in the mapping remains that of the original authors. Use of Crown copyright materials is subject to the Open Government Licence for public
sector information. To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence/ or write to the Information Policy Team,
The National Archives, Kew, London TW9 4DU, or email: [email protected].
