Handbok Cybersakerhet Eng Tillganglighet Sida

The Handbook for Development of Cybersecure IoT Products provides guidance for stakeholders involved in the entire life-cycle of IoT products, emphasizing the importance of cybersecurity in design, development, and maintenance. It addresses the complexities of various value chains and the need for collaboration among different actors to ensure the reliability and security of IoT products. The handbook is a resource for managers and tech professionals, aiming to enhance knowledge and practices related to cybersecure IoT development.

Uploaded by David Nilsson

Handbook for Development of Cybersecure IoT Products


Revision management
This is the first version of the handbook (published 2023) and it will be updated on a regular basis.

Steering group
Magnus Svensson / Thorbjörn Ebefors, Smarter Electronic Systems
Maria Månsson, Smarter Electronic Systems
Olle Bergdahl, IoT Sweden

Process leader and main author
John Lindström, Smarter Electronic Systems

Participating companies and organizations
AFRY
Atlas Copco industrial technique AB
Eskilstuna Elektronikpartner AB
IoT Sweden
Luleå tekniska universitet (LTU)
Nexus AB
Prevas AB
RISE
Swedish Civil Contingencies Agency
SSF Stöldskyddsföreningen
Strainlabs AB
T2Data AB
Uppsala universitet
Weop AB
Xertified AB

Copyright and other rights
This handbook may, in its complete form, be used and distributed without charge. If figures, photos or parts of the texts are used in other contexts, the following reference shall be used: Handbook for Development of Cybersecure IoT Products, published by Smarter Electronic Systems and Internet of Things Sweden (2023).

Disclaimer
This handbook is authored based on the working group’s collective knowledge and experience gained from many years within the business. Although the working group has iteratively scrutinized the handbook’s contents, the working group cannot guarantee that there are no errors. The expectation is that the contents of the handbook will be useful; however, the working group does not take any responsibility for errors or damage which may arise within the areas or other content that this handbook addresses.

Editing: Maria Bergenheim, IoT Sweden
Design: Oh My
ISBN: 978-91-985741-5-9
Foreword
Smarter Electronic Systems is a strategic innovation program within the frame of Vinnova’s, Formas’ and The Swedish Energy Agency’s joint venture regarding strategic innovation areas. The program’s objective is to support Swedish industry concerning world class sustainable development and competitiveness. During the crafting of the program agenda, three main challenges were highlighted as the most important in order to achieve the requirements of the future. These three were: leading edge competencies, supply and management of competencies, and efficient value-chains. For each challenge, a council was appointed. In the scope for the council regarding efficient value-chains, the work on handbooks was initiated. The first handbook, “Smartare Elektronikhandboken”, was first published in 2018 and has been widely circulated. The handbooks are maintained by the Swedish Electronics Trade association. This publication, Handbook for Development of Cybersecure IoT Products, has been written in cooperation between Smarter Electronic Systems and Internet of Things Sweden (IoT Sweden).

The different value-chains involved in the development of IoT Products are complex. There are many actors involved and they contribute in various ways to cybersecure IoT Products put into the market. Synergy between object owners, users, and customers is important. In addition, close cooperation within development, manufacturing, test, maintenance/service and support is also required. This is necessary to deliver innovative, competitive, reliable and cybersecure IoT Products. Thus, reliability, cybersecurity, producibility and maintainability must be designed into the IoT product. In particular, the interface between object owners and users at customers, development, research, manufacturing and maintenance/service has been acknowledged as decisive for how successful the IoT product will become over its whole life-cycle. Efficient collaboration and cooperation result in lower manufacturing and maintenance costs over the life-cycle, faster time-to-market, and higher quality and cybersecurity levels.

The Handbook for Development of Cybersecure IoT Products has been crafted by a working group of representatives from companies and organizations providing contributions over a broad range of knowledge and experience. It targets managers involved in product design, development, maintenance, and other areas having an influence on product specifications. The handbook, in combination with the “Smartare Elektronikhandboken 2.0” (The Smarter Electronic Handbook 2.0), enables effective knowledge transfer between participants cooperating to develop IoT Products which are cybersecure over their entire life-cycle.

This is the first version of the handbook and we are happy to receive any ideas for improvements and extensions for the next version.

We hope that you will find the handbook usable in your daily work. It is authored by techies for techies, but we believe that non-techies will also find parts worth reading, as business and legal aspects of IoT product development are included as well.

Please feel free to distribute the handbook among your suppliers and customers!

The handbook is downloadable from: www.smartareelektroniksystem.se and www.svenskelektronik.se

With Best Regards,
The working group behind the Handbook for Development of Cybersecure IoT Products
Summary
The Handbook for Development of Cybersecure IoT Products aims to support both primary and secondary stakeholders, as the handbook spans the whole life-cycle and thus naturally involves the stakeholders and actors involved in, or part of, the value-chain from start to finish. To consider the whole life-cycle demands that requirement gathering/engineering and the design have a wide and deep set of knowledge about how users at customers will use the IoT product, as well as about technology from the sensor level to cloud services. Cybersecurity, as well as additional holistic requirements, is a necessary part of the product specification and must be included in the functional requirements posed by product managers and users. In addition, it is necessary to understand how data and information generated within and around an IoT product can be used to create value through functions and services. It is also likely that such IoT products will need to be monitored, maintained, and optimized in an efficient and cybersecure manner.

This requires that extraction of data and information from the IoT product is enabled, and that updating, upgrading, re-configuring and optimizing can be made both locally and remotely. To do this, deep knowledge about the contexts where the IoT products are to be used needs to be combined with an understanding of how cybersecurity and IT and OT infrastructures allow data to be sent out and in, as well as how potential remote connections can be made from the outside. Thus, the management of suppliers and other stakeholders in an IoT product’s value-chain may need to find out and clear any obstacles to facilitate the above, so that the IoT product can create and deliver good value for all involved.

If IoT products create cybersecurity problems, or risks in the contexts where they are used, they will probably not be used for long regardless of how good they are. Further, if it also is not possible to raise a protection around them (as well as the IPR and data/information generated and stored), the expected life-cycle will be shorter. Simultaneously, to require that protection is raised around them, due to non-adequate inherent protection and cybersecurity, will result in higher cost and complexity for users. To raise an extra protection around them will likely also increase the complexity of sending and receiving data and of how remote connections can be made. Thus, there are a lot of things and requirements to consider, and an understanding of the whole life-cycle together with the object owner’s IT and OT environments is also necessary. To note is that there is a large difference between IoT products aimed for domestic (home) use compared to use in professional contexts and critical infrastructures. IoT products aimed for domestic use, which often are cheaper than those for use in professional contexts or critical infrastructures, still need to have an adequate level of cybersecurity to not cause unnecessary risks. An additional difference is that in domestic contexts the expected knowledge level is lower in terms of being able to accomplish cybersecure installations and configurations.

The handbook encompasses the processes related to the development of the IoT product, focusing on hardware and embedded software. What is not addressed is the need for cybersecurity-related structures and processes at manufacturers and other stakeholders or actors within the value-chain who help to manage the IoT product throughout its life-cycle. This will involve aspects of support, service and maintenance, backup and restoring of data stored centrally, incident response planning, disaster recovery planning, and business continuity management if IoT products comprise server or cloud parts which may affect the operations, availability or stored data and information. The more critical the applications and high-availability requirements posed by object owners and customers, the more robust and resilient these structures and processes must be to withstand cyberattacks and operational problems.
PRODUCTION OF SILICON WAFER. PHOTO: ADOBE STOCK.
Contents
1. Introduction ... 8
  1.1 Stakeholders ... 13
  1.1.1 Primary stakeholders ... 13
  1.1.2 Secondary stakeholders ... 18
  1.2 To certify an IoT product… or not to certify it ... 21
  1.3 Regulatory frameworks and legal requirements ... 23
2. Threats towards IoT products, risks and principles ... 24
  2.1 What assets do we want and need to protect? ... 27
  2.2 Weaknesses and vulnerabilities ... 28
  2.3 Common threats ... 30
  2.4 Risk analysis and risk mitigation ... 33
  2.5 Principles for cybersecure design of IoT products ... 34
3. Prior to starting up a new project ... 36
  3.1 Early stage ... 36
  3.2 Requirement analysis ... 37
  3.2.1 Industry standards and standards which can be usable and provide guidance to cybersecurity requirements ... 39
  3.2.2 Practical functional and environmental requirements related to cybersecurity ... 40
  3.2.3 General cybersecurity requirement for IoT products ... 44
  3.3 Management responsibility ... 47
  3.4 Cybersecure development environment and development process ... 48
  3.5 Requirements on documentation ... 51
  3.6 Test requirements ... 52
  3.7 Maintainability over time ... 53
  3.8 Quality-level and what affects the level? ... 54
  3.9 Requirements from industrialization ... 54
4. Suppliers’ process to pick up all requirements, achieve an adequate requirement specification and finally to verify all the requirements ... 56
5. Cybersecure development ... 58
6. Post development ... 62
7. Monitoring of the IoT product throughout its life-cycle ... 66
8. At the end (or a new start) of the life-cycle ... 72
9. Use cases ... 74
  9.1 Use cases with concrete examples ... 74
  9.1.1 Use case – domestic ... 74
  9.1.2 Use case – industrial organizations or companies with production and distribution processes ... 77
  9.1.3 Use case – maritime industries ... 81
  9.1.4 Use case – municipalities ... 83
  9.1.5 Use case – critical infrastructures ... 85
10. Suggested readings ... 88

Handbook for Development of Cybersecure IoT Products

1. Introduction
The idea for this handbook started as the publication “Smartare Elektronikhandboken 2.0” was crafted, while the surrounding world experienced an increased threat against IoT products. The two handbooks shall be seen as complementary, and thus it is a good idea to read them both prior to starting up new development projects concerning IoT products. IoT is an abbreviation for Internet of Things, and we will use the abbreviation IoT throughout this handbook.

The following definition of “IoT product” will be used in the handbook: in general, as IoT products we refer to intelligent and connected units that communicate and transmit data over the Internet. These units are equipped with processors, sensors and software in a way that they can perceive their surroundings, communicate with them, and thus create a behavior adapted to various situations in order to be able to contribute to and create attractive and helpful surroundings/environments, products and services¹.

Regarding the need for this handbook, we need increasingly cybersecure IoT products due to expanding malicious activity among hobby hackers, professional hackers as well as state-supported intelligence organizations whose purpose is to steal information, make money or disrupt operations/processes, for instance at critical infrastructures, municipalities or counties, within target countries. This fact can no longer be dismissed, and we must all adapt ourselves and our IoT products to these circumstances. Below are some scenarios for different contexts where IoT products may be used and what the consequences can be unless the IoT products are cybersecured:

Domestic (homes) – a cyberattack can cause for instance connected fridges, stoves, heating systems, TVs and home computers to stop working or get locked. In tenant buildings, common systems such as building automation (control systems for water/sewage, heating, electricity, ventilation, locks, etc.) can be affected and in the worst case stop functioning. Further, cars and garden equipment are nowadays also often connected and need to be cybersecure in order to not cause physical damage or fires due to malicious overloading of components or systems.

At work in office spaces – besides office computers, various IT systems and networks becoming non-functioning, elevators, lock/alarm systems and building automation control can also become affected partly or fully. Conference room equipment can be tampered with and conversations recorded or tapped using the microphones in computers, mobile phones or conference equipment.

At work in production/distribution environments – the IT environment (used by offices and administrative processes) is often connected to the OT² environment (used by production and distribution processes), and these often collaborate in a manner where what should be done is decided and administrated in the IT environment and subsequently sent to the OT environment, where the ordered production/distribution is executed. An OT environment, which commonly comprises a lot of IoT products, may, like an IT environment, be affected by different types of cyberattacks affecting the operation’s availability and integrity or the quality of output, or completely stopping/disrupting the operations. Unfortunately, the OT environment can be negatively affected in case the IT environment is under cyberattack, as no new order data is transmitted and no feedback of production/distribution data is received back. Thus, the production can in the worst case be stopped when the buffered order data has been executed/produced and there is no new data to

¹ http://www.swedishembeddedaward.se/register-to-compete/definition-of-iot/#:~:text=IoT%2C%20the%20Internet%20of%20Things%2C%20is%20a%20collective,that%20communicate%20and%20deliver%20data%20across%20the%20Internet
² OT – Operational Technology – to compare with IT – Information Technology


continue with. There are examples of cyberattacks seriously affecting, destroying, or wiping all data within production equipment. Further, some production/distribution environments can get serious problems in case of longer unplanned stops due to material becoming stuck or stale inside piping or other equipment, which then needs to be fixed or replaced. Examples of such material are pre-stages of pulp and paper, plastics or food. In addition, there are environments similar to OT environments within health care, but there they are not referred to as OT but as MT³. Further on in this handbook, we will use the term OT for all such environments, as the main principles are the same for all of them.

Critical infrastructures⁴ (production/distribution of energy, water production/wastewater management, telecommunications, roads/railways/bridges/ports/airports, food production/distribution, etc.) – in a similar way to the above production/distribution environments, it is necessary to have collaboration between IT and OT environments. The difference here is that a stop in these OT environments can rapidly affect large parts of society. However, most of these OT environments should be designed to be able to continue to operate, although there is no functioning IT environment present, by using reserve routines (and historic data). For instance, if energy production/distribution is disrupted for more than 2-3 days, this will have a large impact as

FIGURE 1 – INCREASING GAP BETWEEN SWIFTLY INCREASING DIGITALIZATION, COMBINED WITH INCREASED USE OF IOT PRODUCTS, AND THE DEVELOPMENT OF RELATED CYBERSECURITY WITHIN SWEDEN.

³ MT – Medical Technology
⁴ The Swedish Civil Contingencies Agency defines processes of importance for society where critical infrastructures are used according to: https://www.msb.se/sv/amnesomraden/krisberedskap--civilt-forsvar/samhallsviktig-verksamhet/vad-ar-samhallsviktig-verksamhet/


the lack of electricity and electronic communications will affect almost everything in the long run. Further, some of these OT environments are very sensitive and thus not connected to the IT environment (or the Internet), and use their own networks or public ones with high-grade security measures employed.

Unfortunately, there is an increasing need to cybersecure IoT products to keep everything functioning over time within domestic, professional and critical-infrastructure scenarios and contexts. Figure 1 outlines that the increasing pace of digitalization, combined with increased use of IoT products, outruns the development of related cybersecurity. Thus, the gap continues to grow. However, the handbook will bring up a number of positive factors which can close the gap over time.

For many years, Smarter Electronic Systems has, together with a number of actors, created and issued advice to the electronics industry regarding how electronics can be developed and manufactured by multiple actors working together in value-chains. The latest piece of advice is available as the Smartare Elektronikhandboken 2.0, which focuses on the interface between development and manufacturing in order to reach efficient collaboration within the value-chain. The objective is better products with a higher quality level, lower manufacturing costs and faster time-to-market. Currently, we see a need to expand the advice with a Handbook for Development of Cybersecure IoT Products, as IoT products are an important part of the digitalization of our society and economy, where both things and people are connected and can communicate and report about their status and surrounding context¹. Through this handbook, which complements the contents of the Smartare Elektronikhandboken 2.0, the whole IoT industry will be able to improve the level of cybersecurity in its products already from the very start. Further, it shall be possible to continuously improve and augment the cybersecurity level throughout the whole life-cycle. This requires a good and well-considered initial design and planning for the further development and maintenance process, so that updates, upgrades, and improvements can be issued and deployed over time. As the cybersecurity level is improved, the quality of IoT products will also improve due to new requirements and increased testing.

The primary stakeholders for the handbook, which are further described in section 1.1, are:
• Designers and developers (hardware and software), project leaders, testers, documenters and consultants
• Buyers
• Product owners
• Product managers
• Object owners

The secondary stakeholders for the handbook are:
• Manufacturers
• Installers
• Crews doing maintenance, service and support as well as services for optimizations
• Recyclers
• Authorities – who themselves are users and potentially also have a regulatory review/inspection responsibility

Collaboration and communication between groups of stakeholders are essential for IoT products to be developed as well as cybersecure. All participants involved need to understand that, in addition to cybersecurity concerns, if any requirements that affect the management of IoT product life-cycles are missing or deficient, the long-term effects will be: higher costs, hard problems related to cybersecurity, and unnecessary friction between object owners at customers and suppliers. As it is in the interest of all involved stakeholder groups that this should not be the case, they all need to collaborate regarding the set of requirements to enable a rational life-cycle


MANUFACTURING OF ELECTRONIC EQUIPMENT. PHOTO: ADOBE STOCK.

SOFTWARE PROGRAMMING. PHOTO: ADOBE STOCK.

management for each involved stakeholder and any additional parties involved as well. Some of the stakeholders need to understand which laws and regulations apply, as well as which industry standards and best practices are suitable (or required) to use. The groups of secondary stakeholders need to be involved rather early as well. These need to be informed and trained in order to be able, during their part of the life-cycle, to manage IoT products adequately and ensure that their cybersecurity level is correctly commissioned and configured. A simple way to keep collaboration and communication alive is to document all that is of importance (and share it).

The focus and scope for the handbook will be:
• The handbook will address the whole life-cycle of IoT products and cybersecurity requirements for development of a new IoT product, to enable the life-cycle to be long with high availability.
• To provide advice/check lists/standards/methods/best practices which can be used by hardware and software designers and developers (as well as their managers) who are not experts on cybersecurity. The emphasis will be on the T in the IoT products.
• The scope will extend to a moderate level of practical and structural advice concerning cybersecurity for development of IoT products. The advice shall be easy to read and digest.
• IoT products vary regarding extent and other limits, from locally connected with limited local functionality to globally connected, transmitting data to cloud services where the data is used for optimization of the IoT product’s function as well as the process it is part of. The handbook will address this, as well as how continuous maintenance of hardware, local software, and configurations/settings can be made in a rational and cybersecure manner.

Chapter 10 comprises explanations of technical terms and abbreviations used concerning IoT products.


1.1 Stakeholders
There are many stakeholders participating within the value-chains wherein IoT products are developed and later used. Below, a number of the stakeholders who can have significant impact on the set of development and operational requirements used for the design of IoT products are outlined. The focus is on the stakeholders (or other actors) who participate from the very start until the IoT product’s life-cycle ends and it is decommissioned and recycled. The primary stakeholder group is designers and developers of hardware and software. A number of secondary stakeholders are also outlined.

1.1.1 Primary stakeholders
1.1.1.1 Designers and developers, project leaders, testers, documenters and consultants
As the development of an IoT product has progressed so far that a set of requirements has materialized, a suitable group of people is needed to develop the IoT product. It is common to bring in open-source code and open design of hardware, which may speed up parts of the process but also requires that there is enough competence to further develop and assess whether the potential open-source code or open design is safe, cybersecure and applicable for the actual use. The stakeholder groups and sub-groups are briefly outlined below:

Designers and developers of hardware and software – design and development of hardware and code, as well as using hardware and code developed by others, ensure that the right functionality (based on the requirement specification) is realized in a way that it all is cybersecure. This is not easy to accomplish and requires continuous training and intelligence gathering related to cyberattack progression and cybersecurity in general. Failing to do this can result in IoT products that may become dangerous or non-acceptable among customers as this is revealed. In cases where open design or open-source code is used, this commonly entails that the development team needs to review it manually and using tools to verify that nothing unwelcome has been planted. This needs to be verified at each new version, and may be a large undertaking if a lot of open design or open-source code is used. Further, hardware components, various chips or semiconductors, and ready-to-use circuit boards which are procured should be tested and verified so that they only do what they are supposed to do and do not have any extra functions (this applies in particular if the development/manufacturing is outside of the EU/USA and made in low-salary countries or non-democratic countries). Thus, designers and developers need to improve their testing and verification skills, both for what they do themselves and for external hardware or software, add additional cybersecurity test cases, and try to automate as much as possible. Automation enables fast testing, coverage, and repeatability. Thus, automation of development testing and increased usage of test suites and/or test rigs simplifies testing/verification of own development as well as development made by externals.

Developers of services, processes, and other necessary supporting structures – the extent of an IoT product may vary from just a product with warranty up through those based on an advanced and value-creating business model. Developers of hardware and software can contribute to the development of such services and processes that together support the structures required for the IoT products to operate over time. However, the development of services and processes differs somewhat from the development of hardware and software, and thus other competences may be needed along with an understanding of the whole life-cycle, the value-chain, and how these need to be improved within the years to come. As a basis for services and processes within the supporting structures, a mix of existing tools and services can be used together with ones locally developed. Some examples of services and processes, which can be conducted on-site
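The paragraph on designers and developers asks that open-source code and procured components be re-verified at each new version, and that as much of this as possible be automated. The following is an added example, not code from the handbook or its working group, of one building block for that automation: a manifest that pins every external artifact to the SHA-256 digest of the version the team actually reviewed, checked on every build. Anything whose digest differs (a new version, or something planted in transit) or that is not in the manifest at all is blocked and flagged for manual review. All file names, versions and contents below are constructed for the example.

```python
"""Pin third-party components to reviewed digests and verify them before a build.

Added example; the manifest format and all sample artifacts are constructed
for illustration and are not part of the handbook.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: list = field(default_factory=list)        # digest matches the reviewed version
    changed: list = field(default_factory=list)   # digest differs: new version or tampering
    unknown: list = field(default_factory=list)   # not in the manifest: never reviewed
    missing: list = field(default_factory=list)   # pinned in the manifest but absent


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(reviewed: dict) -> dict:
    """Record name, version and digest of each artifact once, at review time.

    reviewed: {name: (version, bytes)} for the components the team inspected.
    """
    return {name: {"version": ver, "sha256": sha256_hex(data)}
            for name, (ver, data) in reviewed.items()}


def verify_components(manifest: dict, artifacts: dict) -> Verdict:
    """Compare what the build is about to consume with what was reviewed.

    manifest:  {name: {"version": str, "sha256": str}}
    artifacts: {name: bytes} as fetched for this build.
    """
    v = Verdict()
    for name, content in artifacts.items():
        pinned = manifest.get(name)
        if pinned is None:
            v.unknown.append(name)          # nobody has looked at this component
            continue
        if sha256_hex(content) == pinned["sha256"].lower():
            v.ok.append(name)
        else:
            v.changed.append(name)          # must be re-reviewed before the pin is updated
    for name in manifest:
        if name not in artifacts:
            v.missing.append(name)          # a reviewed dependency silently dropped out
    return v


def build_allowed(v: Verdict) -> bool:
    """The build proceeds only when every artifact is pinned and unchanged."""
    return not (v.changed or v.unknown or v.missing)


# Constructed sample: what the team reviewed and approved.
REVIEWED = {
    "rtos-net-stack-1.4.tar.gz": ("1.4", b"constructed: reviewed network stack source"),
    "crypto-lib-2.0.tar.gz": ("2.0", b"constructed: reviewed crypto library source"),
    "board-bsp-0.9.zip": ("0.9", b"constructed: reviewed board support package"),
}
MANIFEST = make_manifest(REVIEWED)

# Constructed sample: what arrived for the next build.
INCOMING = {
    "rtos-net-stack-1.4.tar.gz": b"constructed: reviewed network stack source",          # unchanged
    "crypto-lib-2.0.tar.gz": b"constructed: reviewed crypto library source + extra",     # changed
    "ota-client-3.1.tar.gz": b"constructed: component nobody has reviewed",              # unknown
    # board-bsp-0.9.zip is absent from this build
}

if __name__ == "__main__":
    verdict = verify_components(MANIFEST, INCOMING)
    for category in ("ok", "changed", "unknown", "missing"):
        print(f"{category:8s} {getattr(verdict, category)}")
    print("build allowed:", build_allowed(verdict))
```

The digest check only establishes that what enters the build is byte-for-byte what was reviewed; it does not replace the review itself. A `changed` entry is therefore a trigger for re-review, after which the manifest pin is updated, rather than a reason to loosen the check, and the manifest should live under the same version control and review as the product's own code.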


or remotely, are: support, service, maintenance, training/education (for own staff, customers or others in the value-chain), fleet management functionality with monitoring and additional value creation, and efficient functions or services (see chapter 7 for more on this). Good and supportive self-help for problem solving, such as an FAQ, instructions, videos and virtual/augmented reality, which can be consumed via the web or an app, can be valuable in order to save time for both developers and users.

Project leaders – a project leader is commonly assigned responsibility for the development of an IoT product based on a requirement specification, and the expected outcome should have a certain level of cybersecurity and quality. To do this, a set of resources is assigned together with a deadline. To support the project leader, there are roles such as product managers and other relevant parts of the value-chain.

Testers – testers are needed not only for crafting test cases pertaining to the basic functionality, which naturally shall be tested (preferably) as a combination of automated and manual tests; they also require the knowledge and ability to craft test cases for advanced cybersecurity. The testers should conduct various forms of penetration tests, tests of availability/performance, and tests of which information can be extracted/exfiltrated by different means, such as faulty logins. The hackers who can attack an IoT product use a plethora of tools, ranging from very simplistic to very advanced, which the tester must be aware of. Potentially, a shielded lab may be needed for such testing using hacking tools. Doing this provides a good understanding of reality, of how test cases should be designed, and of how common cyberattacks are designed, planned and executed.

Documenters – documenters also need to be able to understand recent and relevant cybersecurity for IoT products. Unless cybersecurity is integrated into the description of the basic functionality, an option is to add an extra chapter or appendix to the manuals to outline how the architecture is set up and how to apply cybersecurity within and around the IoT product (if it is normally connected where many other things and systems operate). It can be a good idea to describe what the inherent cybersecurity functionality is, how to install/commission and configure it adequately, how to update/upgrade it, as well as how to verify that the cybersecurity functionality is correctly configured and working. For the last point, specific procedures or scripts may need to be developed and described.

Consultants – consultants are often added to development teams to strengthen the team within design, development of hardware or software, testing, documentation or project management, etc. Commonly, consultants split their time between different customers (and development teams), who may be suppliers of IoT products or similar and may be competitors, which requires that some things are addressed. The protection of intellectual property rights, patent ideas, and patterns/copyright (i.e., IPR) must be carried out such that the cybersecurity level is not negatively affected if consultants are team members or take part in maintenance later on. Thus, secrecy and confidentiality agreements need to be set up, along with how to implement cybersecurity and the instructions/awareness related to that. Also to be considered is whether consultants should be on premises together with the rest of the team or may work remotely. Any consultancy agreement should include requirements that consultants have good knowledge regarding cybersecurity and regarding the development of IoT products.

Others – development teams may comprise many different roles and categories of staff, ranging from CEO, CTO, development managers, program management and project management, to sales representatives who can bring in requirements from customers, to cleaners and janitors who move around in the development team's proximity.
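The faulty-login test case mentioned for the Testers role, as an added example that is not from the handbook: a hypothetical leaky login handler beside a hardened one, and the test that checks whether a failed login reveals which usernames exist (the user store, names and passwords are constructed).

```python
"""Constructed example: a tester's check that failed logins do not reveal
whether a username exists. The handlers are hypothetical, not a real product."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed user store: username -> SHA-256 of the password.
# A toy digest for the test only; a real product would use a salted password hash.
_USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


@dataclass(frozen=True)
class LoginResult:
    status: int
    message: str


def leaky_login(username: str, password: str) -> LoginResult:
    """Hypothetical 'before' handler: distinct errors tell an attacker which usernames exist."""
    if username not in _USERS:
        return LoginResult(404, "unknown user")
    if _USERS[username] != hashlib.sha256(password.encode()).hexdigest():
        return LoginResult(401, "wrong password")
    return LoginResult(200, "ok")


def hardened_login(username: str, password: str) -> LoginResult:
    """Hypothetical 'after' handler: one generic failure for every bad attempt,
    and a constant-time digest comparison so the two failure paths look alike."""
    stored = _USERS.get(username)
    # Always compute the digest so the work done does not depend on whether the user exists.
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, supplied):
        return LoginResult(401, "invalid credentials")
    return LoginResult(200, "ok")


def leaks_user_existence(login, known_user="admin", unknown_user="nobody") -> bool:
    """Test case: send a faulty login for a known and for an unknown account and
    report True if the two responses differ in any observable way."""
    known = login(known_user, "definitely-wrong")
    unknown = login(unknown_user, "definitely-wrong")
    return (known.status, known.message) != (unknown.status, unknown.message)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_user_existence(leaky_login))        # True
    print("hardened handler leaks:", leaks_user_existence(hardened_login))  # False
```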
CIRCULARITY IS IMPORTANT WHEN DESIGNING IOT. PHOTO: ADOBE STOCK.
For all these, cybersecurity and protection of IPR and secrecy must also be set up properly, in the same way as for any consultants involved.

1.1.1.2 Buyers
Initially, it is never easy to foresee the actual use of an IoT product, although a certain use is expected and prescribed. Possibilities to solve new problems, and also old ones, which were not part of the framing of the initial thought process, will always appear and spur the continuous development of an IoT product. Listening and talking to customers and users on a regular basis is always a good idea in order to stay updated on the needs, on how the IoT product is used, on what can be improved and on what might be missing. With respect to buyers, there may be a number of part stakeholders involved who are not up-to-date on how an IoT product should be used or on what requirements are posed by the surrounding context. In such cases it may be a good idea to offer help and actively ask questions that reveal what is needed concerning the IoT product and its future usage. Potential part stakeholders at a buyer may be:

Procurement – procurers do not always have the necessary specialist knowledge and may follow a simple or limited procurement process. In this context, support may be needed to ensure that cybersecurity is also part of the set of requirements from the very start, as it is usually hard and expensive to add it later on. Unfortunately, adding cybersecurity requirements later will not render as good a result as if these were part of the requirements from the start. A potential development of procurement processes is to ensure from the very start that all competencies needed within IT, OT and cybersecurity are part of the process (in order to avoid the difficult problems and high costs that would otherwise come later).

Function-/process owners – these roles participate in processes and ensure that activities and tasks are executed using various forms of equipment and tools where IoT products may be present. In addition, IoT products can be part of monitoring such functions/processes to ensure that all work and quality is above the expected level. Examples of such are controls for a function/process, and for monitoring, sensors and cameras may be used.

Technology-/development department – customers often have a department managing technology/development matters, which can build up production and distribution lines and adapt technology for these. Those working in such departments often have good knowledge of both functions/processes and technology, which makes them an important part stakeholder to discuss with and interview.

Operations and maintenance/service – those who work in operations and maintenance/service are the ones most in contact with the IoT products. The operations/usage phase is also the longest phase of the life-cycle of an IoT product. Thus, among these workers there is a good understanding of how an IoT product can be efficiently installed, commissioned, configured, updated/upgraded, changed, decommissioned and in general maintained. This should be made easy to execute efficiently, for instance by having a set of well-working fleet management functions, to lower the life-cycle cost of an IoT product. A low life-cycle cost makes an IoT product interesting compared to competing IoT products, in particular if these lack fleet management functions.

Thus, it may be a prosperous idea to talk to various part stakeholders at buyers, as they all may have small pieces of information that complete the bigger picture. These are also a good source of ideas for how to lower the total life-cycle cost for customers.
1.1.1.3 Product owners
The product owner, i.e., the company which owns the IoT product and puts it on the market, has responsibility for, e.g., that the CE mark is fulfilled and that all legal/regulatory requirements are met.

1.1.1.4 Product manager
On the supplier side of an IoT product, it is a good idea to have a role who is responsible for the product's requirement engineering (and perhaps also for similar products in a family) throughout their life-cycles and thus is the extended arm of the product owner. Having clear responsibility and authorization to manage the IoT product makes it a lot easier to get the right requirements into development from the start and then later add new requirements until the end of the life-cycle. Commonly, a product manager manages the requirement engineering and continuous requirement collection as well as strategic planning of the development (e.g., in the form of a roadmap), and acts as the glue between customers, development, sales representatives and other stakeholders. Further, it is usual that the requirement specification is managed and compiled by a product manager.

1.1.1.5 Object owner
At the buyer side there may be object owners, who are responsible for IoT products or have budget responsibility to maintain them as well as other assets residing in production or distribution environments. After installation and commissioning, the object owners have the responsibility to maintain and keep the IoT products up-to-date until they are decommissioned and end-of-lifed, or are transferred to another object owner. These object owners often work closely with function-/process owners, who have a larger responsibility, to ensure that what is to be accomplished is executed with the right quality and availability and on time. Object owners may not always consider cybersecurity, but they are increasingly forced
RIGHTS AND LEGAL ISSUES ARE CENTRAL THROUGHOUT THE DESIGN AND PRODUCTION PROCESS ALL THE WAY TO THE END USER. PHOTO: ADOBE STOCK.
to do that due to necessary planning for access from within, external/remote access, redundancy, backup/restore, logging, etc.

1.1.2 Secondary stakeholders
No chain is stronger than its weakest link. If there are many secondary stakeholders involved within the value-chains, these will need both physical security and cybersecurity. This should be part of the value-chain agreements, and the implementations should be reviewed on a regular basis, as otherwise these can contribute to an increasing risk exposure. Below, a number of potential secondary stakeholders are described, some of which are integrated into the supplier (developing the IoT product) in case the supplier has integrated the whole vertical and horizontal value-chain to the customer. However, it is common that there are a number of external parties acting as secondary stakeholders.

1.1.2.1 Manufacturers
If manufacturing is done internally and in own factories, it is easier to keep an adequate level of cybersecurity around and within the production environment as well as to protect the information necessary to produce the whole, or parts of, the IoT product. An IoT product may be very simplistic or have an advanced architecture. Further, the borderline between when it is an IoT product and when it is a cyber-physical system is a bit unclear. In any case, the production environment must be protected so that everything in it is kept confidential, so that it is not possible to make unauthorized changes to the manufacturing process or process parameters, and so that the processes run without disruptions and stops, as such can negatively affect the output quality as well as lower the output volume. Further, physical security within and at the perimeters of production facilities and factories also needs to be adequate to prevent burglary, theft, and sabotage of the electricity supply, ventilation systems or water pipelines.

If using outsourced manufacturing, these production facilities and factories need to have the same levels of physical security and cybersecurity as any own factories. There is a difference between outsourcing standard components and outsourcing where there is IPR, such as hardware designs, software or knowledge about the production process, which must be protected and kept confidential. Thus, sometimes it is not applicable to outsource outside of trusted production facilities and factories, or to countries outside the EU/USA where political pressure or involvement may endanger the confidentiality of IPR.

Thus, an assessment of physical security and cybersecurity is recommended at least annually in order to ensure that the outsourcing is executed in the desired manner and that the physical security and cybersecurity levels are adequate. Outsourcing also requires that any external manufacturer contracted is regularly reviewed as a whole. This should be part of the procurement or supplier review processes.

1.1.2.2 Distributor
Post manufacturing, an IoT product can be stored and distributed fully or partly by own means, or by using an external distributor or distribution solution. For simplistic IoT products this is not that complicated, whereas for IoT products which may also carry spare parts/components, or software and manuals requiring regular updates, it can be a good idea to consider this in order to be able to keep all of it physically protected and ensure that no unauthorized persons can access the IoT products, spare parts/components, software or manuals. If a virus or malware is added to software updates or manuals (if these are executable or readable files), it can cause significant problems for object owners at customers and for the supplier (no matter whether the distribution is manual via service/support staff or via downloads from a portal or cloud service). Concerning the distribution of hardware, software, manuals, etc., the processes are required to check/verify that nothing unwelcome, extra or unauthorized has been added. Further, IoT products can have services possible to add, such as maintenance, service,
support and optimizations. Some of these services are executed on premises and some remotely, using data which may be transmitted to a cloud service. If these services engage own staff or external distributors/executors, and if any cloud services used are hosted at an external cloud service provider, the requirements for physical security and cybersecurity must be applied here too. See more on this further below.

1.1.2.3 Installers
If the customer or supplier does not conduct the installation and commissioning, it is common to use external installers. Like any distributors, these need to have adequate physical security and cybersecurity in case they keep a supply in stock and use this to install, as well as keep any needed software in an own portal or cloud service. Installers need continuous education and training on the IoT product and its installation, configuration and commissioning, and must build and maintain a general awareness about cybersecurity (which includes both physical security and cybersecurity). If the IoT products will be installed in sensitive operations or processes which require very high availability, the installers must see to it that no one else can access the IoT products or their various components. Further, installers need to know what to do when they decommission and replace old IoT products with new ones or other solutions. Then any potentially sensitive data, configurations, control data, etc., must be wiped or removed so that no one else can figure out what the IoT product has been used for, or obtain data about the old operating environment (i.e., networks, IP addresses, connections). Some IoT products may need to be destroyed completely if it is not possible to verify that all sensitive data and configurations are completely wiped or removed. A product manager or object owner should preferably interview the installers about potential improvements of installation, configuration and (de)commissioning.

1.1.2.4 Crews providing add-on services – service, support, maintenance and optimizations
Common value-adding add-on services for IoT products, within value-chains, are to provide support, service, maintenance and optimization of hardware or software as well as of the processes where IoT products contribute. Further, add-on services such as re-engineering of processes and integration with other solutions are common. Among the part stakeholders participating within this scope, valuable ideas for improvements of IoT products can often be found, as these are the ones who manage the IoT products during the longest phase of the life-cycle and can clearly see any flaws and potential improvement areas, in combination with the possibility to compare with the competitors' IoT products and solutions. At the time of service and support, when some IoT products may get replaced, it is important to ensure that sensitive or IPR-related data or information is wiped or erased. This situation is very similar to the one for installers. A product manager or object owner can have a great exchange of ideas and learn about flaws and potential improvement opportunities regarding how IoT products behave while in operation.

Add-on services can be provided on-site or partly from a distance (using remote access and tools). If on-site, it must be ensured that no viruses or malware are brought in, and the providers need to agree together with the customer's users on how to keep the processes cybersecure. In many instances, external laptops, USB sticks/disks or mobile phones are not allowed to bring in any files or other items from the outside, and other secure procedures are needed. The staff at customers also need to monitor that the service providers only do what they are allowed to do, and do not collect data or information from surrounding competitors' equipment and solutions, or about processes and process parameters they should not have access to. It is a trend to do increasingly more from a distance (i.e., remotely) through external connections such as low- or high-level VPN, which saves time and
costs, as the distances to travel may be long while the time to provide the service is relatively short. Thus, customers need to maintain strong control of who is allowed to get access from a distance and have a standardized way to provide such access. Such a standard may encompass time limitations, access only during normal business hours, and removal of inactive user accounts. For acute problems, there can be a fast activation process for external connections with a short life span. Further, it is common that suppliers collect data in a central cloud service in order to be able to help part stakeholders at customers with analyses of the processes' outcomes or operational details, optimization of processes and process parameters, and finding signs of wear and tear as well as maintenance needs or replacement of equipment. In addition, maintenance, updates or upgrades of software, and re-configurations are often carried out this way too. Some customers want to have their own local servers in own data centres (on-premises) and not use external cloud services or the supplier's central servers. However, this depends on factors such as who owns the data, who can do what with the data, and who has access to the data, all of which should be part of the agreement set up. In the future, ownership of and access to data will become increasingly important and central to data-driven business models. Thus, the locations where the data and information are stored must have adequate physical security and cybersecurity. This holds whether storage is local, within a cloud service or at the supplier's servers.
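The standardized remote-access rules described above (time limitations, business-hours-only access, removal of inactive accounts, and a short-lived fast activation for acute problems), as an added example that is not the handbook's own: the policy values, account records and timestamps are constructed assumptions.

```python
"""Added example: a small policy engine for a customer's external remote-access grants.
Policy values (business hours, inactivity limit, emergency lifetime) and all
account data are assumptions constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

BUSINESS_HOURS = range(8, 17)            # 08:00-16:59, Mon-Fri (assumed policy value)
INACTIVITY_LIMIT = timedelta(days=90)    # assumed policy value
EMERGENCY_LIFETIME = timedelta(hours=4)  # assumed life span of an acute-problem grant


@dataclass
class ExternalAccount:
    name: str
    created: datetime
    valid_until: datetime              # hard time limit of the access grant
    last_login: Optional[datetime] = None
    emergency: bool = False            # fast-activation grant for acute problems


def last_activity(acct: ExternalAccount) -> datetime:
    """A never-used account counts as inactive since it was created."""
    return acct.last_login or acct.created


def is_inactive(acct: ExternalAccount, now: datetime) -> bool:
    return now - last_activity(acct) > INACTIVITY_LIMIT


def grant_emergency_access(name: str, now: datetime) -> ExternalAccount:
    """Fast activation for acute problems: short life span, not bound to business hours."""
    return ExternalAccount(name, created=now, valid_until=now + EMERGENCY_LIFETIME,
                           emergency=True)


def access_decision(acct: ExternalAccount, now: datetime) -> str:
    """Return 'allow', or 'deny: <reason>', for a remote connection attempt at `now`."""
    if now >= acct.valid_until:
        return "deny: grant expired"
    if acct.emergency:
        return "allow"                   # its short life span was enforced above
    if now.weekday() >= 5 or now.hour not in BUSINESS_HOURS:
        return "deny: outside business hours"
    if is_inactive(acct, now):
        return "deny: inactive account, flagged for removal"
    return "allow"


def accounts_to_remove(accounts: List[ExternalAccount], now: datetime) -> List[str]:
    """Periodic review: names of grants that are expired or inactive and should be removed."""
    return [a.name for a in accounts if now >= a.valid_until or is_inactive(a, now)]


# Constructed sample data: a supplier's external accounts at one customer.
SAMPLE_ACCOUNTS = [
    ExternalAccount("supplier_tech", datetime(2024, 1, 8), datetime(2024, 12, 31),
                    last_login=datetime(2024, 3, 1)),
    ExternalAccount("old_contractor", datetime(2023, 1, 9), datetime(2024, 12, 31),
                    last_login=datetime(2023, 11, 1)),      # 132 days idle: inactive
    ExternalAccount("expired_vendor", datetime(2023, 6, 1), datetime(2024, 2, 1),
                    last_login=datetime(2024, 1, 15)),      # time limit has passed
]
TUESDAY_MORNING = datetime(2024, 3, 12, 10, 0)   # weekday, inside business hours
SATURDAY_NIGHT = datetime(2024, 3, 16, 22, 0)    # weekend, outside business hours


def review_at(now: datetime) -> Dict[str, str]:
    """Decision for every sample account at one point in time."""
    return {a.name: access_decision(a, now) for a in SAMPLE_ACCOUNTS}


if __name__ == "__main__":
    for name, decision in review_at(TUESDAY_MORNING).items():
        print(f"{name}: {decision}")
    emergency = grant_emergency_access("oncall_vendor", SATURDAY_NIGHT)
    print("emergency +1h:", access_decision(emergency, SATURDAY_NIGHT + timedelta(hours=1)))
    print("emergency +4h:", access_decision(emergency, SATURDAY_NIGHT + EMERGENCY_LIFETIME))
    print("remove:", accounts_to_remove(SAMPLE_ACCOUNTS, TUESDAY_MORNING))
```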
CLOUD TECHNOLOGIES AND SERVER DATA PROCESSING. PHOTO: ADOBE STOCK.
1.1.2.5 Recyclers
IoT products need to be partly or fully recyclable as they near the end of their physical life-cycle. Instructions for how to do this should be in the user manual as well as marked on any initial packaging. As IoT products are to be recycled, they first need to be wiped or emptied of any data and information, and some parts even destroyed physically. This is because there are different types of memories and disks that can be hard to wipe/erase completely. Further, no IPR of high sensitivity or value should end up at competitors or at those who want to hack their way in. In such cases, memories or disks need to be shredded or crushed. If doing so, remember to facilitate the next step of recycling. Thus, it can be a good idea to have a clear instruction and also refer to any similar rules, instructions or policies of the object owner's or users' organizations regarding management of data or information at the end of the life-cycle. See also section 3.5 and chapter 8 for more on this matter. Commonly, object owners and users have a process for recycling, and if there are any deviations from a normal process or instructions, it needs to be brought up with management. Remember that if an IoT product is left in a general bin at a recycling facility, the control of it ends. If necessary, additional cybersecure and protected storage may be required before the recycling starts.

1.1.2.6 Authorities – who themselves are users and/or have regulatory review responsibility
Authorities may have a dual role in contexts where IoT products are used. They can be users in, for instance, various forms of critical infrastructures, and they can also be the regulatory reviewer who visits and reviews actors where IoT products are used in processes. Thus, they need to have good knowledge of cybersecurity both regarding the IoT products and the contexts in which these are used. Examples of such authorities within Sweden are the Swedish Food Agency (water production), the Swedish Post and Telecom Authority, the National Electrical Safety Board and the Swedish Civil Contingencies Agency, whereas examples of those who use IoT products are the Swedish Transport Administration (road network, railways and waterways), Swedavia (airports), municipalities (road network, water and sewage systems, buildings, and health/elderly care) and counties (health care, buildings, and a lot more).

1.2 To certify an IoT product… or not to certify it
A question that often arises is whether there is any reason to certify an IoT product. There are obvious reasons such as legal or regulatory requirements, e.g., GDPR and CE-marking within the EU (as well as the upcoming EU Cyber Resilience and Cybersecurity Acts), or industry requirements which are expected in order to be able to market the product. Further, in the UK, which is a large market within Europe but outside of the EU, there will be a requirement for UKCA-marking for products from the 31st of December 2024, similar to the EU's CE-marking. There is more on these industry requirements in the bulleted list further below. Further, certain customer segments may have specific requirements, or more or less have to buy certified products in order to be able to show that they fulfill the requirements posed in the next step of a value-chain (from authorities or customers). In addition, boards of directors and owners of businesses or organizations have started to wake up and sometimes initiate various cybersecurity-related certifications, e.g., ISO 27001 or IEC 62443, for their own business or organization. Subsequently, they need to review which equipment, IoT products, software, etc., they use themselves as well as market/provide, and which certifications may be required pertaining to these. Thus, a certain measure of proactivity has been sparked, with the intention of providing advantages within business development and marketing, and so that later on their offering is not filtered out early in the
sales process (or disqualified as an offer) due to a too low level of verified cybersecurity.

To certify an IoT product costs time, work effort and money. Thus, this needs to be thought through so that it provides more output value than what is put into the process. A good practice, prior to starting any certification efforts, is to query colleagues and friends within the same business as well as the certification auditors (for the standard of interest) about how much a certification may cost and how much calendar time can be expected.

The certification of an IoT product may provide advantages as some tasks or processes can be minimized or eliminated. Examples of such are sets of queries from customers, as part of qualification steps or pre-procurement information collection, as the procurers can themselves easily read or get simple information about which certifications the IoT product has. Just this step can reduce a work effort of commonly 10-100 hours each time, as the sets of queries are not identical. Further, having certificates of standard certifications to show customers and other stakeholders, with well-selected and appropriate standards, provides a clear view of the cybersecurity status.

Below are some examples of standards for cybersecurity that are applicable for IoT products within a number of businesses or segments:
• Domestic/consumers – ETSI TS 103 645/TS 103 701, ETSI EN 303 645, and SSF 1120-1
• Intelligent cities and buildings – Swedish Association of Local Authorities and Regions, Informationsäkerhet inom fastighetsområdet & IoT, Arkitekturgemenskapens Referensarkitektur för IoT (till smart stad och digitala tvillingar)
• Industry – IEC 62443 3-3, 4-1 and 4-2
• Marine applications with class actions required – DNV-RU-SHIP Pt.6 Ch.5 and Lloyd's Register Cyber Safe for marine (these are both based upon IEC 62443 3-3)
• Health care – IEC 81001-5-1, and MDCG 2019-16 (medical technology equipment)
• Food and beverage, including production and distribution of clean water – IEC 62443 3-3, 4-1 and 4-2
• Financial – PCI-DSS
• Vehicles – ISO 21434
• Municipalities, counties, and government agencies – Swedish Association of Local Authorities and Regions/RISE (KLASSA för IoT), SSNF Robust och säker IoT (municipal broadband networks in Sweden), Traficom (Finnish transport and communications networks)
• Critical infrastructure – IEC 62443 3-3, and ISO 27019
• General:
  • ISO/IEC 27400 (IoT security and integrity), SSF 1120 (theft protection for connected IoT products), SSF 3523 (digital locks), ioXt Alliance (certification program for secure IoT products), and IEC 62443 3-3
  • EU Cybersecurity Act, which is a framework comprising cybersecurity requirements for certification
  • EU Cyber Resilience Act, which poses requirements on the inherent cybersecurity of a product during its whole life-cycle
  • EU Radio Equipment Directive (RED), which will apply from August 2024 to all IoT products that can communicate electronically (wirelessly)
  • ISO 27017/18 (security for cloud service environments, as data generated by IoT products are often stored in such services)
  • ISO 27032 (guidelines for Internet security)

Within the scope of this handbook, we will keep some standards close, which are adequate and provide support during an IoT product's life-cycle, and use these for support in, for instance, chapter 3 and its requirement analysis.
1.3 Regulatory frameworks and legal requirements
The EU NIS Directive, i.e., the Directive on Security of Network and Information Systems, became Swedish law during 2018 and will be updated to "NIS2" at the latest in 2024. The foundation of the directive is requirements on organizations delivering services that are of importance to society to have systematic risk and cybersecurity efforts, where any security-related incidents are to be reported and managed adequately. The current version of the directive poses requirements on obviously critical operations within, for instance, health care, clean water production and distribution, digital infrastructure, etc. The new version will increase the scope considerably and also includes district heating, sewage and wastewater management, food, chemical production, as well as a number of branches of the manufacturing and production industries. In coordination with NIS2, there are a number of other new and updated regulations and directives from the EU (see the example in Figure 2). Many of these have direct connections between them. Thus, a thorough analysis of all these frameworks, directives and acts is needed in order to create a unified set of requirements to move on with.

Some examples of such complements to NIS2 are:
• CER – Critical Entities Resilience Directive. Requirements on organizations involved in operations that are critical for society. Overlaps with NIS2.
• DORA – Digital Operational Resilience Act. Requirements for resilience within the financial industry.
• CRA – Cyber Resilience Act. Requirements on technical equipment; there are many overlaps/connections with NIS. Further, it is relevant for IoT products in general.
• RED – Radio Equipment Directive. Concerns primarily requirements on equipment with any kind of radio communications technology.
• MDR/IVDR – EU regulations concerning medical technology products and medical technology products for in vitro diagnostics.
• Machine Directive – Requirements for ensuring that machines in any form are not dangerous to use. This directive will in the future also address cybersecurity, usage of AI and other technical challenges within the area.

Among these, it is most likely that NIS2, CRA and RED are applicable to IoT technologies within many areas. In cases where IoT is used as part of a machine, the Machine Directive will likely also be applicable. Medical technology products are highly restricted, with strict cybersecurity requirements. NIS2 and the others put a lot of focus on creating cybersecurity within the supply-chains and on putting requirements on one's suppliers. In practice, this entails that all parties who expect to provide products and services to NIS2 organizations need to adapt to the requirements, even though their own organization is out of scope for NIS2 requirements. Additional requirements highlighted by NIS2 are incident response management, resilience to issues/disruptions, coordination with authorities who have regulatory review responsibilities, vulnerability management, the ability to measure the efficiency of cybersecurity efforts, management responsibility, and the need for competence at management level. NIS2 has a scope for sanctions towards operations that do not comply of up to 2% of global turnover or 10 M Euro.
2. Threats towards IoT products, risks and principles

Below, we will assign the label "assets" to IoT products and to the data and information which need to be protected in various environments. These assets may be within the actual IoT product or in its direct proximity, and thus be affected by the function of the IoT product or by the possibility to launch a cyberattack through it. This will be further outlined in section 2.1.

IoT products can be used in a lot more contexts and applications than foreseen. The handbook mainly addresses IoT products used in the following contexts, although there are many others such as airspace, space, and military ones:

Domestic (homes) – connected home electronics ranging from smart building automation systems and lock/alarm systems, toasters, fridges/freezers, TVs, gaming platforms and watches/clocks, to modern connected vehicles.

Professional environments – building automation systems and lock/alarm systems, industrial production/distribution, maritime environments with the function of vessels or platforms, health care ranging from acute care to elderly care, food and beverage production/distribution, vehicles remotely driven by humans or completely autonomous and used in various transport processes, etc.

Critical infrastructure – functions or services critical for society5.

Within professional environments and critical infrastructures, IoT products are seen by many professionals as one of the largest threats to their operations. Thus, it is of great importance that IoT products from now on get an inherently good, or very good, level of cybersecurity so that this label can be removed.

Figure 2 indicates how everything from overarching legal requirements to voluntary good ideas and experiences can affect an IoT product, in addition to the requirements posed by object owners at customers, by the supplier itself or by other stakeholders in the value-chain. The IoT products shown are put into the different categories of domestic (homes), professional environments and critical infrastructures. There are of course many more, but these are not brought up here. The point is not that there are more, but to understand that there are requirements that do not only originate from the object owners at customers, and that there are different groups or types of IoT products, from very simple ones to extremely advanced, which may or may not be connected to networks. In addition, the cybersecurity and availability/resilience requirements may differ significantly between IoT products targeting domestic use and those for use in professional or critical infrastructure contexts. Thus, a customer must be prepared to pay more for IoT products targeting professional or critical infrastructure environments compared to those targeting domestic use. Further, installing IoT products aimed at domestic use, because they are "cheap" and "solve the problem", into the other mentioned environments is not a good idea and will likely not be particularly cheap or value-creating in the long run either.

5 See for example: https://soff.se/samhallssakerhet/vad-ar-samhallsviktig-verksamhet/


FIGURE 2 – IMPACT FROM INTERNATIONAL AND NATIONAL LEGAL FRAMEWORKS AND REGULATIONS, INDUSTRY REQUIREMENTS/GUIDELINES/STANDARDS AS WELL AS BEST PRACTICES AND EXPERIENCES ON IOT PRODUCTS IN DOMESTIC (HOME) CONTEXTS, PROFESSIONAL ENVIRONMENTS AND CRITICAL INFRASTRUCTURES.



2.1 What assets do we want and need to protect?

Section 3.2 outlines different areas, or rather consequences, which are commonly discussed when assets are to be protected: confidentiality, integrity, availability, trust and traceability. There are more of these, but the ones mentioned are enough to start with. All of these are good to keep in mind while considering and mapping out which assets are within the IoT products or in their proximity and need to be protected in order to avoid probable consequences. Below, several such assets are described in brief.

Domestic assets
Which domestic assets are worth protecting? Besides the building itself, which can be destroyed by fires or floodings, there are data about the residents which can be accessed via microphones/speakers and cameras; such data needs to be kept confidential and its integrity ensured. During the cold part of the year, electricity and heating systems need to function so that water piping does not freeze and cause water damage. Further, during the whole year, water and sewage, ventilation as well as the electric system and internet connection etc. should also function well. Poorly protected equipment used for the internet connection may provide access to various systems and potential sensors, to information about the home network's set-up, and to further information about more or less everything that is connected to the home network. If a fridge and freezer, which are not protected from water leakage, are turned off unnoticed, it may cause water damage. Further, a low-quality connected toaster which is kept going continuously may cause a fire. In addition, based on the data collected about the residents it can be analyzed whether they are at home or not. To do this, data from water and electricity meters and the fridge can be used unless these are cybersecure. In the worst case, this may lead to unwanted visitors when the residents are out of the house. If there is an unsecured alarm system, it can be tested whether it is activated, or used to reveal what answering times various sensor readings or a triggered alarm have, whether sensors function and are activated, and whether sensors can be shut down when wanted. There are many examples of why IoT products or solutions, often referred to as smart products, used in domestic environments must be both physically secure and cybersecure.

Professional environments
Professional environments comprise many assets needing protection, such as data about: the various processes where IoT products are used as well as process parameters and configurations/recipes, buildings and their support systems, the topology of the network and which equipment is installed in the network. Further, there may be a lot of details about an operation's processes, what is produced and distributed as well as how this is executed. The last mentioned can be open IPR or IPR which needs to be kept secret. In addition, for most operations it is vital to run production and distribution processes without disruption, in order for what is produced to keep the wanted quality and so that nothing extra is added (unwanted software or components or other types of ingredients). Information about how well production or distribution processes operate, or do not operate, can affect markets and thus must be protected. IoT products which are faultily installed, or erroneously configured, are a great concern for many cybersecurity professionals in professional environments, and such IoT products without an adequate cybersecurity level will become highly dependent on the cybersecurity level in the surrounding network being kept up continuously over time. The function of an operation's IoT products and processes can be related to the trust of object owners at customers in the supplier's ability to deliver and in the supplier's brand. This trust is in some cases extended to authorities who have regulatory review/inspection responsibilities. The trust can probably take a hit or two, but in the short term some sales may be missed. A larger hit to the trust can be harder to cope with in the long term.


FIGURE 3 – EXAMPLES OF A SUB-SET OF INFORMATION AND DATA WHICH CAN BE SENSITIVE AND NEED EXTRA PROTECTION IN RELATION TO THE WHOLE SET OF INFORMATION AND DATA.

Critical infrastructures
Critical infrastructures comprise a lot of assets needing protection; these assets are subject to national laws and regulations and must have an adequate physical protection and cybersecurity level. The assets may hold highly interesting data and information about the processes, facilities and networks they are used in. Commonly, these processes must operate at very high availability, often around the clock, and the integrity of processes, recipes, configurations, etc., must be upheld and not be possible to change by unauthorized persons. Critical infrastructures require a high level of confidentiality as well, although availability and integrity are paramount. Figure 3 asserts the need for mapping out which data and information are sensitive and must be particularly protected. Further, there may be a need to map out which processes, systems and services must keep a high level of availability and integrity. IoT products are often part of a larger scheme than only the IoT product itself.

To sum up, all mentioned contexts, ranging from domestic to critical infrastructures, must consider which are their assets to protect. The common answers are: data and information, availability and integrity of various equipment and processes, the trust of object owners and partners, brands, etc. Thus, a supplier of IoT products needs to understand its customers' contexts and develop an adequate protection through instructions and processes, in combination with functionality, in order to achieve the wanted level of protection and cybersecurity. It is a must to understand which legal and regulatory requirements directly or indirectly have an impact now and in the future. Further, what to protect and secure must be understood and turned into development requirements. Additional structures and processes may need to be developed in order to reach an adequate protection and cybersecurity level.

2.2 Weaknesses and vulnerabilities

Assets may have inherent weaknesses and vulnerabilities from the very start, or these can arise later on due to poorly developed updates or upgrades, or because combinations of issues are discovered. The weaknesses and vulnerabilities may reside within the hardware, its potential firmware, the operating system, or the code or applications which run on top of these. Further, various processes used to manage and maintain IoT products may cause weaknesses or vulnerabilities through inadequate remote access solutions, e.g., low- and high-level VPN (virtual private network, which is an encrypted tunnel from one point to another), or because updates or on-site maintenance bring in non-controlled software and equipment, causing a virus or malware to get in. It is usually easier,


at a later stage, to fix security weaknesses and vulnerabilities in software than in hardware.

In domestic contexts, it is unfortunately common to have almost no, or poor, protection of equipment connected to the Internet, as well as poor segregation of the networks (i.e., separation and segmentation) used for building automation, children, work, alarms, etc. A segregation of the network(s) makes it harder for viruses and malware and can also, besides providing improved security, enhance the bandwidth available if there is a high load on the network.

IoT products aimed at domestic contexts are often able to update themselves, in terms of firmware and software, if this is configured at installation. Otherwise, there is a need to manually update firmware and software on a regular basis. Further, it is unfortunately common that IoT products for domestic use have a poor design of cybersecurity, or initially lack it, within the hardware, firmware or the software run on top of this. An area where improvements are made, but which is still not adequate, is to force the change of standard configurations and passwords during installation and commissioning. Unless these are changed, it is unfortunately rather straightforward, if the IoT product can be accessed by unauthorized persons, to take over the IoT product and potentially use it for unwanted activities. Such activities may include: creating disorder; extortion by encrypting data, information and systems; causing systems and IoT products to be inaccessible; using IoT products as parts of bot-nets for DDoS attacks targeting Internet-based services such as banks or payment systems (Swish and BankID) or web sites for booking train tickets. If there are unprotected IoT products for domestic use that comprise microphones, speakers, or cameras, it is good practice to ensure these do not comprise weaknesses or vulnerabilities and that they cannot be used to collect data/information about the residents and whether they are at home or not.


There are many commonalities between IoT products for domestic use and those aimed at professional environments or critical infrastructures. In the latter, it is however much more important not to open up weaknesses or vulnerabilities through poorly designed functionality and too low a level of cybersecurity. The level of cybersecurity also applies to the networks, the external connections needed, and the processes related to installation, configuration, commissioning and later support, service and maintenance until decommissioning and deinstallation. It is essential in professional environments and critical infrastructures to also ensure that information about the networks and network equipment wherein the IoT products are used is not revealed through poor design or cybersecurity. Such information is often used as part of cyberattacks.

TO NOTE! If there is an interest in learning more about weaknesses, vulnerabilities and what is actually exposed to the outside (i.e., the Internet), a possibility is to use the web browser TOR in combination with the search tool Shodan (this should not be done from a computer within a secure network). Then it is easy to view, within different geographic areas, equipment that is obviously exposed and potentially unsecured and thus possible to connect to. Doing this, a large number of web cameras, sensors, building automation systems, etc., can be listed. Unfortunately, there are many good and cheap tools available for various types of hackers, both on the Internet and on the Darknet. See more on this further below.

A general weakness of many IoT products is that the user manual (or other documentation provided) outlining how to install, configure and commission does not say anything about how the cybersecurity around the IoT product should be set up, nor about how to install, configure or commission the IoT product in a cybersecure manner. Further, how to maintain an IoT product's cybersecurity level during the whole life-cycle is often also missing. Thus, it can be good to add this, either integrated into the user manual or as an extra appendix at the end of it. A rule of thumb is that the lower the inherent level of cybersecurity is, the higher the protection level required around it.

2.3 Common threats

Commonly, different threats are categorized as less malicious, e.g., hobby hackers, and malicious ones such as professional hackers and actors supported by nation states, whose purpose is to make money, steal information and IPR, or to disrupt or destroy operations. Unfortunately, the latter two categories have significantly increased their malicious activities at the same time as the level of sophistication has increased substantially during the last five years, and this is projected to increase further. Cyberattacks or intrusion attempts are launched around the clock and are largely automated in order for the malicious actors to find out where they can get in and what they can do there. Following this, these actors make a (business) plan and, depending on purpose/intent, craft a schedule for what to attack or what to infiltrate for collection of information over time. Professional hackers and nation state supported actors have very good knowledge and are in many cases well ahead of many IoT product suppliers as well as their suppliers of firmware and operating systems etc.

Another threat, mainly posed by professional hackers or nation state actors, is to hack into an IoT product's development environment or somewhere in its distribution chain with the intent to plant a hostile piece of code or hardware component, and thus provide a way in (i.e., a back-door) later on as the code is distributed to the target environments at the users. This is often denoted a "supply-chain attack". Another way to plant hostile code is through the use of open-source code (there are various frameworks) which has not been adequately reviewed prior to addition to the code base. There should be responsible lead developers who review the open-source code and its continuous updates, and who accept these prior to addition and use. The origin of the ones behind the open-source code should also be reviewed


and no open-source code of unclear origin should be used. Later, it is very hard for the developers who use the adopted open-source code to find any hidden back-doors or code that sends out selected data about the users, the process and the environment/networks. If the open-source code, or code packages procured from vendors, are signed and all look good, it is quite a demanding task to review all of it (and to do so continuously), even with the help of review tools. This is very hard for the ones that install and use IoT products to detect, in particular if the update or upgrade packages distributed are signed and all look OK in pre-installation testing. One problem is that sometimes the hostile code can be time activated and dormant, or just opens up a window to the outside and enables hostile actors to decide what, how and when to do hostilities. The usage of open designs concerning hardware has the same type of problem; open designs need to be reviewed, and any assembled components/circuits should be carefully reviewed and tested as well prior to usage.

Further, an additional threat is the own staff (or in-house consultants) and the ones involved in the whole value-chain around an IoT product until it is decommissioned and deinstalled. Commonly, it is mistakes or a too low level of competence that may open up weaknesses or vulnerabilities and allow these to remain around the IoT product. Rarely, it is disgruntled staff who consciously disrupt processes, do sabotage, or steal data, information or IPR and sell it to hostile actors. Unfortunately, the latter occurs, although the first mentioned, mistakes by own staff (or in-house consultants), is more frequent.

In addition, there are multiple threats, and these must be thoroughly considered and outlined in a risk analysis.

The threshold for threats is low and it is relatively cheap to rent hackers or buy time slots in cloud services or bot nets intended for hacking or disrupting organizations and their processes. Buying hacker tools costs from a few dollars to thousands of dollars, all depending on what can be accomplished with the tool. Such tools can be purchased on the Internet, the Darknet or from firms specialized in providing such tools to actors like police, intelligence services and others who can pay. Thus, the relation between what it costs to raise a cyberattack and what the impact may be is that, with a small amount, a large impact/loss/cost can be caused. Further, owners of IoT products, or owners of organizations where IoT products are used, need to ensure that their IoT products are not part of bot nets or other hostile campaigns.

There are IoT products which are connected in different networks but do not communicate outbound, those which communicate outbound, as well as those that are installed in isolated islands and disconnected from the network where they are used. The ones residing in isolated islands may sometimes have a mobile connection outward to be able to transmit data, get updates or upgrades, or get remote support or maintenance. In such cases, it should be considered whether to have a process for opening up remote access, and not keep it open continuously. It is rather common to put "problematic" equipment in islands if it is old, non-updated and has a too low level of cybersecurity to be allowed in the organization's network. A vulnerability which can be used by various actors is the support, service and maintenance of IoT products, finding ways to get hostile code, malware or viruses planted. Thus, the processes for support, service and maintenance must be reviewed in order to ensure that these do not open up such weaknesses, and to always ensure that any new updates, upgrades, components or spare parts brought in are verified to be "clean" prior to installation. Examples of where verification can be needed are downloaded software packages, external laptops, USB-sticks or disks. Thus, there must be cybersecured support, service and maintenance processes at the supplier of the IoT product and at the other involved parts of the value-chain.
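The text above asks that distributed update packages be verified to be "clean" before installation, and notes that signed packages that "look OK" are hard to judge by inspection. The following Go program is an added example of the mechanical part of that verification, not code from the handbook or from any supplier's update system. It assumes an Ed25519 release key whose public half is pinned in the device at manufacturing, and a constructed manifest format that binds the firmware image hash to a version number so that the one signature covers both; the image bytes and version numbers are sample values made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed, hypothetical update manifest: it binds the
// firmware image hash to a version number so the signature covers both.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// bytes serialises the manifest deterministically; this is what gets signed.
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// SignedUpdate is what the supplier distributes: manifest, signature and image.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// BuildUpdate is the supplier-side step: hash the image and sign the manifest
// with the release signing key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.bytes()), Image: image}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: untrusted key or tampered manifest")
	ErrHashMismatch = errors.New("image hash does not match signed manifest: image tampered")
	ErrRollback     = errors.New("update version not newer than installed: rollback refused")
)

// VerifyUpdate is the device-side (or installer-side) check run before
// anything is flashed. vendorPub is the supplier's public key pinned in the
// device at manufacturing time; installed is the currently running version.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(vendorPub, u.Manifest.bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrHashMismatch
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed supplier release key; in practice the private half stays in an HSM.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	good := BuildUpdate(priv, 2, []byte("firmware v2 image (constructed)"))
	fmt.Println("genuine v2 on v1:", VerifyUpdate(pub, 1, good))

	// Hostile code spliced into the image somewhere in the distribution chain.
	tampered := good
	tampered.Image = append([]byte{}, good.Image...)
	tampered.Image = append(tampered.Image, []byte(" + planted payload")...)
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	// Re-signed with a key that is not the pinned vendor key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := BuildUpdate(otherPriv, 3, tampered.Image)
	fmt.Println("foreign signature:", VerifyUpdate(pub, 1, forged))

	// A genuinely signed but not newer image is also refused.
	fmt.Println("genuine v2 on v2:", VerifyUpdate(pub, 2, good))
}
```

The three checks are ordered so that the signature is verified before the image hash is trusted, and the version is compared only once the manifest is known to be genuine; a signed-but-old image being refused is what stops an attacker from re-distributing a vulnerable release that the supplier once legitimately signed. Verification of a package's signature does not, of course, tell anything about whether the code the supplier signed is itself free of planted code; that is the review problem the text describes.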


2.4 Risk analysis and risk mitigation

Risk analysis involves estimating/calculating the probability of, and the potential impact from, an asset being used, via its weaknesses/vulnerabilities, within the scope of the threat. Thus, a risk analysis potentially needs to involve many actors in a value-chain. At an initial stage, it is likely that the IoT product supplier's development organization will be most involved in risk analysis efforts and will at that stage also try to foresee how the rest of the value-chain may affect the IoT product. Hopefully, this will lead to a number of functional and cybersecurity requirements as well as test cases for the product manager to consider. After some time in use at customers, the value-chain of an IoT product will start to learn what works, what does not work, and what can be improved. Consequently, suitable actors in the value-chain participating in installation, support, service and maintenance should get involved, as well as any stakeholders of interest at the customer (where the IoT product is used). At professional customers, object owners, maintenance leaders and OT-security responsible staff collect feedback, experiences and potential improvements, which a product manager can transform into requirements for the further development of the IoT product. For both professional and domestic customers, user groups or similar can be a good source of new requirements to develop. Listening to customers is also a way to avoid discontented users or stakeholders, who may post their discontent on the Internet if nothing happens

FIGURE 4 – INFORMATION AND DATA IN IOT PRODUCTS. RISK LEVELS FOR DIFFERENT USE CASES (SEE CHAPTER 9) SEEN FROM A LARGER PERSPECTIVE.



in terms of development and improvements. Further, some suppliers pay those who find weaknesses/vulnerabilities, to prevent these from ending up in hacker groups on the Internet or the Darknet that would make money from them instead.

Figure 4 provides an example of how different organizations' data and information can be seen in risk levels, and roughly what impact a potential exposure of these can render in a larger perspective. The potential impact of the risks regarding, for instance, availability or integrity is not part of Figure 4.

There are simplistic and complicated methods to use for a risk analysis. It is probably better to start with a simplistic method and make it more sophisticated later on as needed. Examples of such methods can be found in books and standards/guidelines addressing risk assessment/analysis/mitigation: ISO 27005 and ISO 31000, the NIST risk management framework and the CIS risk assessment method. What to remember, whichever method is used, is to involve all parties, stakeholders and actors who need to and can contribute. Unfortunately, it is common to bring in too few of these, which can result in the overall risk not being accurate. Further, risk analyses are to be executed on a continuing basis (at the start of all development projects at IoT product suppliers and at least annually at the customer), and more often if the surrounding world, i.e., the risk profile, changes drastically or fast for the worse.

2.5 Principles for cybersecure design of IoT products

There are supporting principles for many aspects of the design and development of products. There are general ones as well as specific ones targeting IoT products. The design-for-x or x-by-design thinking has been around for a long time, in particular involving mechanical product development, and these principles have been developed as demanding business models have transformed mechanical products to become IoT-fied or transformed into more extensive cyber-physical systems or even larger systems (e.g., systems-of-systems). Examples of such business models are: products with loosely coupled


services, products with integrated services, PSS (Product-Service Systems) and functions or functional products. These should all be of interest for suppliers of IoT products. Pertaining to cybersecurity, the EU and ENISA have for some time promoted the principles of security-by-design and privacy-by-design. The foundation for these is that cybersecurity requirements shall be part of the initial set of requirements, as otherwise cybersecurity added on later will become more expensive and likely not as good either. Further, personal information (which is processed, stored and/or communicated) shall be protected from the start to the end of the personal information's life-cycle within that system. This concerns mainly general software and systems, but also IoT products. There are additional design principles of interest, such as those of Stallings and Brown6, who prescribe minimizing the attack surfaces of networks, software, people and physical access. Stallings and Brown outline 13 principles, including for instance: least level of rights/authorization, separation of rights/authorization (i.e., that a single user can only do certain tasks alone, whereas some tasks require that two users are involved), least number of common mechanisms, isolation, encapsulation, modularization, use of layers/levels, and open design. The zero-trust model, which is frequently used, also needs to be considered, as it encompasses that each part of a system shall have its own adequate level of cybersecurity and not be dependent on any other party's level of cybersecurity. Thus, here goes the slogan "never trust, always verify": no one shall trust anyone else prior to a successful verification. An IoT product can, or should if needed, be divided into different trusted zones. Of course, this depends on which parts or components the IoT product comprises. However, to be able to create a separation, keep up a high level of availability and protect data/information, such separation into zones can be necessary. Chapter 3 will bring up more on this aspect, and if the requirement engineering during development of IoT products uses the contents of chapters 2 and 3, both of the above design principles will be considered. Chapter 3 brings up a number of standards, of which most address at least security-by-design7.

Another, but not new, principle or paradigm is the micro-services paradigm, which has started to be used a lot as many suppliers of IoT products and larger systems have realized that keeping all software code in one or a few blobs is not efficient, as that causes the costs for maintenance and testing to be unnecessarily extensive and time consuming (as all code needs to be tested even for small changes). To lessen this problem, "containers" or similar are used to hold small and independent micro-services (which should be easy to replace and have well-defined service descriptions) that collaborate with other such micro-services using well-defined protocols and interfaces. The strategic thinkers have added common base functionality for cybersecurity, administration and fleet management in an underlying platform which all micro-services use. The idea here is that if one changes one micro-service, it is only that one that needs to be thoroughly tested, together with checking that it works as it should with the others via the defined protocols and interfaces. Thus, there is no need to test all code, i.e., all micro-services, if you change one or a few of them. If there are changes to the underlying platform, it needs to be tested, as well as a number of selected micro-services depending on what the changes are related to. However, to keep developing IoT products and keep all software code in one or a few blobs is neither efficient nor a profitable way forward. There is a risk that not doing this will impair the innovation speed and tie up resources for no good at all. There are many such underlying platforms for IoT and automation, and the hard thing to do is to select one which is good now as well as in the future. If the code is developed in an adequate way, it is of course possible to change the underlying platform, and having a common underlying platform within a development organization can potentially render good scaling effects, as knowledge and automated test suites can be re-used for new projects and IoT products.

Regarding the hardware, there are similar ways of thinking as for the software, as when it is possible and suitable to break down larger parts into exchangeable modules and components which have well-defined interfaces and standardized functionality (i.e., compatibility).

6 Stallings, W. and Brown, L., Computer Security: Principles and Practice, 4th edition, Pearson, USA, 2018
7 https://www.enisa.europa.eu/news/enisa-news/how-to-implement-security-by-design-for-iot
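Three of the principles named in section 2.5 can be shown together in code: least level of rights, separation of rights where some tasks need two users, and the zero-trust rule that every trusted zone verifies for itself rather than relying on another zone's verdict. The Go program below is an added example written for this edition, not the handbook's or any platform's code. It assumes a constructed capability token protected by an HMAC under a key shared between the product's identity service and its zones, and zone names, operation names and subject names made up for the example; a production design would more likely use asymmetrically signed tokens so that verifying zones hold no signing secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Token is a constructed, hypothetical capability token: the subject, the
// rights granted, and an HMAC over both issued by the product's identity
// service. Every zone verifies it itself; no zone trusts another zone's word.
type Token struct {
	Subject string
	Rights  []string
	MAC     string
}

func tokenPayload(subject string, rights []string) string {
	return subject + "|" + strings.Join(rights, ",")
}

// Issue mints a token. The issuing key is the only shared secret; in a real
// product it lives in a secure element or the platform's key store.
func Issue(key []byte, subject string, rights ...string) Token {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(tokenPayload(subject, rights)))
	return Token{Subject: subject, Rights: rights, MAC: hex.EncodeToString(mac.Sum(nil))}
}

var (
	ErrUnverified  = errors.New("token failed verification")
	ErrNoRight     = errors.New("subject lacks the right for this operation")
	ErrDualControl = errors.New("operation requires two distinct authorised approvers")
)

// Zone is one trusted zone of the IoT product (e.g. telemetry, control,
// firmware). Each zone holds the verification key and its own policy.
type Zone struct {
	Name        string
	Key         []byte
	DualControl map[string]bool // operations that need two approvers
}

// verify checks the MAC and that the token grants the requested operation.
// Least privilege: a right is "zone:operation"; nothing broader is accepted.
func (z Zone) verify(t Token, op string) error {
	mac := hmac.New(sha256.New, z.Key)
	mac.Write([]byte(tokenPayload(t.Subject, t.Rights)))
	presented, err := hex.DecodeString(t.MAC)
	if err != nil || !hmac.Equal(presented, mac.Sum(nil)) {
		return ErrUnverified
	}
	for _, r := range t.Rights {
		if r == z.Name+":"+op {
			return nil
		}
	}
	return ErrNoRight
}

// Authorize decides whether op may run. approvers are the tokens presented;
// every one must verify (fail closed), and a dual-control operation needs
// two verified tokens from distinct subjects.
func (z Zone) Authorize(op string, approvers ...Token) error {
	seen := map[string]bool{}
	for _, t := range approvers {
		if err := z.verify(t, op); err != nil {
			return err
		}
		seen[t.Subject] = true
	}
	if len(seen) == 0 {
		return ErrUnverified
	}
	if z.DualControl[op] && len(seen) < 2 {
		return ErrDualControl
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // assumption: key shared by identity service and zones
	telemetry := Zone{Name: "telemetry", Key: key}
	firmware := Zone{Name: "firmware", Key: key, DualControl: map[string]bool{"update": true}}

	operator := Issue(key, "operator-1", "telemetry:read")
	fmt.Println("operator reads telemetry:", telemetry.Authorize("read", operator))
	fmt.Println("operator updates firmware:", firmware.Authorize("update", operator))

	// A token that claims the right but was never minted with the key.
	forged := Token{Subject: "intruder", Rights: []string{"firmware:update"}, MAC: strings.Repeat("00", 32)}
	fmt.Println("forged token:", firmware.Authorize("update", forged))

	maint := Issue(key, "maintainer-1", "firmware:update")
	lead := Issue(key, "lead-dev-1", "firmware:update")
	fmt.Println("one approver:", firmware.Authorize("update", maint))
	fmt.Println("same approver twice:", firmware.Authorize("update", maint, maint))
	fmt.Println("two approvers:", firmware.Authorize("update", maint, lead))
}
```

Note that the telemetry zone never consults the firmware zone and vice versa: each re-verifies the token against its own copy of the key and its own policy, which is what makes the separation into zones hold even if one zone is compromised. The dual-control check counts distinct subjects, not tokens, so presenting the same credential twice does not satisfy it.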


3. Prior to starting up a new project
This handbook aims to cover the whole life-cycle of an IoT product, and this affects the requirement analysis and the potential infrastructure and processes as well as the structures needed around an IoT product. There are quite a few aspects that need to be considered prior to starting up a new project, as well as from the very start of the life-cycle. Unless these aspects are well considered, there is a risk that the initial development/project cost looks fine whereas the whole life-cycle cost and profitability will not look good.

In brief, the following will be addressed in this chapter:
• Early stage with business development, ideas, and concept development
• Requirement analysis – collection and analysis of functional and holistic requirements, laws/regulations, industry standards and voluntary standards, best practices, design principles (see section 2.3) etc.
• Management responsibility – to provide the necessary conditions required
• Development environment and development process
• Testing
• Maintainability over time
• Quality-level
• Industrialization
• Development
• Post development – maintenance/service/updates and support as well as optimizations and training packages. Commonly, this phase is the longest in a life-cycle
• Monitoring of IoT products during its life-cycle. Usually, this phase is also long
• At the end of a life-cycle

3.1 Early stage – business development, ideas, and concept development

At an early stage, it is necessary to keep sensitive planning and decision-making concerning an IoT product's business protected and confidential. This does not directly impact an IoT product's final level of cybersecurity, but it is the start of getting there. Thus, what needs to be protected is: information and sketches/drawings as well as notes which are related to business development, ideas that hatch into concepts, selection of concepts and concept development, potential prototypes or demonstrators, concept evaluations, etc. This should be kept within as small a group as possible in order to maintain confidentiality prior to the next steps to take.

Therefore, cybersecurity is needed in an organization's IT environment and development environment to be able to protect data and information related to:
• Early business development and later stage business development with business modelling considerations
• Idea generation, concept generation and selection of concepts to continue with
• Concept development – protection of ideas, sketches, and drawings as well as business modelling/planning
• Prototypes and/or demonstrators


• Protect the early requirement analysis' results, which may be generated out of prototypes or demonstrators, as well as the experiences gained from these

Further, all involved need to refrain from talking about or discussing the early stage's contents or results, and instead act responsibly and handle such information with adequate protection: at visits at customers, in the car from work to home when stopping to shop groceries, while travelling in the line of duty, or when commuting to and from work using public transport. Thus, all this may require that such information is encrypted and protected by additional means, both within the organization's environments and when it is outside the premises, carried around inside laptops, mobile phones and USB disks, or e-mailed.

3.2 Requirement analysis – collection and analysis of functional and holistic requirements from stakeholders, laws/regulations, industry standards, etc.

There are a number of general and governing requirements for cybersecurity, i.e., the CIA+TP which are further described below, that may impact the whole IoT product's design and adaptation to various circumstances during the life-cycle. Specifically, the developer of an IoT product needs to understand the surrounding contexts, processes and data/information that will be present during the usage. It is advisable to ask users at the customers which level of availability (e.g., a potential availability classification) is wanted and what data/information will reside within the IoT product. Examples of data/information security categories are: open, internal, confidential and strictly confidential, as well as whether personal data or data about critical infrastructures/state security will be part of the scope.

• C (Confidentiality) – what needs to be protected/kept confidential, and how?
• I (Integrity) – how to prevent unauthorized changes in the IoT product or the data/information residing in it?
• A (Availability) – what are the requirements for availability, robustness and resilience (i.e., being able to continue to operate in case of serious problems or issues)?
• T (Trustworthiness) – what is required to uphold the trust, concerning the IoT product, from customers, the surrounding world, and the own organization?
• P (Provenance) – traceability (i.e., provenance) regarding the data/information which resides in the IoT product and potentially later is transferred to other systems for storage and analysis? The IoT product's configurations and settings may be affected here as well. Any changes made to the IoT product's hardware and software need to be traceable in the development environments, for instance by using "tags" in software code and version numbering or similar arrangements.

Within IT environments, the order of importance for the starting triad is commonly CIA, whereas within OT environments and critical infrastructures the order of importance is often AIC, with the TP attached at the end. Thus, it is important to know/learn whether the IoT product will be used in IT or OT environments, or within critical infrastructures.

Regarding the data/information which will be generated within or around an IoT product, and which has a potential value for analytics or add-on services and extra functionality pertaining to maintenance/monitoring/optimizations, it is advisable to first analyze business-related, legal and contractual matters such as:
• Who will own the data that will reside within the product?
• Where will this data be stored? Are there any legal or other aspects to consider?
• What may the data be used for?
• Who may use which data and when?
Photo caption: The cybersecurity thought process must start already when you start planning a new product and is not something you solve only in the end-user phase.
Depending on the outcome of the above questions, it is in any case a good idea to separate different types of data, so that the above questions can be answered clearly and so that future business development is prepared for (which may take off as everyone understands the possibilities of using data for different purposes). An example of such a separation is:
• Data related to persons (due to, for instance, GDPR within the EU). If this data is kept separate, it is much simpler to develop the functionality needed to follow up compliance with various laws and regulations.
• Process and quality data which concern the activities or processes where IoT products are used. These data can for instance be used for optimization of functions and quality-level within processes (by measurements on the processes' input and output – broken down to sub-processes and/or whole processes).
• Maintenance-related data, which pertain to wear and tear and the need for maintenance of IoT products and their surroundings, and are collected via sensors, cameras, counters, etc. This is something that IoT product suppliers commonly provide as add-on services, as well as collecting data about their fleets in order to find whether there are any general problems or weaknesses that need to be designed out or corrected through improved maintenance processes, etc. Additional related functionality may be to enable reduced load (graceful degradation) or an emergency shutdown capability to prevent a complete breakdown.
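The three-way separation above, as an added example in Go that is not the handbook's own code: a constructed field-to-category table splits each record an IoT product emits into personal, process/quality and maintenance parts, refuses to store a record containing a field nobody has classified, and answers the ownership, storage and usage questions per category from a constructed policy table (field names, owners and storage locations are assumptions for illustration).

```go
package main

import (
	"fmt"
	"sort"
)

// Category is one of the three data sets the handbook proposes to keep apart.
type Category string

const (
	Personal    Category = "personal"    // data about persons: GDPR or similar laws apply
	Process     Category = "process"     // process and quality data of the customer's activities
	Maintenance Category = "maintenance" // wear, tear and fleet data used by the supplier
)

// Policy records the answers to the questions asked before collecting data: who owns it,
// where it is stored, and what it may be used for.
type Policy struct {
	Owner   string
	Storage string
	Uses    []string
}

// Policies is a constructed example; real values come out of the contracts with each customer.
var Policies = map[Category]Policy{
	Personal:    {"customer (data controller)", "customer site, EU", []string{"access control", "audit"}},
	Process:     {"customer", "customer data warehouse", []string{"process optimization"}},
	Maintenance: {"supplier (per contract)", "supplier fleet cloud", []string{"predictive maintenance", "fleet statistics"}},
}

// fieldCategory maps every field this (constructed) IoT product emits to exactly one category.
// A field that is not listed is unclassified and must not be stored until someone classifies it.
var fieldCategory = map[string]Category{
	"operator_id": Personal, "badge_scan_time": Personal,
	"cycle_time_ms": Process, "reject_count": Process, "batch_id": Process,
	"vibration_rms": Maintenance, "run_hours": Maintenance, "error_code": Maintenance,
}

// Segregate splits one record into per-category parts and lists the unclassified field names.
func Segregate(record map[string]interface{}) (map[Category]map[string]interface{}, []string) {
	parts := map[Category]map[string]interface{}{}
	var unclassified []string
	for name, value := range record {
		cat, ok := fieldCategory[name]
		if !ok {
			unclassified = append(unclassified, name)
			continue
		}
		if parts[cat] == nil {
			parts[cat] = map[string]interface{}{}
		}
		parts[cat][name] = value
	}
	sort.Strings(unclassified)
	return parts, unclassified
}

// Route returns, per storage location, the part of the record that may be written there.
// Any unclassified field rejects the whole record (default deny), so the ownership,
// storage and usage questions never have to be answered after the fact.
func Route(record map[string]interface{}) (map[string]map[string]interface{}, error) {
	parts, unclassified := Segregate(record)
	if len(unclassified) > 0 {
		return nil, fmt.Errorf("unclassified fields %v: classify them before storing", unclassified)
	}
	out := map[string]map[string]interface{}{}
	for cat, part := range parts {
		out[Policies[cat].Storage] = part
	}
	return out, nil
}

// MayUse answers "who may use which data for what" for one category and purpose.
func MayUse(cat Category, purpose string) bool {
	for _, u := range Policies[cat].Uses {
		if u == purpose {
			return true
		}
	}
	return false
}
```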
3.2.1 Industry standards and standards which can be usable and provide guidance to cybersecurity requirements

Laws and regulations can pose obligatory requirements, whereas other requirements may be voluntary or posed by the industry an organization is active within. All this can be the base for general and physical security requirements as well as cybersecurity requirements. Some physical security requirements may be related, or linked, to cybersecurity requirements in that an IoT product may need an outer physical security protection/perimeter, or that it is locked into for instance a cabinet/room preventing physical tampering without authorized access and authorization level. Further, there are a number of best practices which can, in an efficient manner, provide others' past experiences so that these need not be repeated at unnecessary effort and cost. Such best practices can be a source for cybersecurity requirements pertaining to the own IoT product. Below is a summary which may provide high-level guidance into these. However, all product development groups need to do their homework and find out what is required and applicable for their IoT product within the contexts and industries of interest.

• Product rules/regulations and laws – CE-marking including for instance RED and other type approvals as well as extended warranty. This is often a requirement within the EU, USA, Australia and Asia
• Laws about safety/security/cybersecurity
  • GDPR (and Schrems II) or similar laws/regulations in other parts of the world
  • The nearing EU Cyber Resilience Act (cybersecurity requirements posed on products throughout the whole life-cycle)
  • The nearing EU Cybersecurity Act (framework for cybersecurity certification)
  • Patient data laws
  • National safety/security protection laws
  • The EU NIS/NIS2 directives which concern critical digital services related to (an extended) society
  • UN Resolution MSC.428(98) concerning the marine/shipping sector
  • Swedish law 2018:1174 concerning information security for digital services critical for society
• Industry standards – some examples are as follows:
  • ETSI TS 103 645/TS 103 701 (IoT security for consumers)
  • ISO/IEC 27018 (protection of personal data in cloud services)
  • Healthcare - IEC 81001-5-1, MDCG 2019-16 (medical technology devices)
  • PCI-DSS (protection of credit/payment card data)
  • SSF 1120-1 (IoT – connected devices – requirements and testing)
  • SSF 3523 (digital locks – classification, requirements and testing)
  • IEC 62443 3-3 (pertains to automation/control systems in various industries)
  • ISO 21434 (cybersecurity in vehicles)
  • ISO/IEC 30141:2018 (reference architecture for IoT)
  • ISO/IEC 27400 (IoT security and integrity)
  • NIST Cybersecurity for IoT
  • IMO's MSC-FAL.1/Circ.3 guidelines for cybersecurity in marine/naval environments (concerns class action related to vessels, crafts and platforms). DNV-RU-SHIP Pt.6 Ch.5 and Lloyd's Register Cyber Safe for marine (both of these are based on IMO's guidelines and also upon IEC 62443 3-3). See also IACS E26/27
• Swedish Civil Contingencies Agency's recommendations for industrial control systems and IoT as well as cyber-physical systems (critical infrastructure). The Swedish Food Agency's recommendations, which are based on the ones from the Swedish Civil Contingencies Agency, are used at regulatory audit/review of production and distribution of, for instance, clean water
• ENISA's recommendations regarding IoT/cloud/critical infrastructures and the development and use of these (industry and critical infrastructures)
• Swedish Association of Local Authorities and Regions'/RISE's KLASSA för IoT
• Swedish Association of Local Authorities and Regions' Informationsäkerhet inom fastighetsområdet & IoT
• Swedish Association of Local Authorities and Regions' Informationssäkerhet i fastighetsorganisationen
• Swedish Association of Local Authorities and Regions' Vägledning för IoT-tjänster
• ioXt Alliance (certification program for secure IoT products)
• SSNF's Robust och säker IoT (stadsnät)
• Traficon (Finnish transport and communications networks)
• Best practices and more – examples are as follows:
  • GOV.UK (Consumer IoT Security)
  • IoT Security Foundation – search their global web site under the "publications" part
  • OWASP IoT Verification Standard (advice for development of cybersecure software and the most commonly used weaknesses/flaws exploited by hackers)
  • Cloud Security Alliance (cloud and IoT) – search their global web site under the "research" section
  • IBM (cloud and IoT) – search their global web site for best practices and advice
  • Microsoft (cloud and IoT) – search their global web site for top-10 lists and best practices
  • Google (cloud and IoT) – search their global web site for best practices
  • IoT Security Institute (regarding smart cities and critical infrastructures)

3.2.2 Practical functional and environmental requirements related to cybersecurity

If functional and environmental requirements do not have any relation to other matters, and can be considered stand-alone, they are easier to manage. However, many such requirements have relations to other matters such as cybersecurity. To manage the latter, the design principles and modularization can be used, as well as standardized components/parts and micro-services, as the requirements are broken down into smaller pieces. Functional requirements concern what the IoT product is to be able to do, and preferably these shall be practical and well designed to facilitate efficient management throughout the life-cycle and to optimize the life-cycle cost as much as possible. Developing functional requirements into functionality that is complicated and expensive later on, such as poor service and maintenance functions, will discourage many customers and their users from buying additional ones or replacing IoT products whose life-cycles end. Thus, this is important for suppliers of IoT products to consider. An example of this is recent cars, where it is very hard to replace a front lamp by oneself.

Practical functional and environmental requirements are for example as follows:

Operations environment – the environment where an IoT product operates impacts the design regarding both outer protections and cybersecurity. A tough/rough industrial environment poses its own requirements, as does an IoT product that will reside in a more or less unmonitored
and unprotected environment outdoors, indoors or in domestic environments. Thus, both physical attacks and cyberattacks may lead to unavailability or destruction in exposed environments. Physical access may also lead to a risk for cyberattacks by connecting through unsecure/unprotected interfaces, or just by being able to remove a hatch and access electrical contact points or memory cards in the interior of the IoT product.

Hardware requirements – there is often, also in what appears to be a secure environment, a need to protect the IoT product from physical access and destruction and to make it not easy to open up. The least that is needed is for instance to use a seal or sticker on any openable hatch above memory cards and/or an interior with electrical contact points. An alternative is to recommend that the IoT products should be installed in a fully controlled environment with physical locks (i.e., within a locked room or cage/cabinet). Having just a simple plastic cover, which is easy to bypass, may mean that a break-in is not detected for some time. To prevent this, there can be a built-in function that sends an alarm and potentially also deactivates the IoT product at a physical attack or destruction attempt (in particular, if the IoT product can be used to launch a larger cyberattack into a network). IoT products that are vulnerable and unprotected should reside in a network that is not connected to the main network. Examples of such are connected car heating poles at parking lots, external alarm systems, external lock systems without monitoring, etc.

Related to environment – the possibilities to exchange/replace old worn or torn hardware components, or to freshen them up again in order to be able to continue to use them (i.e., refurbishing or re-manufacturing), should be considered for the IoT product's life-cycle. When the primary life-cycle for an IoT product reaches its end, it is often possible to find a new life-cycle in other contexts, where the requirements may be lower, and it is possible to avoid scrapping or destruction (i.e., re-purposing or down-cycling). However, the IoT product needs to be emptied and all data, information, configurations, etc., properly wiped before the IoT product continues with a new life-cycle elsewhere.

Information flows – it is likely that data and information will flow through the IoT product during its life-cycle, and considerations are necessary regarding where the flows shall be stored or buffered on their way to any potential processing. This needs to be done in a cybersecure way. Previously, there is an example of how to segregate the data and information in an IoT product regarding personal data, process- and quality-related data, as well as maintenance- and fleet management-related data, in order to facilitate transparency pertaining to: who owns the data, and who can do what with the data, when and how. If cloud services or the supplier's own central servers are used for storage of data and information, it becomes a bit more complicated compared to if the storage is at the customer's site in a data warehouse or local server. In any case, there is a lot of interesting business development to do now and in the future based on data and information. Thus, this should be considered well.

Interoperability and compatibility – how should the IoT product fit into different object owners' target environments, and which requirements will this pose on the design? Potentially, the design can be affected by: how the data/information can be exfiltrated through networks and firewalls, how data/information should be stored/shared in a cybersecure manner, what data formats and communications protocols are needed, whether it should be possible to export data and information to different formats (except that backup and restore (import) shall be simple to do), how authorized persons should be able to connect in from the outside and which functionality they need, etc.
Knowledge in the operations environment – if the IoT product is simplistic, the knowledge required to operate it should be acquirable via some training. In case the IoT product and its function are complex, there may be a need for extra knowledge provided by the supplier or some other actor within the value-chain. Potentially, depending on context, support and service can be provided from a distance through a cybersecure connection, or on-site. Further, training and education packages can be provided. In addition, externals can participate through a cybersecure video link, and virtual/augmented reality (VR/AR) can be used for training and trials prior to doing the real activities.

Cybersecurity in the distribution chain – how should an IoT product and its components/parts simply and effectively be distributed to customers, initially and then later during the life-cycle, without compromising the IoT product's physical or logical contents? Consider this and ensure that the IoT product and spares or components are intact at arrival at the customers and users.

Efficient installation, configuration, and commissioning – if this is considered properly, a lot of time and travelling can be saved. Such a process, which commonly has several steps, needs to be cybersecure. Consider whether it is possible to automate parts or whole steps by using fleet management functions with plug-and-play, autoconfiguration of local settings and network connections through already prepared central settings which are fetched, combined with automatic or manual commissioning. There is a lot that can be achieved here, and if costs can be cut for customers and users having many IoT products, by using a high degree of automated process steps, the IoT product becomes very attractive. Some of the advantages of using central management, or fleet management, are fewer errors and that it is easier to change a lot of IoT products fast if or when needed.
Cybersecurity during the potential operation and maintenance phase – an IoT product needs to be designed to be able to be operated and maintained in a cybersecure manner until the end of the life-cycle. Usually, data and information about the process, quality outcomes and maintenance needs are required to do this in a somewhat optimized way, but the IoT product also needs to be designed so that this can be executed effectively either on-site or from a distance (i.e., what is possible to do or prepare remotely), combined with what can be automated.

Cybersecurity at the end of the life-cycle – at some point in time, an IoT product and its parts/components need to be de-commissioned, potentially destroyed and re-cycled without compromising any IPR, data and information (settings, recipes/programming, operational data such as IP addresses, etc.). For such situations, a fleet management function can be provided and used for de-commissioning and, at the same time, for securely removing any IPR, data and information. Further, if physical destruction is necessary, it needs to be according to the policies of the customers and their users. However, as a supplier, it is a good idea to have an instruction for how to best do this, unless there is a producer responsibility to do the destruction and re-cycling. In case of such a responsibility, there should be an internal supplier instruction in order to properly ensure adequate destruction and re-cycling.

3.2.3 General cybersecurity requirements for IoT products

Each IoT product and the contexts where such are used pose specific cybersecurity requirements. This needs to be discussed and analyzed, in terms of impact, together with customers and users, combined with an understanding of the surrounding world in terms of threat environment, wars and war conditions, laws and regulations. To provide an insight into what can be categorized as general cybersecurity requirements, we will look at the structure provided by the standard IEC 62443 part 3-3 and its security level 1 (out of 4, where 4 is the highest). An industry can have enforceable requirements for components and systems which are critical and can have an impact on the environment. One such example is the maritime industry with class action, which applies to newly contracted vessels and installations from 1 January 2024 [8]. It is likely that other industries, also on shore, will start to take similar actions. However, some industries such as transport, air and space already have some cybersecurity requirements and regulations.

In IEC 62443 part 3-3 and its lowest security level 1, which in general applies to cybersecurity of components, there are a number of groups comprising requirements according to below. Please observe that this is only an example to outline what already exists, mainly for professional environments, and what it is possible to certify towards if there is a need or requirement to do so. Regarding additionally critical environments, the security levels 2-4 can be applicable and of interest to review. Within Sweden, different industries have various industry-specific guidelines and sets of requirements (see for instance the Swedish Civil Contingencies Agency's and the Swedish Association of Local Authorities and Regions' publications in chapter 10 and section 3.2.1) which may provide a foundation to start with. Below, briefly outlined on a high level, is what security level 1 comprises. This is worth checking out, and then also considering what is relevant for the specific context:
• Identification and authentication controls with:
  • Identification of users.
  • Authentication levels and which level of authentication different user groups or roles have (e.g., users with the right to view, users with the right to change, administrators). Further, administration from an unsecure or external network may require 2- or multifactor authentication.
  • Identification and authentication of software processes and devices.
[8] Look on the web about IACS UR E26/E27 - https://iacs.org.uk/news/iacs-adopts-new-requirements-on-cyber-safety/
  • User management.
  • User groups/roles.
  • Ability to change and manage the authentication method.
  • Management of wireless access.
  • Requirements for the ability to change the strength/length of passwords and whether passwords shall be visible or not at login.
  • Ability to manage how unsuccessful login attempts are to be handled (how many are allowed, temporary lock, whether only administrative accounts are locked and need to be enabled again, managing the length of time-outs before new login attempts can be made or after a number of attempts have been made during a certain period of time).
  • Ability to manage and change system messages.
  • Ability to allow or disallow access from untrusted/unsecure networks.
• Management and control of usage through:
  • Requirement for authorization (who has rights to do what) regarding human users, according to the principles of division of responsibility and least privilege.
  • Control/management of wireless usage and access.
  • Control/management of potential portable or mobile devices (in connection to the IoT product or its networks).
  • Ability to limit the usage of dangerous/malicious mobile code (such as JavaScript, ActiveX, PDFs, etc.).
  • Ability to lock sessions (e.g., time-based or user controlled).
  • Ability to terminate any remote connections (time-based, on inactivity, or by a local supervising user via a button).
  • Ability to manually approve any remote connections and terminate such.
  • Audit logging (time stamped; what is relevant to log and needs to be logged according to requirements based on laws, standards, or object owners at customers).
  • Ensure there is adequate storage left for audit logs (depends on the amount and duration of logging).
  • Ability to control who can access audit logs and ensure that these are protected (and cannot be altered by anyone).
  • Required actions to take in case of audit logging failure – what to do and how to get attention to rectify it?
  • Time stamping of each log entry.
• System integrity including:
  • Integrity of communications in unprotected networks (in order to notice if any communications are altered).
  • Have protection against dangerous/malicious code (everywhere or at points with incoming or outgoing communications).
  • Ability to verify that the cybersecurity functionality works (i.e., to have a set of functions, procedures, scripts or similar that can be executed to show/verify that everything works as it should).
  • Validation of input.
  • Have "fail-to-safe" functionality if normal operation is not possible due to a cyberattack (and the ability to return to a failsafe state).
  • Have integrity protection of sessions (e.g., use of unique session IDs for each session).
• Data confidentiality including:
  • Protection of the confidentiality of communications and storage (through encryption).
  • Apply authorization for access/read.
  • Have requirements for updated and adequate encryption algorithms, key lengths, certificates, and processes for management of keys and certificates.
  • Ability to upgrade algorithms and keys with additions if/when there will be tougher requirements.
• To limit data flows through:
  • Have segmented networks (logical/physical or both) where the IoT product is operated.
  • Have zone protections with the ability to monitor and control the communications at the border of the segment (i.e., compartmentalization), "deny-by-default and allow-by-exception", and the possibility to manually stop the communications between zones. Further, the possibility to operate in island mode.
  • Ability to hinder "peer-to-peer" communications or similar solutions (i.e., only have approved communications within the solution and in/out of segments).
  • Partitioning of applications/services/data (in order to achieve independence and protected zones).
• Response times at events through:
  • Having audit logs that are readable (read only) for authorized users (humans or tools).
• Ensure availability of resources through:
  • Have protection against DoS attacks or similar problems – the IoT product shall be able to operate in degraded mode also during such attacks.
  • Have resource management – the IoT product shall reserve adequate system resources for security-related functions in order to prevent that all system resources are occupied (i.e., at maximum load) by the other functions.
  • Have backup functionality – backups of critical data and audit logs shall be made without affecting normal operations (and be stored at a location that is available but not on-line, i.e., de-linked).
  • Have functionality for restore and recovery/restart – the IoT product shall be possible to restore and recover/restart to a known and safe state after a disruption or error.
  • At high requirements for availability, provide an extra power source inlet (i.e., the possibility to have two or more different power sources plugged in), and a change from primary to secondary power source shall not affect the IoT product's cybersecurity functionality.
  • Ability to configure and change settings or configurations of networks and security level – the IoT product shall be possible to configure (via an interface) so that its network and security parameters are aligned with recommendations from the supplier (may be executed locally or centrally via a cloud service).
  • Apply the principle of least functionality – unnecessary functions/services, ports, protocols, etc., shall be disabled, forbidden or removed from the IoT product.

If an IoT product has its own, or connects to an external, cloud service or server at another location to store data, or for fleet management functionality, updates, report functions, optimization functionality, etc., there will be additional requirements to protect these. If these are available via the Internet, it is possible to get an overview of potential cybersecurity requirements from Cloud Security Alliance, Microsoft, IBM, etc.

Further, there can be a need to be able to manage which software may be executed on the IoT product (i.e., device) via secure or trusted boot and a "chain of trust" from hardware, via the operating system, to apps. In such cases, additional hardening, such as "secure boot", can be needed. This is a method designed to ensure that a device only executes trusted software. The method verifies the integrity of software which is loaded during the boot-up phase. Commonly, secure boot is implemented as part of an IoT product's boot-up software and is based on using cryptographic keys to verify the integrity/origin of software before it is loaded. Preferably, cryptographic keys are securely stored in a hardware module (e.g., a trusted platform module (TPM)). As the IoT product starts up, the boot-up software (i.e., boot firmware) checks the signature of the start manager (i.e., boot loader) using the stored keys. If the signature is valid, the start manager is allowed to execute. Subsequently, the start manager repeats this process for the operating system and all other software being loaded. Thus, a secure boot prevents malicious code from being started on an IoT product, as it verifies the software prior to loading and execution, and ensures that only trusted software can be executed. This can help to protect against malicious software, boot kits and other types of threats which depend on being able to execute their code on a device (i.e., the IoT product).

Thus, there is quite a lot that already exists to bring in and consider, and then use to decide what is relevant for the IoT product to be developed (or for the improvement of existing ones). It is not necessary to come up with everything oneself, and one can get far by reading and considering all that already exists in written form.

3.3 Management responsibility – what matters need to be clarified and sorted out?

The management of organizations developing IoT products has a number of matters to attend to and take on responsibility for, and must also ensure that the other actors or stakeholders in the value-chain are on board regarding these matters. This may include customers and their users as well. One matter to address is for instance what makes the IoT product function well, both short- and long-term, with an adequate level of cybersecurity. It is hard for a development team to collaborate with many actors and stakeholders, in a value-chain, about requirements crossing organizational borders. Thus, management needs to step up and address these matters to avoid expensive and insecure surprises at a later stage.
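The chain of trust described at the end of section 3.2.3 above, together with the time-stamped, non-alterable audit logging requirements from the IEC 62443 security level 1 list in the same section, as an added example in Go that is not the handbook's own code: the boot firmware verifies each stage with the key handed over by the previous stage, records every check in a hash-chained log, and halts on an invalid signature or on an audit logging failure. Keys and images are constructed in BuildChain; a real product would hold the root public key in a TPM and the images in flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Image is one boot stage as the boot firmware sees it. NextKey, the public key the
// following stage must be signed with, sits inside the signed payload so it cannot be swapped.
type Image struct {
	Name      string
	Code      []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// payload is what the previous stage signs: this stage's code plus the next key.
func payload(code []byte, next ed25519.PublicKey) []byte {
	return append(append([]byte{}, code...), next...)
}

// Sign is the supplier's build-time step; private keys never reach the product.
func Sign(name string, code []byte, next ed25519.PublicKey, signer ed25519.PrivateKey) Image {
	return Image{name, code, next, ed25519.Sign(signer, payload(code, next))}
}

// AuditEntry is a time-stamped record whose Hash also covers the previous entry's
// Hash, so altering or removing an earlier record breaks every later hash.
type AuditEntry struct {
	At    time.Time
	Event string
	Hash  [sha256.Size]byte
}

// AuditLog is append-only; Capacity stands for the storage reserved for audit records.
type AuditLog struct {
	Entries  []AuditEntry
	Capacity int
}

func chainHash(prev [sha256.Size]byte, at time.Time, event string) [sha256.Size]byte {
	return sha256.Sum256(append(prev[:], []byte("|"+at.Format(time.RFC3339Nano)+"|"+event)...))
}

// Append records an event; a full log is an audit logging failure that is reported, not dropped.
func (l *AuditLog) Append(event string) error {
	if len(l.Entries) >= l.Capacity {
		return fmt.Errorf("audit log full (%d entries): raise an alert", l.Capacity)
	}
	var prev [sha256.Size]byte
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	at := time.Now().UTC()
	l.Entries = append(l.Entries, AuditEntry{at, event, chainHash(prev, at, event)})
	return nil
}

// Verify recomputes the chain read-only; it returns the index of the first altered record, or -1.
func (l *AuditLog) Verify() int {
	var prev [sha256.Size]byte
	for i, e := range l.Entries {
		if e.Hash != chainHash(prev, e.At, e.Event) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Boot walks the chain of trust: root (the key kept in the TPM) verifies the boot loader, and each
// verified stage hands over the key for the next. Every check is audited; an invalid signature
// or a logging failure halts the boot (fail-to-safe).
func Boot(root ed25519.PublicKey, chain []Image, alog *AuditLog) ([]string, error) {
	key, started := root, []string{}
	for _, img := range chain {
		ok := len(key) == ed25519.PublicKeySize && ed25519.Verify(key, payload(img.Code, img.NextKey), img.Signature)
		if err := alog.Append(fmt.Sprintf("verify %s: ok=%t", img.Name, ok)); err != nil {
			return started, err
		}
		if !ok {
			return started, fmt.Errorf("%s: signature invalid, boot halted", img.Name)
		}
		started = append(started, img.Name)
		key = img.NextKey
	}
	return started, nil
}

// BuildChain constructs a three-stage chain with fresh keys (sample data, not a real product).
func BuildChain() (ed25519.PublicKey, []Image) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	ldrPub, ldrPriv, _ := ed25519.GenerateKey(rand.Reader)
	osPub, osPriv, _ := ed25519.GenerateKey(rand.Reader)
	return rootPub, []Image{
		Sign("boot loader", []byte("loader v1"), ldrPub, rootPriv),
		Sign("operating system", []byte("os v7"), osPub, ldrPriv),
		Sign("application", []byte("app v2"), nil, osPriv),
	}
}
```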
Some requirements affect all involved and are often referred to as holistic requirements that cross all borders: that certain infrastructure needs to be available, or that existing infrastructure must become interoperable or compatible, and finally that certain processes and set-ups of assets/equipment need to be made in a standardized manner. Examples of such assets/equipment are: the IoT product, cloud service(s), certificate infrastructure with a root certificate and revocation lists, federation of identities (providing the ability for an authorized identity to log in to multiple services, as the organizations behind them trust each other and add that user identity to their lists of authorized users), and access, etc.

The management should also start to think in terms of total life-cycle cost instead of initial development cost. This affects the requirement collection/analysis/engineering, decision-making and design, and may result in a higher initial development cost which should later on in the life-cycle provide improved profitability. Such long-term savings may originate in that the IoT product is initially prepared and that the management has considered future development plans and architectural decisions. The use of design principles in the requirement collection/analysis/engineering may provide better future results too.

3.4 Cybersecure development environment and development process

Two questions to start with are:
• What IPR do we have that should/needs to be protected?
• Why should we make an effort and develop IoT products if others can then just take our blueprints; documentation; descriptions of services, processes or structures; or the code; or plant a virus or malicious code, or alternatively designs that later will destroy everything?
• Who shall be authorized to access parts of the development environment (on-site or remotely)?
• Who shall be authorized to access the development environment, and which tools are they allowed to use there?
• Is it needed that all can access the software code, hardware designs or service designs, in particular when outside the organization's internal network and outside normal work hours (e.g., weekdays between 08.00-19.00)?
• Is it needed that there is access to the development environment from countries other than Sweden (and is it possible to open up specific temporary access in case there is a need for such remote work)?
• Who is authorized to check out all code and to check in code to the main branch, or to make changes to drawings or blueprints, etc.?
• Is there a requirement to have a code review or design review before any code, drawings/blueprints, service or process descriptions are checked in to the main branch?
• Is there a need for specific protection of development documentation and other materials such as product/service/process documentation, IPR/drawings/blueprints, documentation of production process/method (if this needs to be confidential and is considered confidential or strictly confidential)?
• Are there any cybersecurity requirements for collaboration tools, i.e., secure communications and sharing of documents, protection level for documents, requirements for authentication levels, etc.?
• At some point in time, a decision or selection
If the above two questions are relevant, some of development process/methodology suitable
additional questions need to be raised about what for the problem to solve need to be made.
the development environment comprises (i.e., Here, it is important to consider cybersecu-
development, test and documentation) and who rity from the start. It is a good idea to use a
can access what and do what with: development process that ensures that the

48
Handbook for Development of Cybersecure IoT Products

A GOOD CYBER SECURITY DOCUMENTATION PROVIDES BETTER SUPPORT IN THE INSTALLATION,


CONFIGURATION AND UPDATES OF IOT PRODUCTS.
PHOTO: ADOBE STOCK.

initial set of requirements is adequate prior to other sub-process due to design choices made.
starting up the development in order to avoid Here, it is possible to anticipate parallel
costly mistakes. The set of requirements will sub-processes for: hardware, software (local,
likely change a bit during the course, as in central and/or cloud-based), services and
most projects, and evolve through a structured processes (ranging from service, support,
change management process. To use the maintenance to optimization functionality
same development process/methodology to based on data), management of operation
all problems may not results in an optimal (need to build up the structures and infra­
outcome and having knowledge and expe- structure needed by the IoT product to
rience from using several such development operate in a long term and to make incre-
processes/methodologies can be beneficial. mental improvements of performance and
This is due to the complexity of developing availability). It is an advantage if as much as
IoT products, which potentially comprise possible of what is relevant is in the initial set
hardware, software, services, processes, of requirements and avoid poorly designed (or
cloud services, data/oral communications, impossible) additions later on.
and data analytics.
• What requirements should be posed on • What requirements are posed on the develop-
the development process/methodology? It ment/test environment and selection of test
needs to be able to run a number of parallel data in general?
sub-processes but still be able to coordinate
these so that they progress timely and not
run ahead and close the design room for the

49
Handbook for Development of Cybersecure IoT Products
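The secure boot description at the start of this part of the handbook (the device verifies the integrity and origin of software before loading it, with the verification key held in hardware) can be made concrete in code. The following is an added example written for this edition, not code from the handbook or from any product. It assumes a JSON manifest listing the SHA-256 of each boot stage, signed with RSA PKCS#1 v1.5; a toy 512-bit key generated inside the file so that it runs offline; constructed stand-in images; and a boot ROM that holds the public key and a minimum accepted manifest version (standing in for a monotonic counter in hardware).

```python
"""Added example, not from the handbook: secure boot in miniature. The boot ROM holds
the vendor public key and a minimum version, verifies the signed manifest of stage
hashes, then checks each image before that stage is loaded. Toy RSA is inlined so
this runs offline; a real product uses a vetted library and an HSM-held signing key."""
import hashlib
import hmac
import json
import random

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2


def _is_probable_prime(n, rng, rounds=24):
    """Trial division then Miller-Rabin; enough for a demonstration key."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True


def _random_prime(bits, rng):
    odd = lambda: rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
    return next(c for c in iter(odd, None) if _is_probable_prime(c, rng))


def generate_toy_rsa_key(bits=512, seed=1):
    """Deterministic toy RSA key (n, e, d); the 512-bit modulus is demo-sized only."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so a nonzero remainder means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v1_5(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message, priv):
    """Vendor side: RSASSA-PKCS1-v1_5 signature with the private key (n, e, d)."""
    n, _e, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v1_5(message, k), "big"), d, n).to_bytes(k, "big")


def verify(message, signature, pub):
    """Device side: recompute the expected encoding and compare in constant time."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v1_5(message, k))


class BootRejected(Exception):
    """Raised by the ROM when a stage must not be loaded."""


def secure_boot(manifest_bytes, signature, images, rom_pubkey, min_version):
    """Return the stage names allowed to load, in order, or raise BootRejected. Order matters:
    origin (signature) first, then anti-rollback, then each image hash before it gets control."""
    if not verify(manifest_bytes, signature, rom_pubkey):
        raise BootRejected("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    if manifest["version"] < min_version:
        raise BootRejected(f"rollback: manifest version {manifest['version']} < {min_version}")
    loaded = []
    for stage in manifest["stages"]:
        image = images.get(stage["name"], b"")  # a missing image hashes to the wrong value too
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), stage["sha256"]):
            raise BootRejected(f"hash mismatch for {stage['name']}")
        loaded.append(stage["name"])
    return loaded


def build_signed_manifest(images, version, priv):
    """Vendor release step: hash each stage, embed the hashes, sign the manifest."""
    stages = [{"name": n, "sha256": hashlib.sha256(b).hexdigest()} for n, b in images.items()]
    manifest = json.dumps({"version": version, "stages": stages}, sort_keys=True).encode()
    return manifest, sign(manifest, priv)


SAMPLE_IMAGES = {"bootloader": b"stage-1 loader", "kernel": b"kernel image", "rootfs": b"squashfs"}  # constructed


def demo():
    """Clean boot plus three attack cases; returns {case: outcome string}."""
    n, e, d = generate_toy_rsa_key()
    rom_pubkey = (n, e)  # provisioned into OTP/TPM at manufacturing; d never leaves the vendor
    manifest, sig = build_signed_manifest(SAMPLE_IMAGES, 3, (n, e, d))
    cases = {"clean": (manifest, sig, SAMPLE_IMAGES, 3),
             "tampered_kernel": (manifest, sig, dict(SAMPLE_IMAGES, kernel=b"backdoored"), 3),
             "edited_manifest": (manifest.replace(b'"version": 3', b'"version": 9'), sig, SAMPLE_IMAGES, 3),
             "rollback": (manifest, sig, SAMPLE_IMAGES, 4)}
    outcomes = {}
    for label, (m, s, imgs, minv) in cases.items():
        try:
            outcomes[label] = "loaded " + ", ".join(secure_boot(m, s, imgs, rom_pubkey, minv))
        except BootRejected as exc:
            outcomes[label] = "rejected: " + str(exc)
    return outcomes
```

The point the example makes beyond the text is the order of checks: the manifest is not parsed until its signature verifies, the version is compared before any image is touched, and each stage's hash is checked immediately before that stage would run, so an attacker who can write flash but not sign cannot get a modified kernel or an older, vulnerable manifest accepted.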

Photo: Testing an IoT product is important both for the sake of functionality and for testing that the level of cybersecurity is good. Photo: Adobe Stock.

It is always advisable to manage and control both physical security and cybersecurity around development environments. To develop something, putting in a lot of effort and funding, and then learn that someone else launches something very similar is not a pleasant experience, in particular knowing that it was we who developed and funded it all. Those who develop the services, processes and other structures needed may take advantage of the same development environment as the one where the hardware and software are developed. If so, these developers can benefit from the existing model for setting up access rights, authorizations, who can make changes, version management, backup, etc.

3.5 Requirements on documentation – various user guides and manuals

It is necessary to include the cybersecurity-related matters of IoT products in the documentation. However, this is often not the case. It is also necessary if the IoT product is to be certified, and if not, it is anyway a good idea for all target contexts from domestic to critical infrastructures. A balanced documentation including cybersecurity may comprise:

• An outline of the IoT product's function. Provide a comprehensive view of the whole "system" and, in a schematic way, how the cybersecurity (plus any physical security needed around it) should be set up. Which roles will log in, to where, and what will they do?

• A recommendation that customers and their users cybersecure their operational environments – what can that look like? Is a separate physical and logical network segment needed as protection (e.g., a firewall/gateway with buffering of data), or is the product just a component of another system?

• What applies if the IoT product is operated in a non-recommended environment – who is responsible for this?

• How to complete a cybersecure installation, configuration, and commissioning?

• How to transmit any data outwards?

• Do the customers and users need to make firewall openings (i.e., which ports, protocols, etc. are needed for operation), and what requirements for authentication and secure communications does the IoT product pose? All this needs to be explained in the documentation. If two-factor authentication or other types of multi-factor authentication are required, for instance for administrators, this may require that such solutions are installed, and possibly acquired if none are available.

• How to verify that an IoT product's cybersecurity is correctly set up and configured? Is there a specific function, procedure, script, or other way to verify this? This is a common requirement in certifications.

• Will support and maintenance be provided remotely via the Internet or other networks? Is it possible to build maintenance/update functionality into the IoT product, initiated for instance when the IoT product connects to a cloud service to transmit data and fetch any configuration changes made centrally? Another option is an external VPN connection, which must be authorized and set up according to the customer's policies.

• Is local cybersecure support and maintenance needed on-site? If so, it must be ensured that cybersecurity is not compromised by bringing in malware/viruses during software updates or via the use of an external laptop, mobile phone, USB disks, etc. For such purposes, a cybersecure process is needed that ensures that no malware or viruses get into the target environment, complemented with training of the service engineers carrying out the on-site service and maintenance.
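Two of the bullets above, the firewall openings that must be documented and a script to verify that the product's cybersecurity is correctly set up, can be served by one artifact shipped with the documentation. Below is an added example of such a verification script; it is not from the handbook or from any product. The configuration layout, the documented listeners (443/tcp and 8883/tcp), the assumed factory default password and the socket listing are all constructed for the example.

```python
"""Added example, not from the handbook: a verification script of the kind the
documentation should point customers to, checking a commissioned device against its
documented cybersecurity baseline. The config layout, documented ports, factory
default password and the socket listing are constructed assumptions for this example."""
import hashlib
import re
import sys

DOCUMENTED_LISTENERS = {443: "HTTPS admin UI", 8883: "MQTT over TLS to the cloud service"}
INSECURE_LISTENERS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt without TLS"}
FACTORY_DEFAULT_HASHES = {hashlib.sha256(b"admin").hexdigest()}  # assumed factory default
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Parse `ss -ltn`-style output into {port: bind address} for TCP listeners."""
    found = {}
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


def verify_device(config, ss_output):
    """Return [(check_id, message), ...]; an empty list means the baseline holds."""
    findings = []
    for port, addr in sorted(parse_listeners(ss_output).items()):
        if port in INSECURE_LISTENERS:
            findings.append(("insecure-service", f"{INSECURE_LISTENERS[port]} is enabled on port {port}"))
        elif addr not in ("127.0.0.1", "[::1]") and port not in DOCUMENTED_LISTENERS:
            findings.append(("undocumented-port",
                             f"port {port} is exposed on {addr} but is not among the documented firewall openings"))
    if float(config.get("tls", {}).get("min_version", "1.0")) < 1.2:
        findings.append(("weak-tls", "TLS minimum version is below 1.2"))
    for user in config.get("users", []):
        if user.get("password_sha256") in FACTORY_DEFAULT_HASHES:
            findings.append(("default-password", f"user {user['name']} still has the factory default password"))
        if user.get("role") == "admin" and not user.get("mfa"):
            findings.append(("admin-without-mfa", f"admin {user['name']} can log in without multi-factor authentication"))
    remote = config.get("remote_support", {})
    if remote.get("enabled") and not remote.get("customer_authorized"):
        findings.append(("remote-support-unauthorized", "remote support access is enabled but not authorized by the customer"))
    if not config.get("updates", {}).get("verify_signature"):
        findings.append(("unsigned-updates", "update packages are not signature-checked before installation"))
    if not config.get("logging", {}).get("remote_syslog"):
        findings.append(("no-remote-logging", "no remote log destination; local logs are lost on compromise or factory reset"))
    return findings


# Constructed sample: a device after commissioning, deliberately non-compliant in places.
SAMPLE_CONFIG = {
    "tls": {"min_version": "1.1"},
    "users": [
        {"name": "admin", "role": "admin", "mfa": False,
         "password_sha256": hashlib.sha256(b"admin").hexdigest()},
        {"name": "operator", "role": "operator", "mfa": False,
         "password_sha256": hashlib.sha256(b"correct horse battery staple").hexdigest()},
    ],
    "remote_support": {"enabled": True, "customer_authorized": False},
    "updates": {"verify_signature": True},
    "logging": {"remote_syslog": "10.0.5.20:6514"},
}
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     0.0.0.0:8883         0.0.0.0:*
LISTEN  0       10      0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     0.0.0.0:9000         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9100       0.0.0.0:*
"""


def main(config=SAMPLE_CONFIG, ss_output=SAMPLE_SS_OUTPUT):
    """Print findings and return a process exit code (0 = matches the baseline)."""
    findings = verify_device(config, ss_output)
    for check_id, message in findings:
        print(f"FAIL {check_id}: {message}")
    print("PASS: configuration matches the documented baseline" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit code lets the commissioning procedure, or a certification test rig, fail automatically; the loopback-only listener on 9100 is deliberately not reported, because the documented firewall openings concern what is reachable from the network, not what the device talks to itself about.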

Thus, there is a need for appropriate documentation, including cybersecurity, to provide the necessary guidance at installation, configuration, commissioning, updating, etc., during the whole life-cycle. A further benefit is that the support technicians will get fewer questions and can instead focus on what requires a support technician's full attention.

At the end of the life-cycle, or when a customer's object owner ceases to use the product, instructions are required for how to delete and wipe IPR and data/information, and how to, for instance, replace these with factory settings or other void contents. A function in the IoT product that does this, including providing a verification note at the end that all data and information, etc. has been deleted/wiped and/or replaced, is appreciated by all involved. Further, an instruction for how to recycle the IoT product is needed in case some parts need to be destroyed or separated from each other. Note that all of this applies to all locations where IPR, data or information, etc. are stored. This may include not only the IoT product itself, but any cloud services or servers and any intermediary steps used for transmitting data from the IoT product. Users at customers commonly have IT and OT policies with rules and an information security life-cycle management scheme, which together stipulate how to decommission and end the life of various assets within the IT and OT environments. In some cases, full physical destruction of memory cards, disks or other parts may be required in order to ensure that nothing valuable in terms of IPR, data or information is exfiltrated to competitors or other parties.

3.6 Test requirements

The testing of an IoT product is important both for its functionality and for ensuring that the cybersecurity level is adequate. It should be possible to plan, depending on available competencies and knowledge, so that developers and testers cooperate and see to it that some matters are built into the development and test environments (which may require some development effort and time). Thus, various forms of automated test suites, test rigs, etc. should be part of the initial requirement specification. Further, the test suites and rigs need to be continuously improved during the IoT product's life-cycle. Finally, all functional requirements as well as cybersecurity requirements shall be testable.

Various types of tests need to be combined to achieve a solid and stable IoT product as the outcome. Below are a number of potential groups of test requirements which may be considered while drafting a test specification and test plan, to reach as good a test coverage as possible:

• Planning and overview of test coverage – will the IoT product comprise different configurations of hardware, software, and potential cloud services/servers or other additional services?

• How large a test matrix is required to achieve adequate coverage?

• Porting to various platforms – are the target platforms similar or different?

• Functional testing

• Testing and review/walk-through of potential additional services, processes, and structures

• Tests to ensure that all functionality (and services, processes as well as structures) is cybersecure

• Performance and scalability

• Test of documentation – is the set of documentation complete and correct?

• Test automation – test suites for cybersecurity, functional requirements, and performance/scalability/overload

• Test rigs – what is needed to efficiently execute the tests? Can the test rigs have prepared configurations which can be set automatically?

• Penetration tests – for these an external party can be advisable; penetration tests are needed on a regular basis to ensure that the

IoT product's cybersecurity protection level is hard to penetrate and adequate for the targeted operational environments

• Vulnerability scanning – exposed parts of the IoT product and potential cloud services, etc. should be regularly scanned for vulnerabilities

• Regression tests after bug fixing and changes. If automated, using test suites and test rigs, this will be faster and more efficient

If penetration tests and vulnerability scans discover issues, this should generate a requirement for development or be managed through maintenance or upgrades. Well-considered test automation makes it possible to test fast, to repeat tests many times, and to let manual testing focus on test cases which are hard to automate. The result is good test coverage and time to do a lot of testing during a development cycle. If an organization uses a platform to build IoT products upon, a sub-group of the testers can focus on testing the platform's base functionality, allowing the testers of the IoT product to focus on the product and not on the underlying platform. There are a number of publications regarding development of cybersecure interfaces and APIs, and large cloud service providers and OWASP, with its Top 10 lists, share a lot of relevant reading and publications on their web sites. These can provide relevant input for developers and testers to craft test cases and test suites, through the provided descriptions of common cybersecurity problems, weaknesses and cyberattack patterns.

3.7 Maintainability over time – planning for updates, upgrades and migrations

Commonly, the longest phase of an IoT product's life-cycle is from when it has been installed and commissioned at the customers' users until it is de-installed and potentially recycled or continues its life in some other context. It is a competitive edge to have an IoT product which can be supported, serviced, maintained, and updated in an efficient and cybersecure manner, not only in terms of self-preservation but also to enable the whole value chain to be profitable and to keep the IoT product's total life-cycle cost attractive for all involved. In order to do all this, a training and education package may need to be developed for both internal and external use. Further, training and education for users at customers can be considered an add-on service. In case there is a high attrition rate of employees, the training and education package becomes even more important.

Maintaining an IoT product is not always straightforward and may require careful consideration to be both efficient and cybersecure for the target contexts. If an IoT product comprises hardware, software in various shapes/forms and at various levels, an underlying software platform, a cloud service/central server, and a variety of manual or automated services and processes executed as a mix on-site and remotely, all this together creates complexity and requirements on maintainability.

For an IoT product to operate and function well during its life-cycle, it will need adequate hardware capacity already from the start, in terms of processor, memory and storage, so that it is possible later on to add and upgrade firmware, operating system, platform, any software packages used, open-source software (which grows), and application code. New and extended demands on cybersecurity, which occur at regular intervals, will likely require that the hardware is able to endure significantly more load compared to the initial situation. An alternative is to have the hardware as exchangeable modules, but this requires that enough such modules are available later when they are needed. Many manufacturers stop production a few years after the initial model is introduced on the market and move on with new products and modules. Thus, this must be planned for, and starting with a hardware configuration which barely meets the current capacity requirements will

probably cause more problems and costs compared to if hardware with better capacity had been selected from the start.

As an inspiration, in particular from mechanical/electronic product development, there are concepts regarding "design for maintenance" together with a number of related "design for X" concepts, such as "design for manufacturing". If it is hard and complex to plan for and execute maintenance and updates, etc., this will likely become unnecessarily costly and the IoT product will lose competitiveness. If maintenance and updates are fast and straightforward to do, any stop times in the operational environments will be shorter (unless there is redundancy to provide continuous operation).

Something that is often forgotten in early IoT product development is the data and information generated and stored over a long time. What data formats should be used, and how can data be extracted and moved to another supplier's cloud service/server if the object owner at the customer (i.e., the contractual party) owns the data and information and in the future wishes to move it elsewhere? Requiring a hefty fee for this will not generate any goodwill or nice comments when customers and users meet at industry meetings, conferences, or trade fairs. If an IoT product has good functions for migration from one data format to another, and it is possible to extract and export data and information (with the help of metadata) to another context, then there will be good or excellent remarks.

3.8 Quality level and what affects it

The quality level of an IoT product is affected by many factors, in relation to the expectations of the users at customers and the price of the IoT product. In this handbook, the IoT product's life-cycle is central, and thus the quality level needs to be kept at an adequate level, above the customers' expectations, until the end of the life-cycle. Thus, it is not the quality level right after installation and commissioning that is the big deal, but whether the quality level deteriorates due to poor maintainability and inefficient or too late maintenance and updating. Cybersecurity, which is closely related to maintenance and sometimes also to time-critical updates, is part of the perceived quality level. Thus, if the cybersecurity level is or becomes too low, use of the IoT product is disqualified in a number of contexts.

Further, weak ownership by object owners or no budget for maintenance at customers affects the quality level of an IoT product directly and fast (when there is a need for maintenance and updates, etc.). Unfortunately, there are many IoT products, and other production assets, which have a harsh life-cycle with little or no attention and care, leading to fast deterioration that may cause disruptions within production and distribution processes or other types of operations. In addition, a neglected IoT product may hold weaknesses for a long time, which in the worst case can be used by any form of threat and cause disruptions, data leakage, malicious encryption of the IoT product's data and information, etc.

Similar to object owners not caring enough for IoT products, weak ownership by the product manager at the supplier may also move an IoT product from being a premium choice to being among the last ones in the rating lists of procurement processes, selected only if the price is the lowest.

3.9 Requirements from industrialization

To industrialize, or prepare an IoT product for more or less large-scale manufacturing, and further get the rest of the value chain (needed to add value to customers) going, is not easy. As a matter of fact, it is pretty hard to do everything completely right from the start, and usually this requires a bit of trial and error to pave the way. During industrialization, there are many steps and actors/stakeholders involved, and this exposes the IoT product. Thus, physical security and cybersecurity are a must, and having reliable technicians

and production workers is a hard requirement too. If many are involved, this will be hard. A question to pose now is what to do ourselves and what the other actors in the value chain should do to achieve efficiency without risking the IPR developed, as the IoT product is about to enter the market and meet the users. If too many have access to sensitive information or secrets, it is not likely to remain confidential for long. A further question to pose is whether the value chain can be outside of Sweden and the EU, for both physical security and cybersecurity reasons, and whether there are dependencies on suppliers that may cause time delays for manufacturing/production (i.e., supply-chain problems or transportation squeezes like those during the COVID years).

The requirement analysis should comprise some kind of design-for-manufacturing requirements to ensure that the IoT product is as easy as possible to manufacture, assemble, and quality test (post manufacturing/assembly) using, for instance, a test rig and/or test suite. To only test a few manually, such as 3 out of 1000, is not a good strategy; it is better to automate the final testing and cover all units. Then one knows that all IoT products that reach the customers and users are OK. If the volumes are small or the products are mainly made by hand, test automation is not as important as at large volumes, provided the manufacturing/production is rational and simple, causing fewer defects and thus a lower level of scrapping or time-consuming post-operations to rectify defects. Unnecessary complexity in the manufacturing/production and testing of IoT products costs both money and effort. Thus, try to simplify and, if possible, automate as much as possible to achieve the potential benefits. Further, this is a must if the competitors do it.

Photo: The importance of good structure on the requirements of cybersecure IoT products. Photo: Adobe Stock.

4. Suppliers' process to pick up all requirements, achieve an adequate requirement specification and finally verify all the requirements

The numerous groups of requirements, as well as the specific potential requirements, brought up in the previous chapter should be considered for whether they can bring any value. Addressing requirement engineering, with collection and analysis of requirements, in an ad hoc manner increases the likelihood that important aspects and requirements are missed. Thus, it is necessary to have a clear and structured process at IoT product suppliers (and perhaps also at the rest of the value chain) which regularly brings back feedback on how the IoT product is performing and fulfilling the expectations of customers and users. Collecting a complete set of requirements is not easy, and this is outlined in the previous chapter as well. There are many aspects to consider, and often there is a need for prioritization if the initial set of requirements is larger than the capacity (and timeline) of the first development cycle. Therefore, a process for structured collection and analysis of requirements is necessary, and requirements which are not selected for a development cycle should be kept in the process for the next cycle or a minor upgrade/patch. In order to support a product manager and all involved in the development of an IoT product, a roadmap can be used to visualize, on a timeline, for instance the coming three years' development cycles and what major requirements/changes these will comprise. Such a roadmap should be dynamic and kept updated depending on what happens within technology development, the own vision for the IoT product, customers' needs and expectations, and the surrounding world. The roadmap is a good tool to use when regularly communicating with important stakeholders in the value chain, so that they know about the main plans and what to expect. Further, the use of a roadmap can facilitate budget allocation and procurement planning at customers' object owners.

Feedback and verification

Some industries have developed frameworks, processes or instructions (and may also be subject to specific laws or regulations) to enable requirement engineering. If the product managers and others involved in the requirement engineering have a homogeneous group of customers and users, it may also be possible to get feedback on and verification of roadmaps on a regular basis. There are various methods for feedback and verification, ranging from focus groups with current users and user group meetings at regular intervals to meetings with strategic/important

customers as well as new potential customers.

Further, there are examples of handy frameworks in chapter 10 (for instance for municipalities, counties, and national states as well as marine users). It is likely that additional industries will produce similar frameworks, etc., in order to craft common requirement processes and enhance their quality level. Within Sweden, the Swedish Civil Contingencies Agency has crafted a high-level guide for critical infrastructures, which may be applicable to any IoT products targeting such contexts. The EU and ENISA have also crafted a number of useful guides regarding cybersecurity for IoT and automation/control systems as well as critical infrastructures. These guides target both the private and public sectors.

The frameworks and all other publications are great reads. However, what is required is thorough and elaborate work by product managers and others involved to pick up as complete a set of requirements as possible. Further, the set of requirements also needs to be prioritized and scoped on a timeline. There are no shortcuts, but there is some help, such as this handbook, to grasp the picture and to work in a structured and systematic manner. Often, it is good for organizations to have a common process to enable structure and a systematic way of working, as many of those involved can have different perspectives. This will improve the ability to capture the big picture and achieve as good a set of requirements as possible. Lone heroes, whether they use a process or not, will have a tough time and will not be able to meet all the stakeholders and persons of interest needed to collect the requirement input.

Public procurement

For public organizations and operations within the EU, procurement of IoT products and potential add-on services requires that the laws regarding public procurement are applied (if the total amount exceeds the legal limit or the organization's own decided limit). A procurement process made according to the public procurement laws will make it more difficult for IoT product suppliers, as it hinders and slows down the often-needed frequent dialogue between procurement specialists and those who will install and later use the IoT products. Thus, the necessary feedback on and verification of requirements will initially be hard to execute in a rational and effective manner. Once an IoT product is procured and is to be further developed, these initial barriers are no longer a significant problem, and it is possible to conduct a frequent dialogue between the parties. Preferably, this should be stipulated in the procurement contract, as it benefits all parties. Seemingly, it is easier for standard IoT products than for specialized IoT products where additional development is needed to reach the requirements stipulated in the procurement. Due to the sometimes costly and demanding public procurement process, smaller suppliers of IoT products may opt out, to the advantage of larger suppliers. However, smaller suppliers can join forces with others and, in that way, lessen their own costs and efforts required to complete a public procurement process.

See chapter 9 for concrete examples of sets of requirements and background information related to different use cases.

5. Cybersecure development

The actual development of an IoT product is just a small, but important and recurring, phase in the IoT product's life-cycle. Usually, there are a number of development iterations over time, to make improvements and manage problems, resulting in regular new versions and updates/patches. This will continue as long as the IoT product generates income and is possible to maintain and further develop. When profitability is down or negative, suppliers commonly raise the maintenance fee for customers (to continue the support/maintenance) and make an end-of-life plan. The product owner or product manager then communicates the plan to object owners at customers.

The development of a complex IoT product may encompass a number of parts, such as those mentioned earlier: hardware, software on different levels (firmware, operating system, applications, databases and further frameworks on top of this), cloud services/servers, manual or automated services conducted on-site or remotely, and the various processes and structures needed. Of course, there can be a lot more. All this puts requirements on the development process regarding the coordination of a number of commonly parallel development sub-processes, some of which need loose or very tight integration. Unless these are well coordinated or have clear development contracts or standardized interfaces regarding how they shall fit and function together, it is likely that there will be problems later on, with poor results, drifting costs and low value created. The photo shows a development environment comprising measurement and test tools for IoT products, with a focus on hardware and software integration.

Photo: Picture from a development environment. Photo: Maria Månsson.

Besides supporting efficient work, an environment as in the photo also needs to be cybersecure. Cybersecurity is needed because otherwise, why would we make an effort and spend a lot of funding if someone else can just steal/copy the ideas, blueprints/drawings, patterns, code, documentation, additional IPR and patent applications? Further, unwanted things or code can be added without authorization, data stolen, the development process disrupted, and later on also the customers' processes disrupted or their equipment encrypted/destroyed. Thus, a development environment must be protected, and the security level depends on what is in it and, of course, on how much it costs to develop and what profits can be generated. There is a big difference between an IoT product which is projected to generate revenue of a few million SEK and one with billions of SEK, just as there is between target operational environments that are domestic and ones that are critical infrastructures. An analysis is required to map out what needs to be protected and what the weaknesses, threats and risks are (see sections 3.4-3.6). Based on the result of the analysis, the cybersecurity level for the development environment can be decided. Common ingredients are segmented networks, encrypted communications and data, access control, multi-factor authentication, and authorization schemes for what different roles can do and whether certain tasks require the four-eyes principle (the two-person rule, i.e., two persons must act together so that no single person can carry out the task alone). Sometimes, development environments are divided into separate physical environments to better protect the individual parts being developed. However, this requires hands-on coordination and development contracts/interfaces for the parts that need integration. Anyway, this is just

the simple part, and the harder part remains, in the form of:

• Working in a cybersecure manner, by not revealing any secrets to unauthorized persons and not opening up weaknesses or vulnerabilities through mistakes and poor cybersecurity awareness. IPR in the form of code, documents, manuals and blueprints/drawings should have adequate protection and only be accessible and changeable in a controlled manner by authorized personnel. In some cases, changes should only be committed after an approval process or review (such as for software code or blueprints/drawings).

To achieve the above, the following may be needed:

• Train the development teams in cybersecurity and cybersecure development – knowing how to protect the own IPR and develop cybersecure designs and code, and the ability to craft test cases for cybersecurity and automated test suites/test rigs including security tests (for such purposes, OWASP's Top 10 lists may be a good starting point, together with similar ones from major software or hardware providers).

• Ensure control of which requirements or limitations there are in any open-source code or open design to be used, and store copies of such locally for future use in case they disappear from the Internet (as well as keeping control of which version is in the IoT product).

• Efficient testing of functional and holistic requirements (i.e., cybersecurity, digital preservation, quality/stability, availability, usefulness), as these are often connected because the holistic ones cut through everything – this

requires a wide technical competence and development and improvements, or is it


understanding of test requirements (see dead code?
earlier in the handbook) and scalability of • Have a cybersecure test environment that
the testing. It should be considered how a no externals can change and make test
lot of testing can be completed with few results look good although they are not
persons involved through the use of smart (i.e., falsify test results and reports).
test matrices and automated testing (test
suites, test rigs, and test robots, etc., • Use cybersecure collaboration tools for
to cover all test cases and performance/ sharing of documents, instant communica-
load testing too). Naturally, security test tions and online meetings.
tools should be part of the automated The above will require a bit of work, effort and
testing, which will result in that more cost compared to if neglecting cybersecurity.
security tests are executed during the However, the positive effects may be increased
whole development. Some of the tests can efficiency in testing and improved test coverage
be executed during night time or in other as well as less problems and unnecessary costs
time zones in order to shorten the total incurred later on during the life-cycle. Further,
test time in calendar days – which makes such a set up and structure can be re-used
to the whole development process faster. for other development projects related to IoT
• Use cybersecure development tools and products.
review open designs, frameworks, libraries If there are flaws, errors or dangerous code
or open-source code that are used. Any pieces found in open-source code, procured
open designs and frameworks should be software components, or open designs for
analyzed and tested prior to being inser- hardware, this should be reported so that it can
ted and used, and may further need to be corrected. Many suppliers of components,
monitored over time as the quality tends open-source code and open designs are happy
to become lower and the contents get to receive flaws, errors and bugs found and may
additional contributors (which increa- in some cases have monetary rewards to the
ses the risk of poor and dangerous code reporting party (e.g., bug hunters).
additions to the code base). This is not an
easy task and is a large task over time –
thus, resources to do this are needed. One
should always map out the background
of open-source code and open designs in
terms of history, how much updates are
made and by whom, is there continuous
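Keeping local copies of open-source components and knowing which exact version is in the product, as the list above asks for, works best when the approved versions and their digests are recorded once at review time and every later build verifies the local mirror against that record. The block below is an added example written for this page, not code from the handbook or from any project it refers to; the component names, file names and archive contents are constructed for the demonstration.

```python
"""Lock file plus digest verification for a local mirror of third-party components.

Added example; component names, files and archive bytes are constructed.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class LockedComponent:
    name: str
    version: str
    filename: str
    sha256: str


def sha256_file(path: str) -> str:
    """Stream the file so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lock(mirror_dir: str, approved: list[tuple[str, str, str]]) -> list[LockedComponent]:
    """Run once, after review: pin (name, version, filename) to the digest of the reviewed archive."""
    return [LockedComponent(n, v, fn, sha256_file(os.path.join(mirror_dir, fn))) for n, v, fn in approved]


def lock_to_json(lock: list[LockedComponent]) -> str:
    """The lock file doubles as the record of which component versions ship in the product."""
    return json.dumps([asdict(c) for c in lock], indent=2, sort_keys=True)


def lock_from_json(text: str) -> list[LockedComponent]:
    return [LockedComponent(**entry) for entry in json.loads(text)]


def verify_mirror(mirror_dir: str, lock: list[LockedComponent]) -> dict[str, str]:
    """Run at every build: each pinned component is 'ok', 'missing' or 'digest-mismatch'."""
    report: dict[str, str] = {}
    for c in lock:
        path = os.path.join(mirror_dir, c.filename)
        key = f"{c.name}=={c.version}"
        if not os.path.isfile(path):
            report[key] = "missing"
        elif sha256_file(path) != c.sha256:
            report[key] = "digest-mismatch"
        else:
            report[key] = "ok"
    return report


def demo() -> tuple[dict[str, str], dict[str, str]]:
    approved = [("libfoo", "1.4.2", "libfoo-1.4.2.tar.gz"),
                ("barlib", "0.9.0", "barlib-0.9.0.zip")]
    with tempfile.TemporaryDirectory() as mirror:
        for _, _, fn in approved:   # constructed archives standing in for downloaded releases
            with open(os.path.join(mirror, fn), "wb") as f:
                f.write(b"constructed archive bytes for " + fn.encode())
        lock = lock_from_json(lock_to_json(build_lock(mirror, approved)))  # round-trip as a build would
        clean = verify_mirror(mirror, lock)
        # Simulate drift: one archive altered (e.g. re-downloaded from a changed upstream), one gone.
        with open(os.path.join(mirror, "barlib-0.9.0.zip"), "ab") as f:
            f.write(b"\n# altered after review")
        os.remove(os.path.join(mirror, "libfoo-1.4.2.tar.gz"))
        drifted = verify_mirror(mirror, lock)
    return clean, drifted


if __name__ == "__main__":
    print(demo())
```

A build that fails on anything but "ok" for every entry gives the control the text asks for: a component cannot silently change version or content between the review and the firmware image, and the lock file itself answers the question of which version is in the product.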

6. Post development
– cybersecure support, service, maintenance
and additional supporting processes and services
A driver for cost, and also a potential cybersecurity problem, is when support, service, maintenance and additional supporting processes and services, such as optimization of hardware, software and operations, are not well thought through and there is little knowledge of the target environments in which the IoT products operate. A supplier of IoT products may need a few options for managing the most common operations environments, and use these to make any special adaptations needed through professional services (i.e., consultancy). A few things to consider are how all this shall be managed: do it all on-site, mix on-site and remote work, or do most of the work remotely except for exchanges of hardware and any mechanical maintenance? See section 3.7 for additional information on these requirements.

It is a good idea to give object owners and users at customers a recommendation for a cybersecure operations environment, to emphasize its importance if their current knowledge in this area is low and focused on the operation's processes. This should start already during the business development/sales phase; it will normally not be a problem but, on the contrary, signals responsibility and professionalism. Not bringing this up, or hiding it, from object owners and users at customers will later create problems for those involved after the development phase of the life-cycle. Preferably, the documentation of the IoT product (see section 3.5 for requirements regarding this) should cover cybersecurity within the running text or gather it in an appendix. Besides installation and setup, it should describe how to verify the cybersecurity level using instructions, procedures or small utility applications that can be distributed along with the IoT product. Helpful figures, complying with accepted cybersecurity standards and guidelines, should be part of the documentation as they help all involved. Consider also that if an IoT product has its own network or network segment and is connected to a larger network at the customer's users, then the larger network should have the same (or a higher) level of protection than that required by the IoT product; otherwise additional cybersecurity protection (i.e., controls) may need to be added. Further, it is necessary to outline the communication channels and the protection level needed/recommended for each, what and who can have access to the IoT product, and what those with access are authorized to do (see the example of such requirements in section 3.2.3).

The forthcoming EU Cyber Resilience Act will likely pose requirements on monitoring, including continuous monitoring of whether the IoT product developed (or offers in which such products are involved) is or becomes vulnerable. A potential consequence is that, during the whole life-cycle, there is a need to provide updates that mitigate any vulnerabilities, and that these updates can be distributed and installed in a cybersecure manner.

Monitoring an IoT product, or potentially a whole fleet of IoT products installed at customers, is becoming more common, both to collect requirements (and learn what works and what does not) and as an add-on service for predictive or condition-based maintenance and optimization. As mentioned earlier, it is a good idea to separate/segregate the data pertaining to how an IoT product is used from any further data collected about processes and quality levels. Getting such data, which can be used within fleet
management functions to provide an overview of any weaknesses in the design, specific components or the whole concept, or of recurring problems (such as manufacturing flaws from a certain production site or too harsh handling), is an important part of cybersecurity, but it also gives specific understanding of stability/robustness, availability, and what is worn or torn at different usage levels in various contexts. The level of wear and tear of an IoT product may not cause the same need for maintenance when it is used in a constantly damp and dusty mining environment as when it is used outdoors by a road or railway where the weather changes. Thus, the data set should be considered, along with whether different groups of data will be generated that can create value for the customers' users as well as for the stakeholders and actors in the value-chain. Based on the data situation, an information model can be crafted. Further, there needs to be a suitable agreement or contract with the object owners at customers and the rest of the value-chain concerning who owns what data or groups of data, where the data can be stored and processed, who can use what data for what, etc. Achieving this afterwards is hard, so this discussion with customers should take place at an early stage. The next step is to be able to extract data from an IoT product in an efficient and cybersecure manner and transfer it to storage and processing for various purposes. If data, changed configurations or optimizations shall be retrieved by the IoT product from a cloud service/server, this can be done over a communication channel opened by the IoT product itself as it sends data outwards (this keeps the cybersecurity good and simple, with fewer connections initiated from the outside). The data from an IoT product can, depending on needs and cybersecurity requirements, as well as on what is acceptable to the object owner at customers, be stored within the IoT product (which requires RAM and a disk or memory
card), in a local server at the object owner, in a central server at the supplier or another part of the value-chain, or in a cloud service. If an external cloud service, operated by for instance Microsoft or Amazon, is to be used, its cybersecurity level needs to be set up and configured correctly as well as regularly verified. A verification should always be made before starting to use a new cloud service, or a new instance of one, and then on a regular basis, so that applicable laws, regulations and recommendations are met and the set-up is aligned with what is wanted. Unfortunately, many cloud service instances have cybersecurity flaws due to wrong configuration and set-up, combined with the cybersecurity level not being regularly verified.

Further, during the design phase it is necessary to consider and investigate how support, service, maintenance and reconfigurations, as well as fleet management functions, can be conducted in a cybersecure manner. Also consider what must be conducted on-site, what can be a mix of on-site and remote, and whether the majority (except what must be done physically regarding maintenance and repairs) can be conducted remotely. It is helpful to draw up and visualize these processes to find out which collaborations and data sharing are required. If the process for distributing, fetching and installing software updates can be executed smoothly and automatically (without any virus or malware infections), it is a great benefit for all. It is common that some customers have a test environment where all updates and upgrades are tested before being installed in the operations environment. These tests are often from a week up to six months long. Some customers allow operating systems and firmware to be updated without testing if the supplier is trusted and has a solid track record without mishaps. However, it is recommended to find out the facts about this and draw up the processes needed and involved. If a customer's policies do not allow any connections initiated from the outside, it gets more complicated, but an option then is to use the same communication channel over which data is transferred out to also fetch any data, configuration changes, software updates/upgrades, etc. If this is not possible, more must be done on-site, and this also requires routines to ensure that no viruses or malware are brought in along with the software and equipment physically brought in to object owners at customers. The object owner decides how data may be transferred out, and it can be good to offer, for instance, three options for this in case one or two of them are not acceptable to the object owner. A continuously open connection for transferring data out is commonly not acceptable unless it is required for very quick reactions or changes. Further, some operations environments cannot have continuous connections open, but only open connections at regular intervals. Thus, various middle-steps and buffering of data (for instance a buffering gateway with some firewall functionality in front of the IoT product, or buffering built into the IoT product itself), combined with different data transmission mechanisms (for instance FTP, secure email, IoT hub, local or global data ponds that export data after filtering and approval, mobile) and secure transfer (for example SFTP/FTPS, S/MIME/PGP, HTTPS (XML/JSON), MQTT over TLS, OPC UA with its security mode enabled, or other protected transmissions; note that plain FTP and mobile text messages provide no confidentiality or integrity protection of their own and need protection at another layer) across various types of networks and topologies may be needed to achieve robustness and not lose any data in transit. Commonly used industrial protocols⁹ for collection of data and/or automation/control functionality are Profinet, Profibus, Modbus, OPC/OPC UA, etc. OPC UA is being developed further in terms of cybersecurity and also has an information model that can be used for standardization by developers and object owners at customers. The fewer the middle-steps and buffers, the better and easier it is to maintain availability and the cybersecurity level. All middle-steps and buffers need to be monitored to detect any stops or problems. Further, within sensitive operations environments, customers often do not want any mobile communications using SIM cards, as this can open up for cyberattacks.
⁹ Some examples of relevant book summaries: https://www.sciencedirect.com/topics/computer-science/industrial-protocol
This should be possible to find in the customer's policies and internal standards. If mobile communications are used, this needs to be managed by, for instance, keeping it in a separate "island" in the network or using equipment (such as a data diode) that ensures only outgoing network traffic.

If controlled connections initiated from outside the network are acceptable, they need to fulfil the customer's policies and standards regarding cybersecurity (this probably applies to both IT and OT, as a connection will likely traverse both the IT and OT environments). Preferably, be flexible enough to use the customer's standard options for external connections rather than limiting this to a specific solution of your own. Then, if the IoT product can be reached after using the customer's solution for external connections, or there is an additional gateway or firewall with an extra VPN connection, it is usually possible to get it to work. Customers often limit external connections. It is necessary to limit the possibilities for external connections, in particular those initiated from the outside, and it should be swift to shut down/terminate an external connection for a specific user or for a group of users. For suppliers of IoT products to be aware of, these are common configuration parameters for external connections initiated from outside:
• Requirement for a completed process for identification of the user and set-up of the user account (i.e., enrolment), and potentially an additional requirement to have passed training in cybersecurity (i.e., with an approved test result) before a user is allowed to use an external connection from outside the network.
• Time-based access (at what hours of the day and on which weekdays access is enabled).
• Authentication level (password, certificate, two-factor or multi-factor authentication).
• Authorization (what the user is allowed to do, and with what tools, etc.).
• Should the access be on a low or high level, i.e., what is necessary to be able to conduct what is needed? Low-level access (network-layer access, e.g., an IPsec VPN that routes traffic into the network) is harder to limit than high-level access (application-layer access, e.g., a TLS/"SSL" VPN portal that exposes specific applications). Many solutions for external connections from the outside comprise both low- and high-level access, and having only low-level access is not recommended. Thus, suppliers of IoT products need to be aware of this and preferably not depend on a low-level access solution, but also be able to work through a high-level one.
• Cybersecurity level of the device used to connect (e.g., endpoint security).
• Time limitation of access. Access should be time-limited and require renewal within 1-12 months. If not renewed, it shall be automatically deactivated and removed (to clean out old access set-ups).
• If all the above is OK, should an external connection be possible to establish directly, or does it first need approval and be opened every time (e.g., by a user at the customer who ticks a box in an interface and approves)? It should also be possible to terminate an active connection from outside at any time.
• Time limitation of sessions. It is common to limit the session time for external connections to 30-60 minutes unless otherwise needed. Unlimited session times are risky and not recommended.
7. Monitoring of the IoT product throughout its life-cycle
Although already mentioned a few times, the monitoring of an IoT product's general status and need for maintenance is important enough to have its own chapter. For the supplier, or for another stakeholder or actor within the value-chain that assumes this responsibility, it is a great advantage to be able to follow up on an IoT product over time. However, this requires that some preconditions are met. One precondition is an agreement with the object owners at customers to get the data needed, to transfer it out, and to be able (and allowed) to use the data for this purpose. A way to start is to craft an information model and map out the processes where the data will be used, before proposing an agreement regarding this to the object owner. If prepared, it is easier to explain which data are needed for what purposes; this helps object owners see the value and may prevent the reaction that "our data" shall not be transferred out and used by others. Process- and quality-related data is something else, although add-on services such as monitoring of processes (i.e., process parameters) and quality levels (e.g., tolerances for input materials, measurements during and after process steps, and tolerances on the output), as well as optimizations, can be offered if there is access to such data. Figure 5 comprises an example where different groups of data have been separated: the supplier owns what relates to monitoring and status of the IoT product, the object owner or another suitable stakeholder at the customer owns what relates to processes and quality, and the last group is person-related data, which needs to be handled according to the GDPR within the EU and the corresponding privacy laws in the USA, India, China, Australia, etc.

A proposal, also mentioned earlier, is to clearly divide/separate the different types of data that are stored in the IoT product before being transferred further on, using different tables in the database or even different databases. Probably the simplest is to use different tables in the IoT product, as an IoT product may not have the processing capacity to run too many processes in parallel. Other impacting factors are the cost of any licenses, whether it is practical and doable, and whether there are any such requirements among object owners at customers. Who owns the data, who can do what with the data, and what the data may be used for are questions to settle in an agreement or contract between the sales representative and the object owner or another adequate role at the customer. Further, a division/separation also makes it possible to have different cybersecurity levels (e.g., encryption algorithms and key lengths) for the groups of data, and to improve access rights and authorization of what can be done with the data.

At the cloud service or server side (e.g., a local server operated at the customer or a central server operated at the supplier) there are some matters to consider as well. Is it OK to mix customers' data in the same database and tables (often referred to as multi-tenant), or do all or certain customers have their own instance in the cloud service or servers (if it resides at the supplier)? The latter is often referred to as single-tenant and increases the complexity and costs for operations and licenses. However, if it is required by the object owners at customers and they pay for it, it may be necessary to have.
Figure 5 – Example of separation of data within the IoT product, local server or potential middle-storage steps during data transfer, and cloud service/central server, where the supplier owns the monitoring data, the object owner at customers owns process- and quality data, and person-related data is kept apart from the other types of data.

There are fine opportunities to capture new requirements for new versions or generations of IoT products by focusing on monitoring and the data pertaining to general status and maintenance need. However, the necessary agreement and preconditions need to be in place. Progress can be made by finding what works and what does not, whether there are common problems, and whether problems relate to the same root causes in an IoT product. If such root causes are found, the product manager and object owner can, together with the development team and other suitable stakeholders, analyze what needs to be done to get a more value-creating and sustainable IoT product. In some cases, instructions or training of installers and users may be needed instead of design changes, if these people damage the IoT product through harsh handling or install it in the wrong places. Another aspect is to put limitations on usage so that an IoT product cannot break itself doing certain operations or movements. Thus, the monitoring needs to be structured so that the collected data can be analyzed efficiently. Further, data from those who conduct support, service, maintenance and repairs should also be collected to complement the data collected from the IoT product. To simplify the data management and analysis of the human-generated data, it can
be handy to have an application where data can be grouped into standardized groups and areas, which can then be complemented with free text when the data is entered. Having only free-text reports makes analysis and data management harder and requires a lot of effort, as the data then has to be categorized and harmonized using some common measure or scale (i.e., normalization) in order to produce useful analytic results and comparisons.

The monitoring and follow-up of IoT products can be extended further, and it is only the imagination and abilities of the development team that limit what can be achieved. The monitoring and follow-up can be extended with, for instance, self-tests and self-diagnostics that run regularly to check all components, parts and mechanics, that all functions are working, and that tolerances are within the wanted ranges. As a complement to the physical and functional checks, automated and built-in test suites can be used to verify whether the cybersecurity level of the IoT product is OK. Procedures executed by humans can also verify this, but it is better to automate as much as possible. The data and results generated by self-tests, self-diagnostics, test suites and procedures should be collected, stored and used for further analytics and follow-ups.

A possible next step is when the requirements on availability levels are extreme and it is hard for humans to physically access an IoT product. For such situations, the concepts of self-healing or self-repairing IoT products or parts can be useful, in combination with redundancy. Examples of such situations are when the IoT product is built into structures, is situated under water (or far below the surface), or is in the air or in space. Consider whether robots or drones (unmanned aerial vehicles, UAVs) could do or assist in repairs, service or maintenance when humans cannot be present or it is too dangerous for humans. Likely, there will be a lot of non-human interaction with IoT products in the future.

Fleet management as a concept is being developed further. More advanced business models, where the supplier side is required to keep monitoring and control of what happens with what is installed at customers' users, will increasingly rely on fleet management functionality. It may not be a stand-alone IoT product, but a product integrated with services, a Product-Service System, or a function sold with an agreement regarding contractual parameters such as: subscription, promised level of availability, promised level of improved productivity, risk sharing, and revenue sharing from the IoT product's improved value creation above a certain threshold. To pull all this off, it is necessary, besides the ability to monitor and follow up, to extend what can be accomplished remotely, except for what must be executed on-site such as physical service and maintenance (often referred to as MRO: maintenance, repair and overhaul). Further, consider also the potential later re-use and reinstatement, through re-manufacturing or refurbishment, of parts of or whole IoT products. This can improve profitability and sustainability at the same time as lessening the environmental impact. Commonly, the fleet management functions grow organically with time as needs and possibilities are discovered. Below are some examples of potential fleet management functions for monitoring, follow-up, administration and configuration from a distance:
• Prepare, at the supplier or another suitable stakeholder, the installation and initial configuration, either for an individual IoT product or a group of such, with plug-and-play. This requires that the IoT product is aware of certain matters from the start, when it arrives at the customer's operations environment. A preparation with installation/configuration should be made at the supplier or the other stakeholder of the value-chain. Further, the IoT product should be prepared with where it can automatically fetch/download, in a cybersecure manner, the full installation and configuration.
• Remote administration and configuration: centrally be able to change settings and configurations in one IoT product or a group of IoT products and initiate the change. Updates and upgrades can be initiated this way too, and be synchronized with the various asset management functions below.
• Emptying/removal/wiping of data and de-installation: the ability to remotely, at the end of the usage in the customer's operations environment or at the end of the life-cycle, empty/remove/wipe IPR and data from all parts where such are or have been stored (i.e., the IoT product, any middle-steps and middle-storages, and cloud services or server parts). It should be possible to control whether this applies to only one IoT product instance, a group of IoT product instances, one/some/all at a certain customer, or a group of customers that are part of the fleet. This last function should require that more than one administrator performs it, i.e., it should require the cooperation of 2-3 people with adequate authorizations, to minimize mistakes and any sabotage. Further, there should be a verification notification (and logging) when such operations are completed. Read more on this in the following chapter.
• It should be possible to limit an IoT product's functionality and operations level in case of problems (e.g., graceful degradation) to lessen the load, or in the worst case automatically initiate a shutdown to avoid serious and costly damage or breakdowns. Depending on context, such decisions may sometimes require a human decision, but a high level of automation can save dear expenses or, in the worst
case to have to buy a new IoT product. If iden- • Configuration management – store confi-
tifying such problems at an early stage, using guration data to know what hardware and
the fleet management functions, the users/ components each IoT product has, which
operations at the customer can then make versions of software, and when updates/
decisions for how to handle it or if a temporary upgrades/patching are made to what ver-
replacement is needed until the primary one is sion of such. This can save a lot of time
good to go again. and facilitate planning of updates/upgra-
des/patching and also enable searches at
• Collection of feedback and complaints from the
ongoing cyberattacks when there is a need
customers’ users on the IoT product. If there is no other channel to the product manager, for instance via a web site, social media or user groups, for collecting feedback and complaints, the fleet management functions can potentially be used for this as well. Feedback and complaints can generate new development requirements or ideas for improvements, as well as corrections of errors or unclarities. Using a standardized input format for the different areas and functions (normalized measurement data and estimates), with the possibility of free-text input, is beneficial, as it allows this data to be matched with the data from support, service and maintenance.

• Asset management – being able to monitor which IoT products the customers have, and where these IoT products are installed and operating. An overarching asset management system should be connected to the systems/functions for change, configuration and obsolescence management listed below, as asset management is hierarchically above these:

• Change management – stores data about the planning, execution and results of changes in the operations (e.g., re-configurations and set-ups, plus the context of operation).

… for finding out whether a certain piece of software is present, and in which version. An example is the recent log4j issue.

• Obsolescence management – pertains to planning how many spare parts/components and old software versions need to be kept available, and for how long. This is expensive and ties up capital that is not certain to convert into revenue, and may also require a lot of storage space (which also costs). Obsolescence management can nevertheless be a good and profitable part of the business if managed adequately and optimized.

To get a good overview and a basis for decision-making, there is a need for a summary of what the status is, what is happening, and whether there are any acute matters to take care of. A fleet management system or function can have a cockpit or management view, from which it is possible to drill down into more detailed operator views for those who continuously monitor and manage problems within the fleet of IoT products.
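The configuration-management lookup mentioned above ("is a certain piece of software present in the fleet, and in which version?") is the query an asset system has to answer quickly when an advisory such as the log4j one lands. The following is an added example, not code from the handbook: it searches a per-device inventory of installed components for versions inside an affected range. The fleet records, the inventory layout (a `components` mapping per device) and the version-ordering rules are assumptions made here; the log4j bounds are the ones the first Apache advisory for CVE-2021-44228 gave (later revised), so treat them as sample input and check the current advisory before acting on it.

```python
# Added example (not from the handbook): query a fleet inventory for devices
# running a software component at an affected version. Devices, inventory
# layout and the version ordering rules are assumptions made for this example.
from dataclasses import dataclass
import re


@dataclass
class Device:
    device_id: str
    customer: str
    site: str
    components: dict  # component name -> installed version string (e.g. from an SBOM)


# Constructed fleet inventory, not real devices.
FLEET = [
    Device("gw-0001", "acme", "plant-north", {"log4j-core": "2.14.1", "openssl": "1.1.1k"}),
    Device("gw-0002", "acme", "plant-south", {"log4j-core": "2.17.1", "openssl": "1.1.1k"}),
    Device("gw-0003", "beta-ltd", "warehouse", {"log4j-core": "2.0-beta9", "openssl": "3.0.7"}),
    Device("gw-0004", "beta-ltd", "warehouse", {"openssl": "1.0.2u"}),
]

PRERELEASE_TAGS = ("alpha", "beta", "rc")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?")


def parse_version(v: str) -> tuple:
    """Map a version string to a sortable tuple.
    Numeric parts compare numerically (2.14.1 < 2.17.1, not as strings);
    a pre-release tag sorts before its release (2.0-beta9 < 2.0);
    any other letter suffix sorts after the bare version (1.1.1k > 1.1.1)."""
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # pad so that 2.0 == 2.0.0.0
    tag, tagnum = m.group(2), m.group(3)
    if tag is None:
        return nums + (1, "", 0)              # plain release
    rank = 0 if tag.lower() in PRERELEASE_TAGS else 2
    return nums + (rank, tag.lower(), int(tagnum or 0))


def is_affected(installed: str, lowest: str, highest: str) -> bool:
    """Inclusive range check, matching the usual advisory wording
    'versions <lowest> through <highest> are affected'."""
    return parse_version(lowest) <= parse_version(installed) <= parse_version(highest)


def find_affected(fleet, component: str, lowest: str, highest: str):
    """Return (device_id, customer, site, version) for every device whose
    inventory lists `component` at a version inside the affected range.
    Devices that do not carry the component at all are not affected."""
    hits = []
    for dev in fleet:
        version = dev.components.get(component)
        if version is not None and is_affected(version, lowest, highest):
            hits.append((dev.device_id, dev.customer, dev.site, version))
    return hits


if __name__ == "__main__":
    # Sample query: the log4j range from the first Apache advisory for
    # CVE-2021-44228 (later revised; check the current advisory before acting).
    for hit in find_affected(FLEET, "log4j-core", "2.0-beta9", "2.14.1"):
        print("affected:", *hit)
```

The point of the custom ordering is that a naive string comparison would put `2.0-beta9` after `2.0` and `2.9.1` after `2.14.1`, silently missing or over-reporting devices; whatever version scheme a real component uses, the comparison must follow that scheme, not lexical order.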

8. At the end (or a new start) of the life-cycle – cybersecure decommissioning and destruction of data/information in the IoT product and potential cloud services etc.

Prior to the start of the operational phase of the life-cycle, it is hard for suppliers of IoT products to foresee how the actual use and operation will turn out, and which users will use/operate the IoT products. It is also hard to foresee new areas of use and potential extensions of requirements, etc., that materialize and can be capitalized upon in terms of business, social or ecological sustainability. In addition, it is rather common that object owners at customers wish to extend their agreements/contracts far longer than the supplier would like. This is because the object owners find that the IoT products work well and still create value, in an environment where new investments are mostly made only when assets break down or cause too high risks or physical danger. Extending the life-cycle and offering support, service and maintenance for an IoT product causes an extra load on the supplier and value chain. To compensate for this, it is common to raise the price for object owners to reflect the extra load and costs, as well as the reduced focus on the most recent IoT products.

As the world’s resources are used up, new ways of thinking and new concepts are being adopted among suppliers and value chains that manage some sort of physical product or system. To improve resource management and optimize usage, with increased sustainability as a result, there are some potential variants for how to extend an IoT product’s life-cycle. This is often denoted circular economy, but lately the concept of elliptic economy [10], where the usage phase of the life-cycle is extended even further to lessen the consumption of the world’s resources, has also emerged and is being investigated by suppliers. To reach such sustainability, a supplier should also consider which existing/improved/new business model to use, what the foundational and cybersecurity infrastructure should look like, and what knowledge and training packages are needed. Thus, the following should be considered:

• Application of a plus-1 strategy, which may entail that one or a few functions are added and other features are improved a bit, so that the IoT product can continue its life-cycle and be sold for a few more years to create value for object owners at customers. In particular, this can be done for satisfied object owners. Such a strategy has often been used by, for instance, passenger car manufacturers, where some models have been sold for 20 years or more.

• Application of re-manufacturing or refurbishment, extending the life-cycle by exchanging worn/torn parts or components and potentially combining this with upgrades of parts or components required to further improve the IoT product’s functionality. A similar concept is re-conditioning, which encompasses cleaning up, potentially restoring surface layers, and testing that everything is OK. Sometimes a few parts can be exchanged, but that is commonly not part of the

[10] https://www.ltu.se/research/Framtidsomraden/creaternity/Aktuellt/Elliptisk-ekonomi-annu-mer-hallbar-an-cirkular-1.224542


re-conditioning. Re-conditioning is applied by suppliers of used servers, network equipment, cars and mobile phones that are in good condition.

• Application of re-purposing, which may comprise using the IoT product for applications it was not initially intended for, and where an older version of an IoT product will be adequate.

• Application of down-cycling, which means that an IoT product can continue to be used in markets or contexts that have lower requirements, or a lower capacity to pay, than the primary market, but where the business volume is still of interest. An example market is developing countries.

All of the above require that, at the end of the primary life-cycle, an IoT product is emptied/wiped of IPR and data/information, or that such contents are replaced with factory settings or dummy contents. The picture below shows a part of the recycling process for electronics and metals; IoT products should have been emptied/wiped before being input to such a process.

At the very end of the life-cycle, the documentation/user manual should comprise instructions for how to prepare the IoT product and its parts for end of life/scrapping/destruction/recycling without exposing any IPR or data/information (such as configurations, set-ups, recipes/programming, and operational information such as IP addresses) to unauthorized persons. Thus, everything mentioned needs to be emptied/wiped of IPR and data/information, and it should be possible to verify that this has been done.

Note that the emptying/wiping applies to every location where IPR and data/information are stored, which may include a lot more than just the IoT product. Cloud services, servers and intermediate storage that have been used should be included too, and their wiping should also be verifiable. Thus, it is favorable to have a function which empties/wipes all IPR and data/information in all places, with a scope of one IoT product, a group of IoT products, one customer’s IoT products, a group of customers’ IoT products, or all customers’ IoT products, at the very end of the life of an IoT product.

[Photo: Recycling of electronic components and metals. Photo: Adobe Stock.]
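Two things in the passage above are easy to state and easy to get wrong in practice: the wipe must be verifiable afterwards, and it must cover every copy of the data, not just the unit being scrapped. The following is an added example, not code from the handbook, showing one way to do both: overwrite a device partition, read it back and check it against the expected end state and against a list of the secrets that were provisioned on it, bind the result into a MAC-protected wipe record an auditor can check later, and resolve a decommissioning scope (one device, one customer’s devices, everything) to the full list of storage locations that each need the same treatment. The partition, the factory image, the secret list, the record key and the location inventory are all simulated/constructed here.

```python
# Added example (not from the handbook): wipe a device's persistent store,
# verify the result, and produce an attestable wipe record. The partition,
# the factory image, the list of known secrets and the record key are all
# simulated/constructed here; a real device would do the same against flash.
import hashlib
import hmac
import json
import os
import time


class Partition:
    """Simulated non-volatile configuration/data partition."""
    def __init__(self, size: int, contents: bytes = b""):
        if len(contents) > size:
            raise ValueError("contents larger than partition")
        self.data = bytearray(size)
        self.data[:len(contents)] = contents

    def read(self) -> bytes:
        return bytes(self.data)

    def write(self, payload: bytes) -> None:
        if len(payload) != len(self.data):
            raise ValueError("payload must cover the whole partition")
        self.data[:] = payload


def wipe(part: Partition, factory_image: bytes = b"") -> None:
    """Overwrite the whole partition, then lay down the factory image.
    The random pass first ensures no old secret survives in the area that
    the (shorter, well-known) factory image does not cover."""
    part.write(os.urandom(len(part.data)))
    part.write(factory_image.ljust(len(part.data), b"\x00"))


def verify_wiped(part: Partition, factory_image: bytes = b"", known_secrets=()) -> dict:
    """Read the partition back and check two things independently:
    (a) its content is exactly the expected end state (factory image + zero fill),
    (b) none of the secrets that were provisioned on the device is still present."""
    expected = factory_image.ljust(len(part.data), b"\x00")
    data = part.read()
    digest = hashlib.sha256(data).hexdigest()
    return {
        "matches_expected": hmac.compare_digest(digest, hashlib.sha256(expected).hexdigest()),
        "secret_remnants": [name for name, value in known_secrets if value in data],
        "digest": digest,
    }


def wipe_record(device_id: str, scope: str, check: dict, record_key: bytes) -> dict:
    """Bind the verification result to a MAC so an auditor can later tell a
    genuine record from an edited one (record_key is an assumed secret held
    only by the wipe function, e.g. in the fleet management backend)."""
    body = {"device_id": device_id, "scope": scope, "ts": int(time.time()), **check}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"record": body, "mac": hmac.new(record_key, payload, hashlib.sha256).hexdigest()}


def record_is_authentic(record: dict, record_key: bytes) -> bool:
    payload = json.dumps(record["record"], sort_keys=True).encode()
    expected = hmac.new(record_key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])


def decommission(device_id: str, part: Partition, factory_image: bytes,
                 known_secrets, record_key: bytes, scope: str = "device") -> dict:
    """Wipe, verify, and record; 'verified' is only true if both checks pass."""
    wipe(part, factory_image)
    check = verify_wiped(part, factory_image, known_secrets)
    check["verified"] = check["matches_expected"] and not check["secret_remnants"]
    return wipe_record(device_id, scope, check, record_key)


# Every place one device's data lives: the unit itself plus server-side copies.
# Constructed inventory; the location labels are assumptions.
STORES = {
    "gw-0001": {"customer": "acme",     "locations": ["flash", "cloud:telemetry", "backup:2023-11"]},
    "gw-0002": {"customer": "acme",     "locations": ["flash", "cloud:telemetry"]},
    "gw-0003": {"customer": "beta-ltd", "locations": ["flash", "cloud:telemetry", "cloud:recipes"]},
}


def wipe_targets(stores: dict, device_id: str = None, customer: str = None):
    """Resolve a decommissioning scope (one device, one customer's devices, or
    everything) to the full list of (device, location) pairs that must each be
    wiped and verified, so that no cloud or backup copy is forgotten."""
    targets = []
    for dev, meta in stores.items():
        if device_id is not None and dev != device_id:
            continue
        if customer is not None and meta["customer"] != customer:
            continue
        targets.extend((dev, loc) for loc in meta["locations"])
    return targets
```

The two verification checks are deliberately separate: a content hash proves the partition is in the expected state, while the remnant scan catches the case where the expected state itself was wrong (for instance a factory image that still embeds a provisioning key). On real flash, wear levelling and spare blocks mean a read-back of the logical partition is not proof that every physical copy is gone; there, the device’s secure-erase or crypto-erase command is the wipe primitive and this read-back is the verification step on top of it.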


9. Use cases

It is hard, at an early stage, to gain an understanding of and capture a complete set of requirements for an IoT product, as new ideas and experiences are generated once it starts to be used. To facilitate the capturing process, the use of adequate and relevant use cases may give all involved in the development process a better initial understanding of the set of requirements. Chapter 9 is a continuation of chapter 4 and provides a few examples of use cases. Prior to starting the development process, such use cases should be complemented with additional information regarding the operations/usage of the IoT product.

9.1 Use cases with concrete examples

Below are five different use cases, ranging from domestic (home) to various professional environments. The purpose of the use cases is to enhance the understanding that the various contexts’ requirements on cybersecurity are not the same. The more cybersecurity needed, the more it will cost to develop, test, certify, etc., later on during the IoT product’s life-cycle. Further, the more functionality, the more effort will also be required later on for further development and maintenance.

To outline the use cases, a common structure has been used to make them easier to compare. The structure is as follows:

• Organizational type – brief description.

• Operations/processes – introduction to the operations/processes, to understand the set of requirements for the IoT product. The requirements may emanate from: customers/users, laws/regulations, industry standards and other stakeholders.

• Type of IoT products and how these are used.

• Cybersecurity requirements around IoT products.

• Other – whatever else can be of interest and has not already been brought up.

9.1.1 Use case – domestic (home)

• In a domestic setting, the use case ranges from apartments in multi-tenant buildings to townhouses, houses and cabins. The domestic context has an increasingly improved standard, which also applies to infrastructure in the form of Internet connections via fiber, cable-TV or mobile networks. Most households have a low level of cybersecurity awareness and little related knowledge about how to cybersecure the household and reach a hygiene level for cybersecurity.

• Many persons spend a lot of time in the household and use a variety of connected products, machines and systems. There are requirements for sustainability/recyclability, energy efficiency and cybersecurity. Further, there are also mandatory requirements for electrical safety and type approval with CE marking, and recently added requirements for personal data (GDPR), IoT security for consumers (ETSI EN 303 645, originally published as TS 103 645, with conformance assessment in TS 103 701), the EU Cybersecurity Act and the forthcoming EU Cyber Resilience Act, comprising expected requirements for a hygiene level of cybersecurity within digital consumer and professional products.

• In a domestic setting, there is an ongoing replacement of unintelligent home electronics and appliances, machines and systems with increasingly smarter and connected IoT products such as: refrigerators, washing machines, toasters, baby monitors, TV and media equipment, smart watches with pulse meters and GPS, mobile phones, home computers/pads, game consoles, Alexa- or Nest-like devices from Amazon/Google/Apple, heating/cooling systems, building automation systems, lock and alarm systems, cars and


armatures/lighting. All these increasingly smarter IoT products are used to increase comfort, to remotely monitor and control functions or control them by automation (e.g., control by energy cost level), and to learn the status of lock and alarm systems, including water leakage. Thus, all this should improve and simplify daily life as much as possible. There may also be instances of e-health or home care, which use sensors and safety alarms. In such cases, the personal data and its integrity and availability are of great importance.

• The domestic context requires cybersecurity considerations regarding what the inhabitants want to protect. Usually, there is plenty of personal data that should only be accessible to those concerned, which implies that mobile phone security must also be part of this. There are many apps that collect and transmit data or information, as well as whatever various sensors, microphones and cameras pick up. A hygiene level, or baseline, for cybersecurity is needed to protect against cyberattacks and intrusions. Preferably, the protection should be made in layers, starting from the Internet connection and inwards, to prevent malicious actors from: destroying IoT products, learning whether the inhabitants are at home, accessing alarm/surveillance system cameras, opening locks or disabling alarm systems, planting ransomware, or using the IoT product as part of a botnet. The hygiene level comprises having a competent firewall/router at the Internet connection and preferably also segregating/segmenting the network or networks. If there are individual IoT products that need a higher level of protection due to sensitivity, such as alarms, cars, mobile phones, computers and building automation, these should be given extra protection. Above the network level, there should also, if possible, be protection by anti-virus or anti-malware solutions, local firewalls, etc. However, some current IoT products may not have the capacity for that and will therefore be vulnerable. Where availability requirements are high, for instance in cases of e-health or home care as well as for alarm and monitoring systems, extra measures may be needed regarding the cybersecurity level, as well as possibly having a redundant Internet connection via fiber, cable-TV or mobile networks. Further, hardening of the network and the IoT products should be considered to improve the cybersecurity level. Hardening encompasses


that services that are not needed are removed or inactivated, and that communication is limited to only authorized and needed communication (i.e., communication ports that are not needed should be closed and, if possible, only the needed protocols allowed on the open ports and between network segments). Concerning hardening, it would be good if the supplier had already hardened the IoT product from the start, so that it only needs to be opened up where needed at commissioning (i.e., secure by design). The main issue for households is the cost level, as an adequate level of cybersecurity costs money, leading to many households spending too little and getting a poor hygiene level, which in turn is not maintained over time. Another large issue is if the supplier has not developed an adequate level of cybersecurity, as it seldom gets improved over time. Further, it is good practice to enable automatic updating/upgrading so that cybersecurity updates get installed in a timely (i.e., fast) manner, and to have a warning issued in case something is, or seems, not to be OK.

• In addition, a common sense of cybersecurity hygiene and basic knowledge of what to do and not to do are necessary. This should include: not clicking on unknown links or files sent by unknown persons, not opening attached files that have not been checked by an anti-virus solution, and not being conned/defrauded by strangers calling on the phone or by text messages/emails with links. This is also referred to as cybersecurity awareness. Further, all new procurements or re-installations of an IoT product’s basic configuration should require mandatory changes of: device name, user account names, passwords, network addresses and IP masks. There is often a possibility to apply a high level of cybersecurity, but this may require that the basic configuration is walked through after reading the instructions and elevated by using, for instance, stronger encryption algorithms and a higher authentication level.

9.1.2 Use case – industrial organizations or companies with production and distribution processes

• Within manufacturing and process industries, there is often an administrative environment (IT) and another environment where the manufacturing/production takes place (OT). Further, distribution processes are sometimes connected to the OT environment of the manufacturing/production, but are commonly partly or wholly separated. Previously, in many cases only the IT environment was connected to the Internet. However, it is now common that OT environments are also connected, and possible to connect to from the outside. Some OT environments still have no connection, or a poor one, to the Internet. Cybersecurity awareness and maturity have always been satisfactory in parts of industry. However, awareness and maturity need to be strengthened among almost all employees, and industries must organize their cybersecurity for both the IT and OT environments, as these are usually connected to each other.

• Many industrial companies and organizations have their processes operating outside of normal working hours, often running multiple shifts or around the clock, with stops only during one or a few weeks per year. The more continuous the operations are, the harder it is to make any changes in the production processes, and this requires detailed planning of all changes or new installations so that they can be completed within the planned stops. It is further important to be able to restart and be operational again as soon as possible after the planned stop, preferably without problems or disruptions. For efficiency reasons, it is becoming more and more common that suppliers and consultants need to be able to connect from the outside in order to provide services. Further, many IoT products need to share data with both internal and external recipients. There are a number of sustainability requirements
There are a number of sustainability requirements


imposed on IoT products, for instance related to the surrounding environment, having a robust and stable function, and being recyclable, energy efficient and cybersecure. In addition to workplace environment requirements, electrical safety requirements and type approval with CE marking, there are the EU GDPR, the EU Cybersecurity Act and the forthcoming EU Cyber Resilience Act, with requirements for a hygiene level of cybersecurity for digital consumer and professional products.

• Within the manufacturing/production environment, there is often a wide variety of IoT products, with for instance sensor solutions for monitoring and control of processes and production equipment. Also common are alarm/lock systems, building automation with ventilation/heating/cooling, maintenance systems that monitor the condition of production equipment and assets, measurement systems for stockpiles of production input materials (i.e., raw materials), warehouse systems providing bar codes for production output, etc. Distribution processes also use IoT products to keep track of where output is and to ensure that the output quality is kept at the wanted level (e.g., moisture, cooling or keeping the right temperature) until delivery. Within distribution environments, physical security is often lower than in the manufacturing/production environment, and this must be considered properly. Manufacturing/production and distribution environments can be tough on IoT products with respect to physical protection (i.e., environmental protection against water/dirt/dust/cold/heat, impacts, and physical intrusion attempts trying to connect to internal networks via the IoT product) and cybersecurity.

• Within industrial companies and organizations there is information worth protecting in both the IT and OT environments. As most of the value is created in the manufacturing/production environment, it needs to function and operate well. Thus, aspects such as availability, robustness and stability within the manufacturing/production processes are often the most important. Further, the integrity of the processes must be kept high, avoiding variations, stops or disruptions, to ensure that the resulting output has an even and wanted level of quality. There are large amounts of information in such processes, some of which can be confidential, encompassing know-how regarding processes and implementations, methods, recipes/patterns, programming, etc. Merely knowing whether a manufacturing/production process is operational or not can be valuable. Thus, IoT products such as sensors, measurement equipment, monitoring systems and maintenance systems need proper physical protection combined with a required minimum level of cybersecurity hygiene. Where there are weak areas, that is where problems mostly occur. Regarding a hygiene level, the first thing to do is to segregate the networks into IT and OT, and further to divide up/segment the OT environment into smaller segments to keep the processes apart and isolated, protecting them from each other’s problems, and to allow only authorized communication in and out of a segment (as well as between segments). Besides the above, users should only be allowed to do what they must (and no more), any external connections should be controlled, and data should be shared only with the right recipients. In addition, monitoring of networks, patch routines, incident management, backup and restore processes, etc., are necessary. Unfortunately, many IoT products have poor inherent cybersecurity and cannot be upgraded or replaced in a rational way. Thus, some IoT products should not be connected to the OT networks but be kept on islands.

Another issue in OT environments is managing third parties (i.e., suppliers/vendors and consultants) moving around in the environment, and ensuring that they do not bring in any virus/malware or connect “things” without proper authorization from the person responsible for OT security. Distribution environments often comprise IoT products that are exposed and can be used as entry points to get access


to networks and spread viruses/malware. Thus, these IoT products need physical protection, and there should be control of who can communicate with them too. Their cybersecurity must be considered and kept up over time, as well as at decommissioning, when they may otherwise be thrown away in public recycling containers together with their packaging box.

In addition, IoT products should be hardened. This entails removing or inactivating services that are not needed, and limiting communication to only what is needed on specific ports, applications and protocols. The supplier should do this hardening as part of the basic configuration, such that, if wanted or needed, some things can be opened up during installation. General basic configurations for hardening should be applied as general practice. The main problem for industrial organizations and companies is often a lack of competence and clear rules on this, which may cause cybersecurity problems within the OT environment as a result. Another problem is that cybersecurity in OT environments is underinvested compared to the IT environment, which is somewhat strange as most value is generated in the OT environment. An additional, but smaller, problem is that suppliers’ function warranties require that upgrades and patches are approved/authorized prior to installation, and that this often lags in time, leaving vulnerabilities open.

• Otherwise, what is generally needed is good cyber hygiene and knowledge of what to do and not do. For instance: not to charge mobile phones via USB ports on equipment, not to use non-controlled media (USB disks), not to


install unauthorized/uncontrolled software, not to click on unknown web links or open attached files from unknown senders or files that have not been checked for viruses/malware, and not to fall victim to social engineering initiated via phone to get access to login information. Further, all new procurements or re-installations of an IoT product should entail that all factory/basic configurations are changed in terms of device name, user accounts, passwords, network addresses and IP masks. The cybersecurity level should be set to the decided hygiene level, or a level exceeding it.

9.1.3 Use case – maritime industries

• Within maritime industries, spanning vessels, platforms and harbours, there is commonly an administrative environment (IT) and another for the production (OT). This differs a bit from the land-based settings, as the maritime industries, including parts of their distribution processes, are most often situated in ecologically sensitive areas. The distribution processes are sometimes connected to the OT environment of the production, for instance if there are pipelines from oil/gas platforms, but usually they are separated, with vessels taking care of the transport and having their own IT/OT environments (which may be connected to the Internet to share data or fetch updates, etc.). Previously, only the IT environment was connected to the Internet, but more and more OT environments are getting connected (which requires a high cybersecurity level, depending on the type of operation, criticality and perceived risks). Cybersecurity awareness and maturity within parts of the maritime industries have been good for a long time, but now they need to be strengthened for almost all employees, and these companies need to organize their cybersecurity for both the IT and OT environments.

• Many maritime industries have around-the-clock operations and only stop production during one or a few weeks per year. The more continuous the operations are, the harder it is to make changes, and in such cases all changes or new installations must be planned to ensure that they are all completed during the stop and can then be moved smoothly back into operation without any disruptions. For reasons of efficiency, it is becoming more and more common that suppliers and consultants need to extract data from IoT products to be able to plan activities and optimizations (and potentially also connect from the outside to provide services remotely). Thus, there is an increasing need to be able to extract and share data from maritime IoT products for both internal and external use. However, this requires an Internet connection, which is not always available, and the bandwidth may be very low as well as expensive (if using satellite communications). Mobile networks are getting improved coverage but still do not cover many remote places on earth. IoT products for maritime use have a number of requirements pertaining to sustainability in terms of the environment they are used in, a robust and stable function, and being recyclable, energy efficient and cybersecure. Besides common workplace safety regulation, electrical safety requirements and type approval, there are also the UN’s/IMO’s/IACS’s requirements for cybersecurity (for classed vessels, the IACS unified requirements UR E26/E27, which build on IEC 62443-3-3), the EU’s GDPR, the EU Cybersecurity Act and the forthcoming EU Cyber Resilience Act concerning cybersecurity for digital consumer and professional products. Regarding vessels which travel the world, there are a number of additional legal frameworks to cater for, as well as physical security and cybersecurity in harbours, to prevent anything unwelcome from getting aboard.
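The mandatory changes at procurement/re-installation (device name, accounts, passwords, network addresses and masks) and the service hardening described for the domestic (9.1.1) and industrial (9.1.2) use cases above, and repeated for maritime products below, are easiest to enforce as a commissioning gate: the installer’s configuration export is checked against the factory profile and the deployment’s hardening baseline, and the unit is not accepted into service until no finding remains. The following is an added example, not code from the handbook; the export layout, the factory profile, the stand-in password hash, the allowed-service baseline and the minimum TLS version are assumptions made here.

```python
# Added example (not from the handbook): a commissioning gate that refuses to
# accept an IoT product into service while factory defaults remain or while
# services outside the hardening baseline are listening. The config export
# layout, factory profile, hash function and baseline are assumptions.
import hashlib


def pw_hash(password: str) -> str:
    """Stand-in for the device's own password hash; only equality matters here."""
    return hashlib.sha256(password.encode()).hexdigest()


# Factory defaults as shipped with the unit (assumed values).
FACTORY = {
    "device_name": "iot-gateway",
    "accounts": {"admin": "admin", "service": "service123"},
    "ip": "192.168.1.1",
    "netmask": "255.255.255.0",
}
FACTORY_PW_HASHES = {u: pw_hash(p) for u, p in FACTORY["accounts"].items()}

# Hardening baseline for this deployment: the only services allowed to listen,
# and the lowest TLS version they may negotiate (assumed policy).
BASELINE_SERVICES = {"https": 443, "mqtts": 8883}
MIN_TLS = (1, 2)


def check_commissioning(cfg: dict) -> list:
    """Return a list of findings; an empty list means the device may go live."""
    findings = []
    if cfg["device_name"] == FACTORY["device_name"]:
        findings.append("device name is still the factory default")
    for user, h in cfg["account_hashes"].items():
        # an account kept from the factory set is fine only with a new password
        if FACTORY_PW_HASHES.get(user) == h:
            findings.append(f"account {user!r} still uses the factory password")
    if (cfg["ip"], cfg["netmask"]) == (FACTORY["ip"], FACTORY["netmask"]):
        findings.append("network address and mask are still the factory defaults")
    for svc, port in cfg["listening"].items():
        # anything not in the baseline, or a baseline service on the wrong port, fails
        if BASELINE_SERVICES.get(svc) != port:
            findings.append(f"service {svc} on port {port} is outside the hardening baseline")
    if tuple(cfg.get("tls_min_version", (0, 0))) < MIN_TLS:
        findings.append("TLS minimum version is below the baseline")
    return findings


def commission(cfg: dict) -> bool:
    """True only when the gate passes; the findings say what still has to change."""
    return not check_commissioning(cfg)


# Constructed config exports: the unit as unboxed, and the same unit after the
# installer has worked through the basic configuration.
AS_SHIPPED = {
    "device_name": "iot-gateway",
    "account_hashes": {"admin": pw_hash("admin"), "service": pw_hash("service123")},
    "ip": "192.168.1.1", "netmask": "255.255.255.0",
    "listening": {"http": 80, "telnet": 23, "mqtt": 1883, "https": 443},
    "tls_min_version": (1, 0),
}
HARDENED = {
    "device_name": "gw-plant-north-07",
    "account_hashes": {"ops-admin": pw_hash("correct horse battery staple 7!"),
                       "service": pw_hash("q9T#v2Lm!pR8wZx4")},
    "ip": "10.20.1.10", "netmask": "255.255.255.0",
    "listening": {"https": 443, "mqtts": 8883},
    "tls_min_version": (1, 2),
}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, "->", "accepted" if commission(cfg) else check_commissioning(cfg))
```

The gate compares password hashes rather than passwords so that it can run against an export that never contains plaintext credentials; with a real device the comparison is against the hashes the vendor ships, which the supplier can publish as part of the hardening guidance. Running the same check again at each re-installation, as the text recommends, catches a unit that was factory-reset in the field and put back without being re-hardened.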


• In production processes aboard, there are a number of IoT products for monitoring and control of processes, production equipment and propulsion. Further, IoT products are commonly used in steering/navigation and communication systems, physical security (warnings, evacuation, fire extinguishing systems, etc.), alarm/lock systems, automation for ventilation/heating/cooling, measurement systems for cargo and tanks, etc. In addition, distribution processes use IoT products in similar ways as in production processes, but also to keep track of where output/products are and that their quality is kept intact (e.g., pressure, moisture, cooling, keeping within the right temperature range). Within distribution environments, physical security often depends on the age of the vessel and may require improvements so that unauthorized persons cannot get access to IT and OT. Production and distribution environments can be tough on maritime IoT products in terms of physical endurance/protection (environmental protection in terms of water/dirt/dust/cold/heat, resisting impacts, sabotage and physical intrusion attempts to connect to the networks via the IoT product) and cybersecurity.

• Within the maritime industry, there is a great deal of information in both the IT and OT environments which needs to be protected, as most of the value is created in the production and distribution environments. Thus, value creation requires a high level of availability, robustness and stability in the processes. Further, the integrity of the processes needs to be kept high and even, and stops and disruptions should be avoided, in order to achieve output with an even and wanted level of quality. Significant variations in production processes may cause danger in many ways. There are large amounts of information in a production process, some of which may be of a secret nature, such as process and implementation know-how, methods, recipes/patterns, programming, etc. Further, knowing whether a production/distribution process is functioning or not may be valuable if it can affect, for instance, stock market prices. IoT products, e.g., sensors, measurement equipment and systems, monitoring systems, operation systems, control/navigation/planning systems, communication systems and maintenance systems, thus need adequate physical protection in combination with an approved level of cybersecurity. The level needed depends on the operations and context, as well as on which class a vessel or platform has. The level is often considerably higher than for land-based industries. The basic level commonly requires that the IT and OT networks are segregated, and that the OT environment is divided into smaller segments so that different processes are isolated and protected from each other, with only authorized communication inside a segment as well as between segments. Besides that, there is a need to ensure that users can only do what they are supposed to do (and no more), to have control of any external connections and of how data can be shared with the right recipients/partners in a secure manner, to monitor networks, to ensure patch routines, to have up-to-date incident management, and to ensure that backup and restore work. Unfortunately, many older IoT products have a poor inherent level of cybersecurity, which cannot be upgraded or replaced in a rational way, and this leads to these not being allowed to be connected to the OT network but residing on isolated islands. From January 2024, there will be tougher requirements, and some older IoT products may need to be replaced and may not be allowed to be installed in new builds. Another issue is how to handle third parties, vendors and consultants who are moving around in the OT environment, and to ensure that they do not bring in any virus/malware or connect “things” without authorization from the person responsible for OT security.
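The segmentation rule that the industrial (9.1.2) and maritime (9.1.3) use cases share, that only authorized communication passes between IT, the OT segments and the outside, and that unpatchable legacy devices stay on their island, is only as good as the firewall rules that implement it, and those drift. One way to check is to audit firewall or flow logs against an explicit inter-segment policy, so that a flow the firewall allowed but the policy does not cover shows up as a finding. The following is an added example, not handbook code; the address plan, zone names, policy, island device and log lines are constructed here, and the log line format is an assumption.

```python
# Added example (not from the handbook): audit flow-log lines against an
# explicit inter-segment policy. Address plan, zones, policy, the "island"
# device and the log lines are all constructed for this example.
import ipaddress
import re

# Address plan (assumed): one IT network, an OT DMZ, and two production cells.
ZONES = {
    "IT":     ipaddress.ip_network("10.10.0.0/16"),
    "OT-DMZ": ipaddress.ip_network("10.15.0.0/24"),
    "OT-A":   ipaddress.ip_network("10.20.1.0/24"),
    "OT-B":   ipaddress.ip_network("10.20.2.0/24"),
}
# The only inter-segment flows that are authorized: (src zone, dst zone, proto, dport).
POLICY = {
    ("IT", "OT-DMZ", "tcp", 443),         # IT reads the historian in the DMZ over HTTPS
    ("OT-A", "OT-DMZ", "tcp", 4840),      # cell A publishes OPC UA data into the DMZ
    ("OT-B", "OT-DMZ", "tcp", 4840),
    ("OT-DMZ", "EXTERNAL", "tcp", 8883),  # supplier MQTT over TLS leaves from the DMZ only
}
# Legacy device with poor inherent security: allowed no traffic at all.
ISLANDS = {ipaddress.ip_address("10.20.1.99")}

LOG_LINE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"   # anything outside the address plan is "the outside"


def audit_flows(lines):
    """Return (line, reason) for every logged flow that violates the policy.
    Intra-segment traffic is out of scope here (it is the segment's own business);
    island devices are flagged for any traffic whatsoever."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue                         # not a flow record
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3).lower(), int(m.group(4))
        if ipaddress.ip_address(src) in ISLANDS or ipaddress.ip_address(dst) in ISLANDS:
            findings.append((line, "isolated legacy device is on the network"))
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, proto, dport) not in POLICY:
            findings.append((line, f"{src_zone}->{dst_zone} {proto}/{dport} is not an authorized inter-segment flow"))
    return findings


# Constructed flow log (syslog-like; the exact format is an assumption). Every
# line is action=allow: the firewall let these through, the policy may not.
SAMPLE_LOG = """
2023-11-03T10:12:01Z fw1 flow src=10.10.1.5 dst=10.15.0.10 proto=tcp dport=443 action=allow
2023-11-03T10:12:04Z fw1 flow src=10.10.1.5 dst=10.20.1.10 proto=tcp dport=502 action=allow
2023-11-03T10:12:09Z fw1 flow src=10.20.1.10 dst=10.15.0.10 proto=tcp dport=4840 action=allow
2023-11-03T10:12:11Z fw1 flow src=10.20.1.10 dst=10.20.2.10 proto=tcp dport=502 action=allow
2023-11-03T10:12:15Z fw1 flow src=10.20.1.99 dst=10.15.0.10 proto=tcp dport=4840 action=allow
2023-11-03T10:12:20Z fw1 flow src=10.15.0.10 dst=198.51.100.20 proto=tcp dport=8883 action=allow
2023-11-03T10:12:22Z fw1 flow src=10.20.2.10 dst=198.51.100.20 proto=tcp dport=443 action=allow
2023-11-03T10:12:30Z fw1 flow src=10.20.1.10 dst=10.20.1.11 proto=tcp dport=502 action=allow
""".strip().splitlines()

if __name__ == "__main__":
    for line, reason in audit_flows(SAMPLE_LOG):
        print(reason, "|", line)
```

Run against the sample log, the audit flags IT talking Modbus straight into cell A, cell A talking to cell B, the island device publishing data, and cell B reaching the outside directly; the DMZ-only egress and the intra-cell flow pass. The same policy table can be used in reverse, to generate the firewall rules, so that the rule set and the audit cannot disagree about what "authorized" means.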


Within maritime distribution environments, there are often IoT products which are exposed and can be used as a stepping stone to get into networks and spread viruses/malware. Thus, there is a need for physical protection, for keeping control of who can communicate with them, and for considering how to maintain the cybersecurity level over time and what happens at the end of the life-cycle. Further, hardening of maritime IoT products is necessary. The hardening encompasses removing or inactivating services that are not needed, and strictly limiting communication to only the ports, applications and protocols where authorized traffic should pass. The supplier should do the hardening as part of the basic or factory settings, and if needed this can be opened up during installation. Base configurations for hardening are good to use to minimize human error. The large problem for the maritime industry is often a lack of sufficient competence and organization, as well as of locally implemented rules, which may as a consequence cause cybersecurity-related problems in the OT environment. A smaller problem is that the suppliers’ function warranty commonly requires approval by the supplier before upgrades and patches can be installed. Unfortunately, the suppliers take some time to do their own required testing, and this leaves a time gap during which the IoT product is vulnerable.

• In general, what is required is a high level of cybersecurity and knowledge about what not to do, e.g., not to charge mobile phones in USB ports on devices or equipment, not to use uncontrolled media (e.g., USB disks), not to install any uncontrolled software, not to click on any unknown links or open any files/attachments which have not been scanned for viruses/malware, etc. Further, each new procurement or re-installation of a maritime IoT product’s base configuration should require mandatory changes of device name, user accounts, passwords, network addresses and IP mask. The cybersecurity level should be set to the required baseline, or above it (the baseline may be determined by the applicable class requirements).

9.1.4 Use case – municipalities (which are affected by the laws on public procurement)

• Swedish municipalities have operations of wide range and varying extent, where certain parts are very similar to critical infrastructure, industrial organizations and companies, and healthcare, while other parts are oriented towards administration. There are only a few very large municipalities, some middle-sized ones, and most are small, with a population of a few thousand to ten thousand. The small population of most municipalities, particularly if situated in rural areas, has a negative effect on the possibility of finding adequate competence within IT, OT, IoT products and cybersecurity in general. Some parts of the operations are more challenging than others, e.g., the primary and secondary schools, where almost all pupils are connected, as well as public locations such as libraries, sports arenas, buses and squares, all having public municipal Wi-Fi connectivity.

• A municipality is commonly divided into administrative districts/areas, such as: public service, primary and secondary school, social care, recreational activities, culture, environment and construction/building, digitalization, rescue services, harbours, etc. In addition, there may be election and guardianship districts/areas. Regarding urban construction/building, there is often a technical office that deals with real estate, traffic control and lights, sewage and clean water production, as well as IT (unless that is a separate function within the municipality). The other districts/areas have responsibility for schools, libraries, sports arenas and facilities, elderly care and shelters, and local public transport (buses and trams, etc.), which all may have their own IT, OT or MT (medical technology) infrastructure using IoT products in multiple locations. Within a municipality, the boundary and definitions regarding what is classified as critical infrastructure may be somewhat unclear and should be given more attention. The critical context concerns for instance sewage management and clean water production, energy production/distribution, traffic, rescue services, and elderly

… for monitoring of patients, in equipment for remote care (which likely will increase a lot), safety alarms, and other applications enabling
care. Further, also larger roads, airports, and health and elderly care at the care takers’ own
harbours with large logistical impact should homes at increasingly higher age. Thus, there
be part of the critical context. Depending on are a lot of IoT products installed and used
the size of a municipality’s popu­lation and within the operation of a municipality – and
the operation’s impact on society in large, the number will increase as long as the cyber-
the critical districts/areas mentioned may be security-level allows that.
subject to national security protection laws
• Common problems in municipalities, which
and secondary laws form the Swedish Civil
are related to cybersecurity and the use of IoT
Contingencies Agency and Swedish Food
products, are the lack of required competencies,
Agency as well as other authorities. There
tough and prioritized budgets, and that the
are sensitive personal data/information within
law on public procurement discourages some
many of the districts/areas, which requires a
potential suppliers. In addition, the wide
high level of cybersecurity. Thus, legal and
extent of the operations add burden to this too.
regulatory frameworks, such as EU GDPR and
Regarding small and mid-sized municipalities,
potentially NIS/NIS2 and the forthcoming EU
often the main problem is to acquire the right
Cybersecurity Act need to be considered.
competencies. The use of consultants is a short-
• Due to the wide extent of a municipality’s term solution, and due to the COVID pandemic
operations, there are numerous IoT products and the digitalization efforts following it is
installed at many locations (depending on the nowadays easier to get support or help via
level of digitalization). Many IoT products are distance. Small municipalities usually have
used in similar ways as in industrial organi­ small budgets and an IT-department compri-
zations and companies as well as critical sing 2-3 employees, who shall manage 100+
infrastructure to monitor and control, and systems and cybersecurity plus everything
examples of application areas are building else. This equation simply does not add up.
automation (ventilation, heating, and cooling), To find solutions for the future, adjacent
surveillance/locks/alarm systems, etc. Within municipalities have started to collaborate
health and elderly care, IoT products are used and share systems and competencies.

84
Handbook for Development of Cybersecure IoT Products

Larger municipalities usually have access to a wider range of competencies and consultants. Unfortunately, the law on public procurement discourages IoT suppliers from doing business with larger municipalities too.
• In general, municipalities need to adhere to the increasing requirements for improved cybersecurity, as they both store and process a lot of sensitive information and have critical operations and infrastructures. Thus, a general improvement of the cybersecurity level is needed, which also applies to the IoT products used within the wide range of operations in the districts/areas. Of course, cybersecurity requirements vary depending on the type of operation and on whether the IoT products are connected in the IT or OT environments or operate in smaller isolated networks. Paramount for municipalities is to recruit and ensure access to cybersecurity competencies and the additional competencies needed for IoT products. The usage of IoT products is likely to increase a lot within the next 20-30 years as older infrastructure is gradually replaced and additional monitoring using different types of sensor solutions is applied. As mentioned previously, small and mid-sized municipalities ought to cooperate and share systems, staff and competencies. If such cooperation and collaboration is initiated, the municipalities need to agree upon coordination of which IoT products to use and what cybersecurity level to apply – so that the adequate competencies can be acquired.

9.1.5 Use case – critical infrastructures
• There are many similarities between industrial organizations/companies and maritime industries (see earlier use cases), but critical infrastructures have further importance for society and are therefore classified as critical. Of course, parts of industrial organizations/companies and maritime industries can have a significant impact on society and cause large disruptions, in particular if value chains involved with production of components and merchandise, food production, and logistics are impaired. Operations within the EU which are classified as critical infrastructures by the NIS Directive differ slightly from the USA’s classification, as the EU has seven sectors and the USA sixteen sectors as part of the classification. The EU’s seven sectors today comprise the following (these are likely to be augmented within the next few years): banks, infrastructure for financial markets, digital infrastructure, energy, healthcare/hospitals, distribution of clean water, and transport. The USA further includes chemical industries, critical manufacturing/process industries, food production, farming, and emergency services – all of which should be of interest for the EU as well.
• Most critical infrastructures, having production and distribution, operate their processes around the clock and may only have possibilities for shorter stops in production and distribution. Some may have shorter stops, such as clean water production when the water towers are full until they need to be refilled, while sewage management and distribution of electricity must operate continuously. The more continual the operations are, the harder it is to make changes in the production and distribution processes. In such cases, all changes and new installations must be planned and coordinated well so that, when there is a suitable stop, they can be executed and operations resume smoothly afterwards. Employees may, for efficiency reasons, need to connect from the outside and conduct work tasks and monitor that everything progresses well. Third parties, however, should not be allowed to connect from the outside unless there are strong reasons to do so. Further, there is an increasing need for sharing IoT products’ data both internally and externally. In addition, there are a lot of requirements pertaining to environmental sustainability, for a robust and stable function, that they are recyclable and energy efficient, as well as adequately cybersecure. Besides laws related to national security and safety, there are also requirements for work safety and environment, electrical safety and type approval with CE marking. In addition, there are guidelines from ENISA, the Swedish Civil Contingencies Agency and the Swedish Food Agency, as well as laws/regulations concerning the EU’s GDPR, NIS/NIS2 and the forthcoming Cyber Resilience and Cybersecurity Acts (with requirements for a hygiene level regarding cybersecurity for digital consumer and professional products).
• IoT products operated within critical infrastructures are often very similar to the ones used in industrial organizations/companies and maritime industries, but may face further challenges in the distribution processes due to their exposure and the fact that these are hard to physically protect, since their extent ranges over vast geographical areas. Unfortunately, sabotage operations/activities are nowadays something that must be factored into the risk analyses. Thus, the physical and cybersecurity-related requirements are higher compared to the industrial and maritime settings. This requires a very high physical security level in production environments, strict access management, clearer separation of environments, and hardening of the networks and equipment/devices (including the IoT products). Regarding the distribution processes, monitoring and intrusion detection are commonly required, both in terms of physical access and cybersecurity-wise. Monitoring of the distribution processes and the networks’ function is needed to ensure that they function well (i.e., are available and operate as expected). If these processes fail, fast pinpointing of the issue is needed to be able to fix it accordingly.

HIGH VOLTAGE LINE. PHOTO: SHUTTERSTOCK.
• Within critical infrastructures, the cybersecurity requirements for, and surrounding, IoT products are higher or considerably higher compared to industrial settings. The baseline level for cybersecurity must be adequate and there should not be any weak spots or areas. The large problems for critical infrastructures are the lack of enough staff with adequate competencies and security clearance, combined with sometimes unclear local rules, which may cause cybersecurity issues in OT environments because of the extent and the need for continuous improvement. Inadequate budgets are another pressing issue. A smaller problem is the suppliers’ function warranties, which often require that upgrades and patches are pre-approved by the supplier before they can be installed. The issue is that this results in a time window with potentially open vulnerabilities. Due to the continuous operations, a certain level of redundancy is needed, which further enables some updates to be installed in a controlled way without disruptions (unless installed at planned stops). In general, IoT products need to be simple and fast to upgrade or change.
• Finally, a very high level of knowledge concerning cybersecurity and what not to do is needed. Examples are not to charge mobile phones in USB ports, not to use uncontrolled media (USB disks), not to install uncontrolled software, and not to click on unknown links or open any attached files that have not been checked for viruses/malware, etc. Further, all new procurements or re-installations of an IoT product’s base settings shall require a mandatory change of device name, user accounts, passwords, network addresses and IP masks. Unless the IoT products can live up to these expectations, they will not be used in critical infrastructures – of which there are many, as well as extensive ones.
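The factory hardening and the mandatory changes at procurement or re-installation described in both the maritime use case and the critical infrastructures use case can be expressed as a baseline check that an installer or auditor runs before a product goes into operation. The following Python script is an added example, not from the handbook; the factory defaults, the allow-listed services and the device values in it are constructed placeholders.

```python
"""Baseline check of an IoT product's base configuration.

Added example, not from the handbook. It encodes the rules the maritime and
critical infrastructure use cases give: only the services/ports that
authorized traffic needs stay enabled (hardening), and device name, user
accounts, passwords, network address and IP mask must be changed from the
factory values before the product is put into operation (commissioning).
"""
from dataclasses import dataclass

# Factory defaults as shipped by a hypothetical supplier (constructed values).
FACTORY_DEFAULTS = {
    "device_name": "iot-gateway",
    "users": {"admin": "admin"},
    "ip_address": "192.168.0.1",
    "netmask": "255.255.255.0",
}

# Allow-list of (protocol, port) pairs where authorized traffic should pass.
# Constructed for the example; a real baseline is product- and site-specific.
ALLOWED_SERVICES = {("tcp", 443), ("tcp", 8883)}  # HTTPS and MQTT over TLS


@dataclass
class DeviceConfig:
    device_name: str
    users: dict            # username -> password
    ip_address: str
    netmask: str
    enabled_services: set  # {(protocol, port), ...}


def check_baseline(cfg, defaults=FACTORY_DEFAULTS, allowed=ALLOWED_SERVICES):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    # Hardening: every enabled service outside the allow-list must be
    # removed or inactivated before the product is put into operation.
    for proto, port in sorted(cfg.enabled_services - allowed):
        findings.append(f"service {proto}/{port} enabled but not in allow-list")
    # Commissioning: identity, accounts, credentials and addressing must all
    # differ from the factory state, which is publicly documented by the
    # supplier and therefore offers no protection.
    if cfg.device_name == defaults["device_name"]:
        findings.append("device name still factory default")
    for user, password in cfg.users.items():
        if user in defaults["users"]:
            findings.append(f"factory account '{user}' still present")
        if password in defaults["users"].values() or password == user:
            findings.append(f"weak/default password for '{user}'")
    if cfg.ip_address == defaults["ip_address"]:
        findings.append("IP address still factory default")
    if cfg.netmask == defaults["netmask"]:
        findings.append("netmask still factory default")
    return findings


def as_shipped():
    """Factory state: telnet and plain HTTP still enabled (constructed)."""
    return DeviceConfig("iot-gateway", {"admin": "admin"}, "192.168.0.1",
                        "255.255.255.0",
                        {("tcp", 23), ("tcp", 80), ("tcp", 443), ("tcp", 8883)})


def commissioned():
    """State after installation with the mandatory changes applied (constructed)."""
    return DeviceConfig("ship-eng-sensor-07", {"ops_svc": "S3nsor!Uplink#2023"},
                        "10.42.7.21", "255.255.255.192",
                        {("tcp", 443), ("tcp", 8883)})


if __name__ == "__main__":
    for name, cfg in (("as shipped", as_shipped()), ("commissioned", commissioned())):
        print(name, "->", check_baseline(cfg) or "baseline met")
```

Running the script reports seven findings for the factory state and none for the commissioned state; the same check can be rerun after every re-installation, which is when the handbook says the mandatory changes must be repeated.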

10. Suggested readings – frameworks/standards, references and explanation of technical terms

Below, there are lists of suggested readings within: frameworks/standards, new and upcoming EU regulations and directives, and reference literature for those who wish to build deeper knowledge and find more details for various areas and contexts.

Frameworks and other relevant tests which can be of interest in order to understand how an IoT product may fit into the larger context of cybersecurity:
• Consumer/domestic security
  • ETSI TS 103 645/TS 103 701 (www.etsi.org)
  • Regarding connected building automation systems – see further below
  • NIST Cybersecurity for IoT concerning Consumer IoT Products (https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program/consumer-iot-cybersecurity)
• In general and mainly for IT environments
  • CIS controls framework (https://www.cisecurity.org/)
  • ISO/IEC 27001/2/5/17/18/19/32 and more (www.iso.org)
• In general for OT environments
  • Recommendations from the Swedish Civil Contingencies Agency pertaining to industrial control systems, cyber-physical systems and IoT (a number of such publications are available at www.msb.se)
  • Swedish Civil Contingencies Agency – guidelines on cybersecurity for connected building automation, 2015, https://www.msb.se/sv/publikationer/fastighetsautomation--cybersakerhet-inom-fastighetsautomation/
  • NIST standards (mainly aimed at public organizations within the USA but comprising good practices for others as well) – Cybersecurity Framework, SP 800-213, NISTIR 8228, NISTIR 8259, SP 800-30/53/73/82/171 and a number of publications in the 800 series (can be found at www.nist.gov and more at https://www.nist.gov/itl/applied-cybersecurity/nist-cybersecurity-iot-program)
  • ENISA – the EU’s centre for cybersecurity has many cloud- and IoT-related cybersecurity publications available on its web site (www.enisa.europa.eu)
  • ISO/IEC 27019 regarding information security for process control within energy production and distribution (can be found at https://www.iso.org/standard/68091.html)
  • IEC 62443 (where part 3-3 is probably of most interest – https://www.en-standard.eu/)
  • ISA95/98 with the automation pyramid as well as the Purdue model (https://www.isa.org/)
• Maritime environments
  • IMO’s guidelines for maritime environments MSC-FAL.1/Circ.3 and Resolution MSC.428(98) – there are comprehensive frameworks made by, for instance, DNV (DNV-RU-SHIP Pt.6 Ch.5), Lloyd’s Register (Cyber Safe for marine) and American Bureau of Shipping (Cybersafety program). See also IACS E26/27.

• General IoT security (also where the data will reside in a cloud service)
  • ioXt Alliance standard for IoT Security – https://www.ioxtalliance.org/
  • ISO/IEC 27018 (protection of personal information in cloud services – www.iso.org)
  • PCI-DSS (protection of financial information/credit card information, https://www.pcisecuritystandards.org/)
• Municipalities, counties and national states – IoT in various environments within Sweden
  • Robust & Säker IoT: Vägledning för Robust och Säker IoT ver 1.0, Svenska Stadsnätsföreningen (SSNF), 2020, https://www.ssnf.org/nat-i-varldsklass/avtal/nyhet-avtal-robust--saker-iot-version-1.0/
  • Stödmaterial till Klassa – there are a number of publications from the Swedish Association of Local Authorities and Regions and others, https://klassa.skr.se/sidor/stodmaterial
  • Klassa för IoT, Swedish Association of Local Authorities and Regions and RISE, 2020, https://webbutik.skr.se/skr/tjanster/rapporterochskrifter/publikationer/klassaforiot.65074.html
  • Informationssäkerhet inom fastighetsområdet & IoT, Swedish Association of Local Authorities and Regions, 2022, https://webbutik.skr.se/skr/tjanster/rapporterochskrifter/publikationer/informationssakerhetinomfastighetsomradetiot.65014.html
  • Informationssäkerhet i fastighetsorganisationen, Swedish Association of Local Authorities and Regions, 2022, https://skr.se/skr/tjanster/rapporterochskrifter/publikationer/informationssakerhetifastighetsorganisationen.66960.html
  • Referensarkitektur för IoT (till smart stad och digitala tvillingar), Arkitekturgemenskapen (municipalities and regions), 2022, https://inera.atlassian.net/wiki/spaces/AR/pages/2753593356/Referensarkitektur+f+r+IoT
  • NIS/NIS2 Directive (there is information about this on the EU’s and the Swedish Civil Contingencies Agency’s web sites: https://digital-strategy.ec.europa.eu/en/policies/nis-directive and https://www.msb.se/sv/amnesomraden/informationssakerhet-cybersakerhet-och-sakra-kommunikationer/nis-direktivet/)
• Health care
  • MDCG 2019-16 – Guidance on Cybersecurity for medical devices
  • IEC 81001-5-1 – Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle
• Car/vehicle safety
  • ISO 21434 (www.iso.org)

Some upcoming regulations and directives on EU level:
• EU Cybersecurity Act, https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act
• EU Cyber Resilience Act, https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
• EU Radio Equipment Directive (RED), https://single-market-economy.ec.europa.eu/sectors/electrical-and-electronic-engineering-industries-eei/radio-equipment-directive-red_en

Reference literature:
• Securing IoT and Big Data: Next Generation Intelligence, 1st Ed., edited by Vijayalakshmi Saravanan, Alagan Anpalagan, T. Poongodi and Firoz Khan, ISBN 9780367432881, CRC Press, USA, 2021
• IoT Security and Privacy Paradigm, 1st Ed., edited by Souvik Pal, Vicente García Díaz and Dac-Nhuong Le, ISBN 9780429289057, CRC Press, USA, 2020
• IoT Automation: Arrowhead Framework, edited by Jerker Delsing, CRC Press, Boca Raton, USA, 2017
• Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, 2nd Ed., Eric D. Knapp and Joel Thomas Langill, Syngress/Elsevier, MA, USA, 2014

Explanation of technical terms:
• IT – information technology, used more or less everywhere and often in homes and offices for administrative purposes.
• OT – operational technology, used for instance in production and distribution environments within industry and critical infrastructures. OT equipment is sometimes similar to the equipment used within IT environments, and in the future a lot of IT and OT will likely converge from a technology standpoint, although their functionality differs. Within OT there may be requirements for speed, i.e., real-time, as well as availability level, mixed with other requirements that are not time critical.
• MT – medical technology, used within health care; similar to OT but often with even higher requirements pertaining to time criticality, performance and availability.
• Fleet management – if there are a lot of IoT products installed and running at different customers, these are often called a fleet. A fleet management system, or functions, can be used to keep track of, monitor, remotely maintain or support a fleet of IoT products from a distance. Such a system or functions can improve efficiency and speed up the time until necessary actions are taken. An alternative, if remote maintenance or support is not possible, is to ask the customer’s users/operations to lower the load/speed or stop operations if there are signs of serious problems before a breakdown occurs.

THERE ARE MANY FRAMEWORKS/STANDARDS, NEW LAWS AND REGULATIONS THAT REQUIRE YOU TO STAY TUNED WHEN IT COMES TO CYBER SECURITY AND IOT PRODUCTS. PHOTO: ADOBE STOCK

With support from: Strategic Innovation Programmes
smartareelektroniksystem.se
svenskelektronik.se
ISBN: 978-91-985741-5-9
Price: 374 SEK excl. VAT