Version: 4.0

1.3 Scope

The scope of this document includes (but is not limited to):

  • Business processes

  • The “Things” in IoT, i.e. network connected products and/or devices

  • Aggregation points such as gateways and hubs that form part of the connectivity

  • Networking, including wired and radio connections, cloud and server elements

1.3.1 Key Issues for IoT Security

The key requirements can be summarised as follows:

| Key Requirement | Action Required | Framework Reference |
|---|---|---|
| Management governance | There must be a named executive responsible for product security, and privacy of customer information. | 2.4.3, 2.4.11 |
| Engineered for security | The hardware and software must be designed with attention to security threats. | 2.4.4, 2.4.5, 2.4.6, 2.4.7 |
| Fit for purpose cryptography | These functions should be from the best practice industry standards. | 2.4.8, 2.4.9 |
| Secure network framework and applications | Precautions have been taken to secure Apps, web interfaces, and server software. | 2.4.12, 2.4.13 |
| Secure production processes and supply chain | Making sure the security of the product is not compromised in the manufacturing process or in the end customer delivery and installation. | 2.4.10, 2.4.12, 2.4.13 |
| Safe and secure for the customer | The product is safe and secure "out of the box" and in its day-to-day use. The configuration and control should guide the person managing the device into maintaining security and provide for software updates, vulnerability disclosure policy, and life cycle management. | 2.4.14 |

1.3.2 The Supply Chain of Trust

All end-use products are constructed from a set of component parts, typically sourced from a variety of suppliers. These parts may be electronic or mechanical components, or software modules or packages, including open source. For the software elements of a product, a Software Bill of Materials (SBoM) is now required by multiple standards and regulations. An SBoM provides a hierarchical list of the components in a software build and insight into their dependencies, and is usually produced by a Software Composition Analysis (SCA) tool. It also provides insight into risk factors within the codebase such as licence infringement, vulnerability exposure and code provenance [NTIA.GOV.SBOM]¹ [IOTSF.SBOM]².

During the development of a new product, the externally sourced components (both software and hardware) should be itemised and recorded in the product design portfolio. The software components are largely external function libraries (mostly Open Source); these can easily be listed, and an SBoM generated, using readily available commercial or free SCA scanning tools. The SBoMs from the supply chain can be concatenated into a single product master SBoM file. Many countries now require SBoMs to be available under their respective legislation, and this has encouraged many large OEMs, retailers and government procurement services to also demand SBoMs as part of any product supplied to them. Automated scans of the product SBoMs enable a risk assessment of the security quality of the components by checking for out-of-date libraries or current CVE (Common Vulnerabilities and Exposures) reports [MITRE.CVE]³. The resultant audits and risk reviews allow the complete product plus supply chain to be assessed against legislative or customer demands.
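The SBoM workflow described above (per-supplier SBoMs concatenated into a product master, then scanned for out-of-date libraries and known CVEs), as an added example that is not IoTSF's code. It assumes CycloneDX-style JSON input; the supplier SBoMs, the advisory feed, the "latest release" table and the CVE identifiers are all constructed placeholders.

```python
import json

# Added example, not IoTSF code. Inputs are CycloneDX-style JSON with a
# "components" list; every SBoM, advisory id and version below is constructed.
SUPPLIER_SBOMS = [  # e.g. the hub's firmware build and a radio module's stack
    json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libtls", "version": "1.2.0", "purl": "pkg:generic/libtls@1.2.0"},
        {"name": "jsonparse", "version": "0.9.1", "purl": "pkg:generic/jsonparse@0.9.1"}]}),
    json.dumps({"bomFormat": "CycloneDX", "components": [
        {"name": "libtls", "version": "1.2.0", "purl": "pkg:generic/libtls@1.2.0"},
        {"name": "rf-stack", "version": "3.0.4", "purl": "pkg:generic/rf-stack@3.0.4"}]}),
]
# Constructed advisory feed keyed by purl (placeholder ids, not real CVEs).
ADVISORIES = {"pkg:generic/libtls@1.2.0": ["CVE-PLACEHOLDER-0001"]}
# Constructed "latest release" table used to spot out-of-date libraries.
LATEST = {"libtls": "1.2.0", "jsonparse": "1.1.0", "rf-stack": "3.0.4"}


def merge_sboms(docs):
    """Concatenate supplier SBoMs into one master SBoM, de-duplicated on purl."""
    master = {}
    for doc in docs:
        for comp in json.loads(doc)["components"]:
            master.setdefault(comp["purl"], comp)  # first sighting wins
    return {"bomFormat": "CycloneDX",
            "components": sorted(master.values(), key=lambda c: c["purl"])}


def version_tuple(version):
    """'1.2.0' -> (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(master, advisories=ADVISORIES, latest=LATEST):
    """Return {purl: [findings]} for components with advisories or stale versions."""
    findings = {}
    for comp in master["components"]:
        issues = list(advisories.get(comp["purl"], []))
        newest = latest.get(comp["name"])
        if newest and version_tuple(comp["version"]) < version_tuple(newest):
            issues.append(f"out of date: {comp['version']} < {newest}")
        if issues:
            findings[comp["purl"]] = issues
    return findings


if __name__ == "__main__":
    print(json.dumps(assess(merge_sboms(SUPPLIER_SBOMS)), indent=2))
```

A real pipeline would replace the inline advisory feed and release table with a CVE/NVD query and the component vendors' release data, but the merge-then-assess shape is the same.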

The final IoT product can then be provided with its own evidence of security assessment, together with the documents for its component parts, as a complete package of auditable evidence. This will help users to assess how the product conforms to the overall “supply chain of trust” [IOTSF.SCW]⁴.

Footnotes

  1. US National Telecommunications and Information Administration (NTIA) Guidance: "Software Bill Of Materials". https://www.ntia.gov/page/software-bill-materials.

  2. IoTSF Whitepaper "The Use of Software Bills of Materials for IoT and OT Devices", Release 1.1.0, February 2023. https://iotsecurityfoundation.org/the-use-of-software-bills-of-materials-for-iot-and-ot-devices/.

  3. "CVE® Program Mission". https://www.cve.org/.

  4. IoTSF Whitepaper "Securing the Internet of Things Supply Chain", Release 1.0.0, June 2022. https://iotsecurityfoundation.org/wp-content/uploads/2022/06/RELEASE-JUNE-2022-IoTSF-supply-chain-whitepaper-v5.pdf.