2.4.13 Cloud and Network Elements
This section’s intended audience is for those personnel who are responsible for the security of the IoT Product or Services’ Cloud or Network Systems.
| Req No | Requirement | Primary Keyword | Secondary Keyword | Compliance Class And Applicability |
|---|---|---|---|---|
| 2.4.13.1 | All the product related cloud and network elements have the latest operating system(s) security updates implemented and processes are in place to keep them updated. | Business | Process | Mandatory for Class 2 and above |
| 2.4.13.2 | Any product related web servers have their webserver identification options (e.g. Apache or Linux) switched off. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.3 | All product related web servers have their webserver HTTP trace and trace methods disabled. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.4 | All the product related web servers’ TLS certificate(s) are signed by trusted certificate authorities; are within their validity period; and processes are in place for their renewal. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.5 | The Product Manufacturer or Service Provider has a process to monitor the relevant security advisories to ensure all the product related web servers use protocols with no publicly known weaknesses. | Business | Process | Mandatory for Class 1 and above |
| 2.4.13.6 | The product related web servers support appropriately secure TLS/DTLS ciphers and disable/remove support for deprecated ciphers. | System | Software | Advisory for all classes |
| 2.4.13.7 | The product related web servers have repeated renegotiation of TLS connections disabled. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.8 | The related servers have unused IP ports disabled. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.9 | Where a product related to a webserver encrypts communications using TLS and requests a client certificate, the server(s) only establishes a connection if the client certificate and its chain of trust are valid. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.10 | Where a product related to a webserver encrypts communications using TLS, certificate pinning is implemented. | System | Software | Advisory for all classes |
| 2.4.13.11 | All the related servers and network elements prevent the use of null or blank passwords. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.12 | Intentionally left blank to maintain requirement numbering | - | ||
| 2.4.13.13 | Intentionally left blank to maintain requirement numbering | - | ||
| 2.4.13.14 | All the related servers and network elements enforce passwords that follows industry good practice. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.15 | Brute force attacks are impeded by introducing escalating delays following failed user account login attempts, and/or a maximum permissible number of consecutive failed attempts. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.16 | All the related servers and network elements store any passwords using a cryptographic implementation using industry standard cryptographic algorithms. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.17 | All the related servers and network elements support access control measures to restrict access to sensitive information or system processes to privileged accounts. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.18 | All the related servers and network elements prevent anonymous/guest access except for read only access to public information. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.19 | If run as a cloud service, the service meets industry standard cloud security principles. | System | Software | Advisory for all classes |
| 2.4.13.20 | Where a Product or Services includes any safety critical or life-impacting functionality, the services infrastructure shall incorporate protection against DDOS attacks, such as dropping of traffic or sink-holing. | System | Software | Mandatory for Class 2 and above |
| 2.4.13.21 | Where a Product or Service includes any safety critical or life-impacting functionality, the services infrastructure shall incorporate redundancy to ensure service continuity and availability. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.22 | Input data validation should be maintained in accordance with industry best practice methods. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.23 | If run as a cloud service, the cloud service TCP based communications (such as MQTT connections) are encrypted and authenticated using the latest TLS standard. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.24 | If run as a cloud service, UDP-based communications are encrypted using the latest Datagram Transport Layer Security (DTLS). | System | Software | Mandatory for Class 1 and above |
| 2.4.13.25 | Where device identity and/or configuration registries (e.g., "thing shadows") are implemented to "on-board" devices within a cloud service, the registries are configured to restrict access to only authorized administrators. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.26 | Product-related cloud services bind API keys to specific IoT applications and are not installed on non-authorised devices. | System | Software | Mandatory for Class 2 and above |
| 2.4.13.27 | Product-related cloud services API keys are not hard-coded into devices or applications. | System | Software | Mandatory for all classes |
| 2.4.13.28 | If run as a cloud service, privileged roles are defined and implemented for any gateway/service that can configure devices. | System | Software | Mandatory for Class 2 and above |
| 2.4.13.29 | Product-related cloud service databases are encrypted during storage. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.30 | Product-related cloud service databases restrict read/write access to only authorized individuals, devices and services. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.31 | Product-related cloud services are designed using a defence-in-depth architecture consisting of Virtual Private Clouds (VPCs), firewalled access, and cloud-based monitoring. | System | Software | Mandatory for Class 1 and above |
| 2.4.13.32 | When implemented as a cloud service, all remote access to cloud services is via secure means (e.g. SSH). | System | Software | Mandatory for Class 1 and above |
| 2.4.13.33 | Product-related cloud services monitor for compliance with connection policies and report out-of-compliance connection attempts. | System | Software | Mandatory for Class 2 and above |
| 2.4.13.34 | IoT edge devices should connect to cloud services using secure hardware and services (e.g. TLS using private keys stored in secure hardware). | System | Hardware | Mandatory for Class 1 and above |
| 2.4.13.35 | Any personal data communicated between the mobile app and the device shall be encrypted. Where the data includes sensitive personal data then the encryption must be appropriately secure. | System | Software | Mandatory for Class 2 and above |
| 2.4.13.36 | Subject to user permission, telemetry data from the device should be analysed for anomalous behaviour to detect malfunctioning or malicious activity. | System | Software | Mandatory for Class 2 and above |