1.3 Scope
The scope of this document includes (but is not limited to):
- Business processes
- The “Things” in IoT, i.e. network-connected products and/or devices
- Aggregation points such as gateways and hubs that form part of the connectivity
- Networking, including wired and radio connections, cloud and server elements
1.3.1 Key Issues for IoT Security
The key compliance requirements can be summarised as follows:
Security Requirements
The following table outlines key security requirements and associated actions:
Key Requirement | Action Required | Framework Reference |
---|---|---|
Management governance | There must be a named executive responsible for product security, and privacy of customer information. | 2.4.3, 2.4.11 |
Engineered for security | The hardware and software must be designed with attention to security threats. | 2.4.4, 2.4.5, 2.4.6, 2.4.7 |
Fit for purpose cryptography | Cryptographic functions should be drawn from best-practice industry standards. | 2.4.8, 2.4.9 |
Secure network framework and applications | Precautions have been taken to secure Apps, web interfaces, and server software. | 2.4.12, 2.4.13 |
Secure production processes and supply chain | Making sure the security of the product is not compromised in the manufacturing process or in the end customer delivery and installation. | 2.4.10, 2.4.12, 2.4.13 |
Safe and secure for the customer | The product is safe and secure "out of the box" and in its day-to-day use. The configuration and control should guide the person managing the device into maintaining security and provide for software updates, vulnerability disclosure policy, and life cycle management. | 2.4.14 |
1.3.2 The Supply Chain of Trust
All end-use products are constructed using a set of component parts, typically sourced from a variety of suppliers. These parts may be electronic or mechanical components, software modules or packages, including open source. Many of these parts will be procured from third party suppliers. It is important that all parts, together with the supply chain logistics, be subject to a security review/audit.
The final IoT product can then be provided with its own evidence of security assessment, together with the component parts documents, as a complete package of auditable evidence. This will help users to assess how the product conforms to the overall “supply chain of trust” [ref 36].¹
Footnotes
1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), an approach for managing information security risks. [https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546]