Skip to main content

scope

1.3 Scope

The scope of this document includes (but is not limited to):

  • Business processes

  • The “Things” in IoT, i.e. network connected products and/or devices

  • Aggregation points such as gateways and hubs that form part of the connectivity

  • Networking including wired, and radio connections, cloud and server elements

1.3.1 Key Issues for IoT Security

The key compliance requirements can be summarised as follows:

Security Requirements

The following table outlines key security requirements and associated actions:

Key RequirementAction RequiredFramework Reference
Management governanceThere must be a named executive responsible for product security, and privacy of customer information.2.4.3, 2.4.11
Engineered for securityThe hardware and software must be designed with attention to security threats.2.4.4, 2.4.5, 2.4.6, 2.4.7
Fit for purpose cryptographyThese functions should be from the best practice industry standards.2.4.8, 2.4.9
Secure network framework and applicationsPrecautions have been taken to secure Apps, web interfaces, and server software.2.4.12, 2.4.13
Secure production processes and supply chainMaking sure the security of the product is not compromised in the manufacturing process or in the end customer delivery and installation.2.4.10, 2.4.12, 2.4.13
Safe and secure for the customerThe product is safe and secure "out of the box" and in its day-to-day use. The configuration and control should guide the person managing the device into maintaining security and provide for software updates, vulnerability disclosure policy, and life cycle management.2.4.14

1.3.2 The Supply Chain of Trust

All end-use products are constructed using a set of component parts, typically sourced from a variety of suppliers. These parts may be electronic or mechanical components, software modules or packages, including open source. Many of these parts will be procured from third party suppliers. It is important that all parts, together with the supply chain logistics, be subject to a security review/audit.

The final IoT product can then be provided with its own evidence of security assessment, together with the component parts documents, as a complete package of auditable evidence. This will help users to assess how the product conforms to the overall “supply chain of trust” [ref 36]1.

Footnotes

  1. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), an approach for managing information security risks. [https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546]