
2.4.13 Cloud and Network Elements

This section is intended for personnel responsible for the security of the cloud or network systems that support an IoT Product or Service.

| Req No | Requirement | Compliance Class and Applicability | Primary Keyword | Secondary Keyword |
|---|---|---|---|---|
| 2.4.13.1 | All product-related cloud and network elements have the latest operating system security updates applied, and processes are in place to keep them updated. | Mandatory for Class 2 and above | Business | Process |
| 2.4.13.2 | Any product-related web servers have their web server identification options (e.g. Apache or Linux version banners) switched off. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.3 | All product-related web servers have the HTTP TRACE method and any equivalent trace methods disabled. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.4 | All product-related web servers' TLS certificates are signed by trusted certificate authorities, are within their validity period, and processes are in place for their renewal. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.5 | The Product Manufacturer or Service Provider has a process to monitor the relevant security advisories to ensure all product-related web servers use protocols with no publicly known weaknesses. | Mandatory for Class 1 and above | Business | Process |
| 2.4.13.6 | The product-related web servers support appropriately secure TLS/DTLS cipher suites and disable or remove support for deprecated cipher suites. | Advisory for all classes | System | Software |
| 2.4.13.7 | The product-related web servers have repeated renegotiation of TLS connections disabled. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.8 | The related servers have unused network (TCP/UDP) ports disabled. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.9 | Where a product-related web server encrypts communications using TLS and requests a client certificate, the server only establishes a connection if the client certificate and its chain of trust are valid. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.10 | Where a product-related web server encrypts communications using TLS, certificate pinning is implemented. | Advisory for all classes | System | Software |
| 2.4.13.11 | All related servers and network elements prevent the use of null or blank passwords. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.12 | Intentionally left blank to maintain requirement numbering | - | | |
| 2.4.13.13 | Intentionally left blank to maintain requirement numbering | - | | |
| 2.4.13.14 | All related servers and network elements enforce passwords that follow industry good practice. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.15 | Brute-force attacks are impeded by introducing escalating delays following failed user account login attempts, and/or a maximum permissible number of consecutive failed attempts. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.16 | All related servers and network elements store any passwords using a cryptographic implementation based on industry-standard cryptographic algorithms. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.17 | All related servers and network elements support access control measures that restrict access to sensitive information or system processes to privileged accounts. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.18 | All related servers and network elements prevent anonymous/guest access except for read-only access to public information. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.19 | If run as a cloud service, the service meets industry-standard cloud security principles. | Advisory for all classes | System | Software |
| 2.4.13.20 | Where a Product or Service includes any safety-critical or life-impacting functionality, the service infrastructure incorporates protection against DDoS attacks, such as dropping of traffic or sink-holing. | Mandatory for Class 2 and above | System | Software |
| 2.4.13.21 | Where a Product or Service includes any safety-critical or life-impacting functionality, the service infrastructure incorporates redundancy to ensure service continuity and availability. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.22 | Input data validation is maintained in accordance with industry best-practice methods. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.23 | If run as a cloud service, the cloud service's TCP-based communications (such as MQTT connections) are encrypted and authenticated using the latest TLS standard. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.24 | If run as a cloud service, UDP-based communications are encrypted using the latest Datagram Transport Layer Security (DTLS) standard. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.25 | Where device identity and/or configuration registries (e.g. "thing shadows") are implemented to on-board devices within a cloud service, the registries are configured to restrict access to authorised administrators only. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.26 | Product-related cloud services bind API keys to specific IoT applications, and the keys are not installed on non-authorised devices. | Mandatory for Class 2 and above | System | Software |
| 2.4.13.27 | Product-related cloud service API keys are not hard-coded into devices or applications. | Mandatory for all classes | System | Software |
| 2.4.13.28 | If run as a cloud service, privileged roles are defined and implemented for any gateway or service that can configure devices. | Mandatory for Class 2 and above | System | Software |
| 2.4.13.29 | Product-related cloud service databases are encrypted at rest. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.30 | Product-related cloud service databases restrict read/write access to authorised individuals, devices and services only. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.31 | Product-related cloud services are designed using a defence-in-depth architecture consisting of Virtual Private Clouds (VPCs), firewalled access and cloud-based monitoring. | Mandatory for Class 1 and above | System | Software |
| 2.4.13.32 | When implemented as a cloud service, all remote access to cloud services is via secure means (e.g. SSH). | Mandatory for Class 1 and above | System | Software |
| 2.4.13.33 | Product-related cloud services monitor for compliance with connection policies and report out-of-compliance connection attempts. | Mandatory for Class 2 and above | System | Software |
| 2.4.13.34 | IoT edge devices connect to cloud services using secure hardware and services (e.g. TLS using private keys stored in secure hardware). | Mandatory for Class 1 and above | System | Hardware |
| 2.4.13.35 | Any personal data communicated between the mobile app and the device is encrypted. Where the data includes sensitive personal data, the encryption must be appropriately secure. | Mandatory for Class 2 and above | System | Software |
| 2.4.13.36 | Subject to user permission, telemetry data from the device is analysed for anomalous behaviour to detect malfunctioning or malicious activity. | Mandatory for Class 2 and above | System | Software |
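The web-server rows above (2.4.13.4, 2.4.13.6, 2.4.13.7, 2.4.13.9, 2.4.13.10 and 2.4.13.23) each name a TLS setting without saying where it is configured. The Python below is an added example, not code from the IoTSF framework or from any product it covers: it builds a server SSLContext with each of those settings, audits an arbitrary context for the same settings, and shows the client-side fingerprint comparison that certificate pinning reduces to. The cipher string, the finding strings and the helper names are assumptions made here; the certificate and CA file arguments are optional only so the block runs offline.

```python
"""Server-side TLS hardening for the web-server rows above (2.4.13.4, .6, .7, .9,
.10 and .23). Added illustration, not code from the IoTSF framework: it maps
each row to the knob Python's ssl module exposes on an SSLContext and audits a
context against them. Finding strings and cipher choices are assumptions."""
import hashlib
import hmac
import ssl

# 2.4.13.6: forward-secret AEAD suites only. The '!' entries make the removal of
# deprecated families explicit even though the positive list already excludes them.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")

# Audit findings (assumed wording) so reports and tests can match them exactly.
F_OLD_TLS = "minimum protocol version below TLS 1.2"
F_WEAK_CIPHER = "deprecated cipher suites enabled"
F_NO_CLIENT_AUTH = "client certificates not required"
F_RENEG = "TLS renegotiation not disabled"
F_COMPRESSION = "TLS compression not disabled"


def build_server_context(cert_chain=None, key_file=None, client_ca_file=None):
    """Hardened server context. The file arguments are optional only so the
    function can be exercised offline; a deployment supplies all three."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # 2.4.13.23: no TLS 1.0/1.1
    ctx.set_ciphers(STRONG_CIPHERS)                     # 2.4.13.6
    ctx.options |= ssl.OP_NO_COMPRESSION                # compression-oracle attacks
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE      # server picks the suite
    # 2.4.13.7: OP_NO_RENEGOTIATION needs OpenSSL >= 1.1.0h. On older builds the
    # flag is absent, nothing is set, and audit_context() reports it.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # 2.4.13.9: a requested client certificate that is missing or whose chain
    # does not verify fails the handshake rather than degrading to anonymous.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    if cert_chain:
        ctx.load_cert_chain(cert_chain, key_file)       # 2.4.13.4: CA-signed chain
    return ctx


def build_unhardened_context():
    """Library defaults, shown for comparison: no client auth, no version floor."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def weak_ciphers_enabled(ctx):
    """Names of negotiable suites that match a deprecated family marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


def audit_context(ctx):
    """Return the list of findings (empty when the context satisfies the rows)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(F_OLD_TLS)
    if weak_ciphers_enabled(ctx):
        findings.append(F_WEAK_CIPHER)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(F_NO_CLIENT_AUTH)
    reneg = getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if not reneg or not (ctx.options & reneg):
        findings.append(F_RENEG)
    if not (ctx.options & ssl.OP_NO_COMPRESSION):
        findings.append(F_COMPRESSION)
    return findings


def sha256_fingerprint(der_cert):
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pins):
    """2.4.13.10, client side: compare the peer's DER certificate (what
    SSLSocket.getpeercert(binary_form=True) returns) with the pin set using a
    constant-time comparison. Pinning the whole certificate is the simplest
    form; pinning the SPKI hash instead survives re-issuance with the same key."""
    fp = sha256_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, p) for p in pins)


if __name__ == "__main__":
    print("hardened  :", audit_context(build_server_context()) or "no findings")
    print("unhardened:", audit_context(build_unhardened_context()))
```

Run stand-alone, the block prints the findings for the hardened context and for library defaults. The renewal process that 2.4.13.4 also asks for sits outside this code: what expires is the loaded certificate chain, not the context, so expiry monitoring has to look at the chain files or the live endpoint. Whole-certificate pins must be rotated on every re-issuance, which is why SPKI pinning is the usual production choice.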
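Rows 2.4.13.11, 2.4.13.14, 2.4.13.15 and 2.4.13.16 describe a single login gate from four angles. The Python below is an added example, not code from the IoTSF framework, that implements that gate in one place: a blank-password and minimum-length policy, PBKDF2-HMAC-SHA256 with a per-user salt for storage, and an escalating-delay schedule with a cap on consecutive failures. All thresholds (12 characters, 10 failures, 1 s doubling to a 300 s cap, 600,000 iterations) and the class and method names are assumptions made here, not values the framework specifies.

```python
"""Credential handling for the server and network-element rows above.

Added example, not code from the IoTSF framework: one login gate covering
2.4.13.11 (no blank passwords), 2.4.13.14 (password policy), 2.4.13.15
(escalating delays plus a failure cap) and 2.4.13.16 (standard hashing).
Every threshold below is an illustrative assumption."""
import hashlib
import hmac
import secrets

MIN_PASSWORD_LENGTH = 12        # assumed policy: length only, no composition rules
MAX_CONSECUTIVE_FAILURES = 10   # assumed cap before the account locks
BASE_DELAY_SECONDS = 1.0        # delay after the first failure; doubles per failure
MAX_DELAY_SECONDS = 300.0       # assumed bound on the escalating schedule
SALT_BYTES = 16
DK_LEN = 32


def validate_policy(password):
    """2.4.13.11 and 2.4.13.14: reject null/blank and too-short passwords."""
    if password is None or not password.strip():
        raise ValueError("null or blank passwords are not permitted")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")


def hash_password(password, iterations):
    """2.4.13.16: PBKDF2-HMAC-SHA256 with a random per-user salt; stored as salt || dk."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return salt + dk


def verify_password(stored, password, iterations):
    salt, dk = stored[:SALT_BYTES], stored[SALT_BYTES:]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return hmac.compare_digest(cand, dk)


def delay_after(failures):
    """2.4.13.15 schedule: 1 s, 2 s, 4 s, ... capped at MAX_DELAY_SECONDS."""
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


class LoginGuard:
    def __init__(self, iterations=600_000):
        self.iterations = iterations
        self._hashes = {}       # username -> salt || dk
        self._failures = {}     # username -> consecutive failures
        self._not_before = {}   # username -> earliest time the next attempt is processed
        # Unknown usernames are verified against this dummy so response time
        # does not reveal whether an account exists.
        self._dummy = hash_password(secrets.token_hex(16), iterations)

    def register(self, username, password):
        validate_policy(password)
        self._hashes[username] = hash_password(password, self.iterations)
        self._failures[username] = 0
        self._not_before[username] = 0.0

    def unlock(self, username):
        """Administrative reset after a lockout."""
        self._failures[username] = 0
        self._not_before[username] = 0.0

    def attempt(self, username, password, now):
        """Return 'ok', 'denied', 'delayed' or 'locked'. `now` is a monotonic
        timestamp supplied by the caller so the schedule is testable."""
        if self._failures.get(username, 0) >= MAX_CONSECUTIVE_FAILURES:
            return "locked"
        if now < self._not_before.get(username, 0.0):
            return "delayed"   # gated before hashing: neither verified nor counted
        stored = self._hashes.get(username)
        valid = verify_password(self._dummy if stored is None else stored,
                                password, self.iterations)
        if stored is None:
            return "denied"    # no per-user state for names that do not exist
        if valid:
            self._failures[username] = 0
            return "ok"
        failures = self._failures[username] + 1
        self._failures[username] = failures
        self._not_before[username] = now + delay_after(failures)
        return "denied"
```

The delay gate runs before any hash is computed, and a delayed attempt is neither verified nor counted, so the delay window cannot be used as a free oracle and a correct password submitted inside it is still refused. The hashing cost is deliberately paid even for unknown usernames. The iteration count is a constructor argument only so that the schedule can be tested quickly; a deployment keeps the default.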