Skip to main content

2.4.5 Device Software

This section's intended audience is for those personnel who are responsible for device application quality e.g. Software Architects, Product Owners, and Release Managers. Guidance is available from the IoTSF [ref 44]1 regarding Secure Operating Systems (part D), Credential Management (part F), and Software Updates (part J).

Req NoRequirementCompliance Class And ApplicabilityPrimary KeywordSecondary Keyword
2.4.5.1The product has measures to prevent unauthorised and unauthenticated software, configurations and files being loaded onto it. If the product is intended to allow un-authenticated software, such software should only be run with limited permissions and/or sandbox.Mandatory for all classesSystemSoftware
2.4.5.2Where remote software updates can be supported by the device, the software images must be digitally signed by an appropriate signing authority - e.g. manufacturer/supplier or public. The Signing Authority should be clearly identified.Mandatory for all classesSystemSoftware
2.4.5.3Where updates are supported, the software update package has its digital signature, signing certificate and signing certificate chain verified by the device before the update process begins.Mandatory for all classesSystemSoftware
2.4.5.4If remote software upgrade is supported by a device, software images shall be encrypted or transferred over an encrypted channel.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.5If the product has any virtual port(s) that are not required for normal operation, they are only allowed to communicate with authorised and authenticated entities or are securely disabled when shipped. When a port is initialised or used for field diagnostics, the port input commands are deactivated and the output provides no information which could compromise the device, such as credentials, memory address or function names.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.6To prevent the stalling or disruption of the device’s software operation, watchdog timers are present, and cannot be disabled.Mandatory for Class 1 and aboveSystemHardware Software
2.4.5.7The product’s software signing root of trust is stored in tamper-resistant memory.Mandatory for Class 1 and aboveSystemHardware
2.4.5.8The product has protection against unauthorised reversion of the software to an earlier and potentially less secure version. Only authorised entities can restore the software to an earlier secure version.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.9There are measures to prevent the installation of non-production (e.g. development or debug) software onto production devices.Mandatory for Class 1 and aboveBusinessProcess
2.4.5.10Production software images shall be compiled in such a way that all unnecessary debug and symbolic information is removed, to prevent accidental release of superfluous data.Mandatory for Class 1 and aboveBusinessProcess
2.4.5.11Development software versions have any debug functionality switched off if the software is operated on the product outside of the product vendor’s trusted environment.Mandatory for Class 2 and aboveBusinessProcess
2.4.5.12Steps have been taken to protect the product's software from sensitive information leakage, including at network interfaces during initialisation, and side-channel attacks.Mandatory for Class 3 and aboveSystemHardware
2.4.5.13The product’s software source code follows the basic good practice of a Language subset coding standard.Mandatory for Class 2 and aboveBusinessPolicy
2.4.5.14The product’s software source code follows the basic good practice of static vulnerability analysis [ref 37]2 by the developer.Mandatory for Class 2 and aboveBusinessProcess
2.4.5.15The software must be architected to identify and ring fence sensitive software components, including cryptographic processes, to aid inspection, review and test. The access from other software components must be controlled and restricted to known and acceptable operations. For example security related processes should be executed at higher privilege levels in the application processor hardware.Mandatory for Class 1 and aboveBusinessProcess
2.4.5.16Software source code is developed, tested and maintained following defined repeatable processes.Mandatory for Class 1 and aboveBusinessProcess
2.4.5.17The build environment and toolchain used to compile the application is run on a build system with controlled and auditable access.Mandatory for Class 2 and aboveBusinessProcess
2.4.5.18The build environment and toolchain used to create the software is under configuration management and version control, and its integrity is validated regularly.Mandatory for Class 2 and aboveBusinessProcess
2.4.5.19Where present, production software signing keys are under access control.Mandatory for all classesBusinessPolicy
2.4.5.20The production software signing keys are stored and secured in a storage device compliant to FIPS-140-2/FIPS-140-3 level 2, or equivalent or higher standard.Mandatory for Class 1 and aboveBusinessPolicy
2.4.5.21Where the device software communicates with a product related webserver or application over TCP/IP or UDP/IP, the device software uses certificate pinning or public/private key equivalent, where appropriate.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.22For a device with no possibility of a software update, the conditions for and period of replacement support should be clear. A replacement strategy must be communicated to the user, including a schedule for when the device should be replaced or isolated.Mandatory for all classesBusinessPolicy
2.4.5.23All inputs and outputs are checked for validity e.g. use “Fuzzing” tests to check for acceptable responses or output for both expected (valid) and unexpected (invalid) input stimuli.Mandatory for Class 2 and aboveBusinessProcess
2.4.5.24The software has been designed to meet the safety requirements identified in the risk assessment; for example in the case of unexpected invalid inputs, or erroneous software operation, the product does not become dangerous, or compromise security of other connected systems.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.25Support for partially installing updates is provided for devices whose on-time is insufficient for the complete installation of a whole update (constrained devices).Advisory for all classesSystemSoftware
2.4.5.26Support for partially downloading updates is provided for devices whose network access is limited or sporadic.Advisory for all classesSystemSoftware
2.4.5.27Where real-time expectations of performance are present, update mechanisms must not interfere with meeting these expectations (e.g. by running update processes at low priority, or notifying the user of the priority and duration of the update and with the option of postponing or disabling the update).Mandatory for all classesSystemSoftware
2.4.5.28Where a device doesn’t support secure boot, upon a firmware update the user data and credentials should be re-initialised.Mandatory for all classesSystemHardware Software
2.4.5.29Where a device cannot verify authenticity of updates itself (e.g. due to no cryptographic capabilities), only a local update by a physically present user is permitted and is their responsibility.Mandatory for all classesSystemSoftware
2.4.5.30An update to a device must be authenticated before it is installed. Where the update fails authentication, the device should, if possible, revert to the last known good (current stable) configuration/software image which was stored on the device.Mandatory for all classesSystemSoftware
2.4.5.31Withdrawn as duplicate requirement
2.4.5.32There is secure provisioning of cryptographic keys for updates during manufacture in accordance with industry standards.Mandatory for Class 1 and aboveBusinessPolicy
2.4.5.33Memory locations used to store sensitive material (e.g. cryptographic keys, passwords/passphrases, etc.) are sanitised as soon as possible after they are no longer needed. These can include but are not limited to locations on the heap, the stack, and statically-allocated storage [ref 47]3.Mandatory for Class 2 and aboveSystemSoftware
2.4.5.34Any caches which potentially store sensitive material are cleared flushed after memory locations containing sensitive material have been sanitised.Mandatory for Class 3 and aboveSystemHardware Software
2.4.5.35An end-of-life policy shall be published which explicitly states the minimum length of time for which a device will receive software updates and the reasons for the length of the support period. The need for each update should be made clear to users and an update should be easy to implement. At the end of the support period, the device should reduce the risk of a latent vulnerability being exploited. This could be by indicating an error condition to the user or curtailing functionality. This action should be clearly communicated to the user during the procurement stage.Mandatory for all classesBusinessPolicy
2.4.5.36Updates should be provided for a period appropriate to the device, and this period shall be made clear to a user when supplying the device. Updates should, where possible, be configurable to be automatically or manually installed. The supply chain partners should inform the user that an update is required.Mandatory for all classesBusinessPolicy
2.4.5.37The device manufacturer should ensure that shared libraries (e.g. Clib or Crypto libraries) that deliver network and security functionalities have been reviewed or evaluated (note that the actual review or evaluation does not have to be conducted by the manufacturer if it has been conducted by another reputable organisation or government entity). Cryptography libraries should be re-reviewed for known security vulnerabilities on each update of the device.Mandatory for Class 2 and aboveBusinessPolicy
2.4.5.38Maintenance changes should trigger full security regression testing.Mandatory for Class 2 and aboveBusinessPolicy
2.4.5.39IoT devices must allow software updates to maintain security over the product lifetime.Mandatory for Class 2 and aboveBusinessPolicy
2.4.5.40Hard-coded critical/ security parameters in device software source code shall not be used; if needed these should be injected in a separate (secure) process.Mandatory for all classesBusinessPolicy
2.4.5.41Where the device is capable, it should check after initialization, and then periodically, whether security updates are available, either autonomously or as part of the support service. Otherwise, the support service should push updates to the device.Mandatory for Class 1 and aboveBusinessPolicy

Footnotes

  1. Enhanced Privacy standard for Anonymous Signatures ISO/IEC20008 [https://www.iso.org/standard/57018.html]

  2. Supply Chain of Trust by Hayden Povey of Secure Thingz and the IoTSF [http://www.newelectronics.co.uk/article-images/152099/P18-19.pdf]

  3. Examples of security vulnerability advisory programs: [https://www.us-cert.gov/report https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy ]