2.4.7 Device Interfaces
This section's intended audience is for those personnel who are responsible for device security. Guidance is available from the IoTSF Best Practice Guidelines [ref 44]1 regarding Credential Management (part F) and Network Connections (part H).
Req No | Requirement | Compliance Class And Applicability | Primary Keyword | Secondary Keyword |
---|---|---|---|---|
2.4.7.1 | The product prevents unauthorised connections to it or other devices the product is connected to. | Mandatory for Class 1 and above | System | Software |
2.4.7.2 | The network component and firewall (if applicable) configuration has been reviewed and documented for the required/defined secure behaviour. | Mandatory for Class 1 and above | Business | Process |
2.4.7.3 | To prevent bridging of security domains within products with network interfaces, forwarding functions should be blocked by default. | Mandatory for Class 1 and above | System | Software |
2.4.7.4 | Devices support only the versions of application layer protocols that have been reviewed and evaluated against publicly known vulnerabilities. | Mandatory for Class 1 and above | Business | Process |
2.4.7.5 | If a potential unauthorised change is detected (e.g.: an access fails authentication or integrity checks), the device should alert the user/administrator to the issue and should not connect to wider networks than those necessary to perform the alerting function. Failed attempts should be logged, but without providing any information about the failure to the initiator. | Mandatory for Class 1 and above | System | Software |
2.4.7.6 | All the product's unused ports (or interfaces) are closed and only the necessary ones are active. | Mandatory for Class 1 and above | Business | Process |
2.4.7.7 | If a connection requires a password or passcode or passkey for connection authentication, the factory issued or reset password is unique to each device. | Mandatory for all classes | Business | Process |
2.4.7.8 | Where using initial pairing process, a Strong Authentication shall be used, requiring physical interaction with the device or possession of a shared secret. | Mandatory for Class 1 and above | System | Software |
2.4.7.9 | Where a wireless interface has an initial pairing process, the passkeys are changed from the factory issued, or reset password prior to providing normal service. | Mandatory for all classes | Business | Policy |
2.4.7.10 | For any Wi-Fi connection, WPA-2 AES [ref 51]2 or a similar strength encryption has been used. Migration to the latest standard should be planned.(e.g. WPA3). Older insecure protocols such as WEP, WPA/WPA2 (Auto), WPA-TKIP and WPA-2 TKIP/AES (Mixed Mode) are disabled. | Mandatory for Class 1 and above | System | Software |
2.4.7.11 | Where WPA-2 WPS is used it has a unique, random key per device and enforces exponentially increasing retry attempt delays. | Mandatory for Class 1 and above | System | Software |
2.4.7.12 | All network communications keys are stored securely, in accordance with industry standards. | Mandatory for Class 1 and above | System | Software |
2.4.7.13 | Where a TCP protocol, such as MQTT, is used, it is protected by a TLS connection with no known vulnerabilities. | Mandatory for Class 1 and above | System | Software |
2.4.7.14 | Where a UDP protocol is used, such as CoAP, it is protected by a DTLS connection with no known vulnerabilities. | Mandatory for Class 1 and above | System | Software |
2.4.7.15 | Where cryptographic suites are used such as TLS, all cipher suites shall be listed and validated against the current security recommendations such as NIST 800-131A [ref 2]3 or OWASP. Where insecure ciphers suites are identified they shall be removed from the product. | Mandatory for Class 1 and above | Business | Process |
2.4.7.16 | All use of cryptography by the product, such as TLS cipher suites, shall be listed and validated against the import/export requirements for the territories where the product is to be sold and/or shipped. | Mandatory for Class 1 and above | Business | Process |
2.4.7.17 | Where there is a loss of communications or availability it shall not compromise the local integrity of the device. | Mandatory for Class 1 and above | System | Software |
2.4.7.18 | The product only initialises and enables the communications interfaces, network protocols, application protocols and network services necessary for the product’s operation. | Mandatory for Class 1 and above | System | Software |
2.4.7.19 | Communications protocols should be latest versions with no publicly known vulnerabilities and/or appropriate for the product. | Mandatory for Class 1 and above | Business | Policy |
2.4.7.20 | Post product launch, communications protocols should be reviewed throughout the product life cycle against publicly known vulnerabilities and changed to the most secure versions available if appropriate. | Mandatory for Class 1 and above | Business | Policy |
2.4.7.21 | If a factory reset is made, the device should warn that secure operation may be compromised until updated. | Mandatory for Class 1 and above | System | Software |
2.4.7.22 | Where RF communications are enabled (e.g., ZigBee, etc.) antenna power is configured to limit ability of mapping assets to limit attacks such as WAR-Driving. | Advisory for all classes | System | Software |
2.4.7.23 | Protocol anonymity features are enabled in protocols (e.g., Bluetooth) to limit location tracking capabilities. | Advisory for all classes | System | Software |
2.4.7.24 | As far as reasonably possible, devices should remain operating and locally functional in the case of a loss of network connection. | Mandatory for Class 1 and above | System | Software |
2.4.7.25 | Following restoration of power or network connection, devices should be able to return to a network in a sensible state and in an orderly fashion, rather than in a massive scale reconnect, which collectively could overwhelm a network. | Mandatory for Class 1 and above | System | Software |
Footnotes
-
Enhanced Privacy standard for Anonymous Signatures ISO/IEC20008 [https://www.iso.org/standard/57018.html] ↩
-
NCSC guidance on TLS management [https://www.ncsc.gov.uk/guidance/tls-external-facing-services] ↩
-
NIST Special Publication 800-131A Revision 1 ”Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” November 2015 ↩