To secure IoT, security needs to be considered at all stages of the supply chain – design phase, implementation phase, distribution phase, deployment phase, operational phase, upgrading phase, and decommissioning phase.
We have identified, analysed, and selected 174 requirements from a number of guidelines, best practices, standards, regulations, and other sources. These requirements were grouped under the following 18 IoT domain-agnostic security requirement categories:
- Use strong passwords
- Keep device updated
- Securely store sensitive security parameters
- Communicate securely
- Minimize exposed attack surfaces
- Ensure software integrity
- Ensure that personal data is secure
- Make systems resilient
- Examine and protect system telemetry data
- Have data protection provisions in place
- Make installation, configuration and maintenance of devices easy and secure
- Validate input data
- Use robust cryptography
- Manufacturer obligations – Procedures & Policies
- Manufacturer obligations – Documentation
- Manufacturer obligations – Maintenance
- Manufacturer obligations – Adoption of Secure Software Development Lifecycle
- Device identification and access management
To learn more, download the deliverable “D2.1 – IoT supply chain security requirements” where you can find all the requirements outlined in detail!