Resources for IoT Device Manufacturers

To provide a high level of cybersecurity for their clients, companies needs to comply with strict cybersecurity requirements including: secure development lifecycles, security quality, cryptographic tools and security functionalities, protection from malware propagation, product documentation, as well as vulnerability handling.

These companies have shared their tips on mitigating the risks of IoT devices and identified key areas that can help businesses protect users’ data, devices and connections.

Access their library of cybersecurity resources below.

IoT Manufacturers Resources

IoT ManufacturerIoT Security Resources
ABB

ABB software suppliers, must comply with strict cybersecurity requirements which enable the company to provide a high level of cybersecurity for their clients. Some of these cyber standards include: secure development lifecycles, security quality, cryptographic tools and security functionalities, protection from malware propagation, product documentation, as well as vulnerability handling. 
ABB Cybersecurity Requirement for Suppliers
How ABB enables secure IoT
Arm


As a company that secures one trillion connected devices, Arm co-founded PSA Certified as a security framework and certification scheme to establish security best practice in the IoT. The four-stage process includes threat models, hardware and firmware specifications, firmware source code and independent testing for developers, manufacturers and deployers of IoT. 
PSA Certified
Free development resources (threat models, architectural specifications, etc.)
BT

BT’s Insight Blog provides a number of straightforward tips on mitigating the risks of IoT devices and identifies key areas that can help businesses protect users’ data, devices and connections:
– Every network-connected device must be accessible by its supplier to ensure updates to their software and firmware.
– Key management should be used to generate and manage keys for device provisioning and identity. Users should consider the use of cryptographic signatures on firmware to determine its authenticity.
– Default passwords should be disabled and replaced with unique and secure user-generated ones.
– Edge gateways should be used with extra security and digital certificates to exchange data with devices and networks.
BT’s Insights Blog
Microsoft

Microsoft Azure’s Resource Centre includes information which can help users identify ways to secure their IoT deployments based on their Seven Properties of Highly Secure Devices and insights from Microsoft Research. With a focus on recommendations for identity and access management, data protection, networking, and monitoring, Microsoft’s security recommendations for IoT include guidelines on security architecture and deployment as well as general best practices.
How to secure IoT
Nokia

Nokia’s official IoT security recommendations were spelled out in its work with the IoT Cybersecurity Alliance. The Alliance’s paper on Demystifying IoT Cybersecurity stresses that in order to successfully deploy IoT technology, a multi-layered, end-to-end security approach must be taken. They suggest the following:
– Build IoT devices with hardware-based security with a strong set of security features including secure boot, secure update mechanisms, tamper-proof device identifiers.
– Segment data according to need in a highly secure manner.
– Employ authentication to only allow approved devices onto the network.
– Enable and protect devices’ identity, access, and authorization to increase visibility of IoT endpoints as well as your ability to track, monitor, and manage IoT devices.
IoT Cybersecurity Alliance paper
Panasonic

In an effort to understand how IoT devices can be hacked and what can be done to prevent it, Panasonic IoT researchers connect experimental devices to internet honeypots and allow hackers to try and take them over. This allows Panasonic to determine the vulnerability of their devices and allows its developers to reverse engineer the issues to ensure a higher level of cybersecurity. The honeypot technique enables new and old Panasonic products to be secure, by regularly updating the patch of their devices.
Panasonic’s honeypot technique 
Schneider

Schneider Electric’s Cybersecurity Support Center provides a repository of documents, guidelines and white papers that its clients can use to learn about securing their products. From industrial processes, building management and access control systems, to data center and electrical infrastructure control systems, Schneider Electric provides information on how to secure your product from cyber threats.
Schneider Electric’s Support Center
Telefonica

In April 2019, the Spanish Telecommunications company Telefonica launched its new IoT Security Unit, a project focused on the security of the Internet of Things of its customers. The Unit’s twofold objective aims at expanding the existing catalogue of IoT products and services which Telefonica can offer its clients and aims at developing new IoT security solutions to mitigate the emerging threats faced by businesses who deploy this technology. The Unit also provides an early detection service, for the identification of IoT threats.
How Telefonica ensures the cybersecurity of their customers’ IoT devices 
VMware

Vmware offers the opportunity to participate in webinars where VMware experts and partners they share their knowledge on how to simplify IoT complexity, improve the security of IoT infrastructure and accelerate ROI with the right IoT platform.
VMware IoT webinars
Capgemini

In 2015, Capgemini Consulting and Sogeti High Tech launched a study to understand the implications of cybersecurity threats for the IoT. Following the study, Capgemini published a paper, which provides information on how organizations can prepare themselves to address cybersecurity threats of their IoT devices. These recommendations include:
– Set up an integrated team of business executives and security specialists.
– Ensure that security is embedded through the IoT product design process.
– Educate consumers on the dangers of potential hacks.
Address privacy concerns with transparent privacy policies.
Capgemini report on securing IoT
Cisco

The Cisco Security Portal is a platform which allows users to consult the company’s resources on everything security related. The website provides access to a number of resources to help users protect their systems including:
– Cisco Security Advisories, which allows you to learn more about Cisco’s security vulnerability disclosure policies and publications;
– Cisco Tactical Resources, which includes guidelines and best practices on network design, running a secure network and on how to respond to a security incident;
– Cisco Security Blog, which includes blogposts and tips from leading Cisco cybersecurity experts.
Cisco security resources (Cisco policies and processes, security advisories, etc.)
Trend Micro


Trend Micro has created a large depository of articles and guidelines on how to ensure IoT devices are not exposed to risks or exploitations. The IoT Security16 mini-site, includes information on how consumers can stay safe with their connected devices, how connected cars can be secured, and on how smart factories and smart cities can improve their cybersecurity. The site also includes sector specific guidelines and tips for the retail, healthcare and utilities industry.
Trend Micro’s IoT Security guidelines and advice
F-Secure


In 2016, F-Secure’s Chief Research Officer Mikko Hypponen coined the term Hypponen’s Law, a simple yet powerful reminder about the reality of connected devices: if it’s smart, it’s vulnerable. 

It’s very important to remember that anything that can be programmed can be hacked. While hackers can easily get access to our smart air conditioning, they do so get to something else that’s far more interesting than just the ventilation system: our data. 
F-Secure blog
Eaton

Cybersecurity is a critical capability in this increasingly electrified and digitally connected world. At Eaton, our enterprise-wide proactive and consistent approach combined with our industry partnerships is leading the way to achieve unified global cybersecurity standards. Learn about our advanced technologies and strategies for implementing a holistic approach to cybersecurity through the entire product life cycle to protect infrastructures and ensure a cybersecure world for all. 
Eaton’s library of cybersecurity resources (global forum, expert-led panel discussions, etc.)

Guidelines on Securing IoT Devices for Manufacturers

As the application of this technology continues to grow, national and international regulators, as well as influential actors in the IoT space, have published several reports and guidelines spelling out what manufacturers can do to ensure that their products are secure by design.

InstitutionGuidelines
US National Institute of Standards and Technology (NIST)

The US National Institute of Standards and Technology (NIST) recently published a second draft of the Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, or NISTIR 8259 for short. The draft sets out voluntary and recommended activities related to cybersecurity that manufacturers should consider performing before their IoT devices are sold to customers. These activities are intended to help manufacturers lessen the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromise and the attacks performed using compromised IoT devices.
Foundational Cybersecurity Activities for IoT Device Manufacturers

Internet of Things Security Foundation (IoTSF)

The Internet of Things Security Foundation (IoTSF), a collaborative, non-profit, international initiative created in response to the complex reality of cybersecurity in the hyper-connected IoT industry, has produced multiple publications of best practices that manufacturers should consider implementing such as vulnerability disclosures, secure design best practice guides and other resources manufacturers may find useful.
 Full reports and recommendations 
European Telecommunications Standards Institute (ETSI)

The European Telecommunications Standards Institute (ETSI) published the ETSI Technical Specification on Cyber Security for Consumer Internet of Things, a document which sets out thirteen outcomes-focused security guidelines that manufacturers of IoT consumer devices are encouraged to implement. These include avoiding the use of default passwords, implementing a vulnerability disclosure policy, keeping software updated, and storing sensitive data securely in the manufacture of consumer goods. The document maps the guidelines against established standards from national and international cybersecurity regulatory bodies, helping developers build on best practices from across the industry.
ETSI consumer IoT standards 
UK Government

In May 2019, the Government of the United Kingdom launched a consultation on regulatory proposals for consumer IoT security, which concluded in June 2019. The consultation found that there was a need to restore transparency within the market, with a focus on the need for manufacturers to be more transparent about what security requirements were built in to IoT devices.

In February 2020, the UK Government presented its response to the consultation through a legislation which comprises three main security requirements for IoT manufacturers: IoT device passwords must be unique and not resettable to any universal factory setting, manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy, and finally, manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates. Achieving compliance with these three standards ensures consumers are being given important protection against the most basic vulnerabilities of IoT devices.
UK Government response to “Regulatory proposals for consumer Internet of Things (IoT) security” consultation
Consumers International

Consumers International has published a set of principles and guidelines to help manufacturers create safe and trusted consumer IoT devices. The Trust by Design principles and accompanying guidelines set out requirements across six areas, to ensure the security, privacy, transparency, user-friendliness and ethical nature of smart devices. The guidelines include a checklist, which manufacturers can use to ensure that their consumer goods are Trust by Design approved, and useful case studies which can help manufacturers with their implementation.
 Trust by Design principles and accompanying guidelines
Singapore’s Infocomm Media Development Unit (IMDA)

Singapore’s Infocomm Media Development Unit (IMDA), a statutory board of the City State’s Government, published a practical guide for IoT developers, providers and users, which focuses on the security aspects of developing and operating IoT systems. The guide gives baseline recommendations on both the implementation and operational phase for IoT projects, which include employing strong cryptography, protecting impactful systems data, conducting threat modelling, enforcing proper access controls, preparing for and protecting against attacks and conducting periodic assessments. The guide also includes a practical checklist, which can guide users to the process of threat modelling.
Singapore’s Infocomm Media Development IoT Guidelines
Japan’s Ministry of Economy, Trade and Industry (METI)

In July 2016, the IoT Acceleration Consortium set up by Japan’s Ministry of Economy, Trade and Industry (METI), released a set of IoT Security Guidelines based on the “Security by Design Principle.” The Guidelines were envisaged to help IoT manufacturers take proactive actions to secure IoT and to create an environment where users can utilize IoT devices, systems, and services securely.

The Guidelines are based on five principles: (i) establish a basic policy with consideration of the nature of the IoT; (ii) recognize risks on IoT; (iii) consider a design to protect what should be protected; (iv) consider security measures on network side; and (v) maintain a safe and secure state and dispatch and share information. Each principle includes a list of 4-5 security measures that manufacturers and users should follow to ensure IoT cybersecurity. The Guidelines were designed with a broad list of target readers including device manufacturers, system providers, service providers, corporate users as well as general users.
METI’s IoT Security Guidelines
The Australian Department of Home Affairs, the Australian Signals Directorate and the Australian Cyber Security Centre

The Australian Department of Home Affairs, together with the Australian Signals Directorate and the Australian Cyber Security Centre have released a voluntary Code of Practice for manufacturers of IoT devices. The Draft Guidelines, released in November 2019, are meant to provide industry standards for Australian manufacturers and comprise of 13 principles that are set to improve the security of IoT devices. The first three principles are the highest priority and include: setting unique, unpredictable, complex and unfeasible to guess passwords; providing a public point of contact as part of a vulnerability disclosure policy in order to report issues; and keeping software timely updated. The Draft Code of Practice has just undergone a consultation period which ended on 1 March 2020.
Code of Practice for manufacturers of IoT devices
European Union Agency for Cybersecurity (ENISA) 

The European Union Agency for Cybersecurity (ENISA) released the Good Practices for Security of IoT report, aimed at promoting the security by design of IoT products. The report has a particular focus on guidelines for software development, a key aspect for achieving security by design of IoT devices and outlines good practices in the Software Development Life Cycle of IoT systems. This entails ensuring the security of the entire IoT ecosystem (devices, communications, networks, cloud, etc.) in order to bolster the security of the development process, resulting in devices that are fundamentally more secure.
Good Practices for Security of IoT report
PSA Certified

PSA Certified is a global partnership which provides independent evaluation that demonstrates an OEM’s commitment to security. It also provides alignment to worldwide regulations by providing an easy-to consume, comprehensive methodology for the lab-validated assurance of a product’s security design. Our aim is that the root of trust is the foundation of all connected devices. 
10 key security goalsPSA Certified methodologyPSA Certified components and certification resources

As a global community representing a diversity of interests and expertise, we collectively endorse these five capabilities as the global baseline for consumer IoT security.

  • No universal default passwords
  • Implementing a vulnerability disclosure policy
  • Keeping software updated
  • Securely communicating
  • Ensuring that personal data is secure