ENISA R Standards
Source: Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures, November 2017
# | ENISA R Id | Req Description | Standards In Support Of Requirement / Remarks | Include | View | |
---|---|---|---|---|---|---|
1 | GP-TM-57 | Conduct periodic audits and reviews of security controls to ensure that the controls are effective. Perform penetration tests at least biannually | ISO 27002 12 | no | View | |
2 | GP-TM-56 | Implement regular monitoring to verify the device behaviour, to detect malware and to discover integrity errors | No specific standards apply. Best practice requirement | yes | View | |
3 | GP-TM-55 | Implement a logging system that records events relating to user authentication, management of accounts and access rights, modifications to security rules, and the functioning of the system. Logs must be preserved on durable storage and retrievable via authenticated connections | ISO/IEC 15408-2 (to be further investigated) | no | View | |
4 | GP-TM-54 | Data input validation (ensuring that data is safe prior to use) and output filtering | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
5 | GP-TM-53 | Avoid security issues when designing error messages | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
6 | GP-TM-52 | Ensure web interfaces fully encrypt the user session, from the device to the backend services, and that they are not susceptible to XSS, CSRF, SQL injection, etc | No specific standards apply. Best practice requirement | yes | View | |
7 | GP-TM-51 | Implement a DDoS-resistant and Load-Balancing infrastructure | No specific standards apply. Best practice requirement | no | View | |
8 | GP-TM-50 | Ensure only necessary ports are exposed and available | No specific standards apply. Best practice requirement | yes | View | |
9 | GP-TM-49 | Avoid provisioning the same secret key in an entire product family, since compromising a single device would be enough to expose the rest of the product family | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
10 | GP-TM-48 | Protocols should be designed to ensure that, if a single device is compromised, it does not affect the whole set | No specific standards apply. Best practice requirement | yes | View | |
11 | GP-TM-47 | Risk Segmentation. Splitting network elements into separate components to help isolate security breaches and minimise the overall risk | ISO/IEC 27033 Network security (6 parts) | yes | View | |
12 | GP-TM-46 | Rate limiting. Controlling the traffic sent or received by a network to reduce the risk of automated attacks | No specific standards apply. Best practice requirement | yes | View | |
13 | GP-TM-45 | Disable specific ports and/or network connections for selective connectivity | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
14 | GP-TM-44 | Make intentional connections. Prevent unauthorised connections to it or other devices the product is connected to, at all levels of the protocols | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
15 | GP-TM-43 | IoT devices should be restrictive rather than permissive in communicating | Best practice requirement | yes | View | |
16 | GP-TM-42 | Do not trust data received and always verify any interconnections. Discover, identify and verify/authenticate the devices connected to the network before trust can be established, and preserve their integrity for reliable solutions and services | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
17 | GP-TM-41 | Guarantee data authenticity to enable reliable exchanges from data emission to data reception. Data should always be signed whenever and wherever it is captured and stored | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
18 | GP-TM-40 | Ensure credentials are not exposed in internal or external network traffic | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
19 | GP-TM-39 | Ensure that communication security is provided using state-of-the-art, standardised security protocols, such as TLS for encryption | No specific standards apply. Best practice requirement | yes | View | |
20 | GP-TM-38 | Guarantee the different security aspects (confidentiality (privacy), integrity, availability and authenticity) of the information in transit on the networks or stored in the IoT application or in the Cloud | ISO 27002 5, ISO 27034 (application security), ISO 27033 (network security), ISO 27040 (storage security), ISO 27017 (27002 for cloud services) | yes | View | |
21 | GP-TM-37 | Support scalable key management schemes | No specific standards apply. Best practice requirement | no | View | |
22 | GP-TM-36 | Build devices to be compatible with lightweight encryption and security techniques | ISO 27002 clause 10, ISO 11770 (key management), series of standards ISO/IEC 29192 (Lightweight cryptography – 7 parts, covering algorithms and protocols). Not specifically addressed in standards. The reason is that standards by design are built on proven solutions and conforming to standards addresses this. | yes | View | |
23 | GP-TM-35 | Cryptographic keys must be securely managed | ISO 27002 clause 10, ISO 11770 (key management), series of standards ISO/IEC 29192 (Lightweight cryptography – 7 parts, covering algorithms and protocols). Not specifically addressed in standards. The reason is that standards by design are built on proven solutions and conforming to standards addresses this. | yes | View | |
24 | GP-TM-34 | Ensure a proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of data and information (including control messages), in transit and at rest. Ensure the proper selection of standard and strong encryption algorithms and strong keys, and disable insecure protocols. Verify the robustness of the implementation | ISO 27002 10 | | View | |
25 | GP-TM-33 | Ensure that devices only feature the essential physical external ports (such as USB) necessary for them to function and that the test/debug modes are secure, so they cannot be used to maliciously access the devices. In general, lock down physical ports to only trusted connections | ISO/IEC 15408-2 (to be further investigated) | yes | View | |
26 | GP-TM-32 | Ensure that the device cannot be easily disassembled and that the data storage medium is encrypted at rest and cannot be easily removed | ISO/IEC 19790 Security requirements for cryptographic modules, ITU-T Y.4415 Reference architecture for IoT device capability exposure | yes | View | |
27 | GP-TM-31 | Measures for tamper protection and detection. Detection and reaction to hardware tampering should not rely on network connectivity | ISO/IEC 19790 Security requirements for cryptographic modules | yes | View | |
28 | GP-TM-30 | Ensure a context-based security and privacy that reflects different levels of importance | ISO 27002 8.2 | no | View | |
29 | GP-TM-29 | Data integrity and confidentiality must be enforced by access controls. When the subject requesting access has been authorised to access particular processes, it is necessary to enforce the defined security policy | ISO 27002 9 | yes | View | |
30 | GP-TM-28 | Device firmware should be designed to isolate privileged code, processes and data from portions of the firmware that do not need access to them. Device hardware should provide isolation concepts to prevent unprivileged access to security sensitive code | No standards apply. Best practice requirement | yes | View | |
31 | GP-TM-27 | Limit the actions allowed for a given system by implementing fine-grained authorisation mechanisms and using the Principle of Least Privilege (POLP): applications must operate at the lowest privilege level possible | No standards apply. Best practice requirement | yes | View | |
32 | GP-TM-26 | Ensure password recovery or reset mechanism is robust and does not supply an attacker with information indicating a valid account. The same applies to key update and recovery mechanisms | ISO/IEC 19790 Security requirements for cryptographic modules | yes | View | |
33 | GP-TM-25 | Protect against ‘brute force’ and/or other abusive login attempts. This protection should also consider keys stored in devices | ISO/IEC 19790 Security requirements for cryptographic modules | yes | View | |
34 | GP-TM-24 | Authentication credentials shall be salted, hashed and/or encrypted | ISO/IEC 19790 Security requirements for cryptographic modules | yes | View | |
35 | GP-TM-23 | Authentication mechanisms must use strong passwords or personal identification numbers (PINs), and should consider using two-factor authentication (2FA) or multifactor authentication (MFA) like Smartphones, Biometrics, etc., on top of certificates | ISO/IEC 19790 Security requirements for cryptographic modules | yes | View | |
36 | GP-TM-22 | Ensure that default passwords and even default usernames are changed during the initial setup, and that weak, null or blank passwords are not allowed | ISO 27002 9.2.4, ISO 27002 9.4.2, ISO 27002 9.4.3. Addressed in TS 103 645 and in ETSI TR 103 533. | yes | View | |
37 | GP-TM-21 | Design the authentication and authorisation schemes (unique per device) based on the system-level threat models | ISO/IEC 29192 CD Lightweight cryptography, Part 7: Broadcast. Requires a system wide threat analysis. Approaches to such threat analysis include ETSI TS 102 165-1, ISO 27000 series, ISO 15408 series and others for specific sectors. Frameworks for authentication protocol and authorisation schemes are defined in ETSI TS 102 165-2 and in ISO/IEC 29115. | yes | View | |
38 | GP-TM-20 | Backward compatibility of firmware updates. Automatic firmware updates should not modify user-configured preferences, security, and/or privacy settings without user notification | Addressed in best practice guidance from ETSI and others | yes | View | |
39 | GP-TM-19 | Offer an automatic firmware update mechanism | Addressed in best practice guidance from ETSI and others | yes | View | |
40 | GP-TM-18 | Ensure that the device software/firmware, its configuration and its applications have the ability to update Over-The-Air (OTA), that the update server is secure, that the update file is transmitted via a secure connection, that it does not contain sensitive data (e.g. hardcoded credentials), that it is signed by an authorised trust entity and encrypted using accepted encryption methods, and that the update package has its digital signature, signing certificate and signing certificate chain, verified by the device before the update process begins | Addressed in TS 103 645 and in ETSI TR 103 533. | yes | View | |
41 | GP-TM-17 | Ensure standalone operation - essential features should continue to work with a loss of communications and chronicle negative impacts from compromised devices or cloud-based systems | ISO 27031 (guidelines for information and communication technology readiness for business continuity). By default an IoT device cannot operate in stand-alone mode; it is designed to be tethered to the Internet. This introduces a new mode to the IoT device. | yes | View | |
42 | GP-TM-16 | Mechanisms for self-diagnosis and self-repair/healing to recover from failure, malfunction or a compromised state | ISO 27031 (guidelines for information and communication technology readiness for business continuity) | yes | View | |
43 | GP-TM-15 | Design with system and operational disruption in mind, preventing the system from causing an unacceptable risk of injury or physical damage | ISO 27002 17.1.1 | yes | View | |
44 | GP-TM-14 | Users of IoT products and services must be able to exercise their rights to information, access, erasure, rectification, data portability, restriction of processing, objection to processing, and their right not to be evaluated on the basis of automated processing | GDPR, ISO 29100, ISO 30141 11.4 (ea: other PII standards to be identified). No specific standards apply. There are obligations from GDPR that address this and some ETSI best practices are being developed. | no | View | |
45 | GP-TM-13 | IoT stakeholders must be compliant with the EU General Data Protection Regulation (GDPR) | No standardisation applies. | no | View | |
46 | GP-TM-12 | Minimise the data collected and retained | This is a pre-requisite in GDPR ISO 29100. | no | View | |
47 | GP-TM-11 | Make sure that personal data is used for the specified purposes for which they were collected, and that any further processing of personal data is compatible and that the data subjects are well informed | This is a pre-requisite in GDPR ISO 29100. | no | View | |
48 | GP-TM-10 | Personal data must be collected and processed fairly and lawfully, it should never be collected and processed without the data subject’s consent | ISO 27002 18.1.4 ISO 29100 ISO/IEC 29184 Online privacy notice and consent ISO 30141 clause 11.4 (Privacy and PII Protection). This is a prerequisite in GDPR (Article 6 applies). Regarding consent not all parts of Article 6 apply (consent is not the only path to allow for lawful processing). | no | View | |
49 | GP-TM-09 | Establish hard to crack, device-individual default passwords | ISO 27002 clause 9.2.4. This is not a recommended approach as the use of default passwords should be avoided. Addressed in TS 103 645 and in ETSI TR 103 533 | no | View | |
50 | GP-TM-08 | Any applicable security features should be enabled by default, and any unused or insecure functionalities should be disabled by default | ISO/IEC 15408-1 and -2. Addressed in TS 103 645 and in ETSI TR 103 533. It is noted that if the secure by default approach is selected there will be no requirement to disable insecure functionalities as they will not exist. | yes | View | |
51 | GP-TM-07 | Use protocols and mechanisms able to represent and manage trust and trust relationships | In general for cryptographic trust the mechanisms inherent in X.509 apply, with additional protocol mechanisms to transfer X.509 certificates such as those in TLS apply. | yes | View | |
52 | GP-TM-06 | Enable a system to return to a state that was known to be secure, after a security breach has occurred or if an upgrade has not been successful | ISO 27002 clause 12.3 | yes | View | |
53 | GP-TM-05 | Control the installation of software in operating systems, to prevent unauthenticated software and files from being loaded onto it | ISO 27002 clause 12.6.2. This is covered by techniques including load time attestation, boot time attestation and run time attestation. Many of these techniques are built on TPMs (published as ISO/IEC 11889). In addition the ETSI GR NFV-SEC-007 gives broad guidance to this topic. | yes | View | |
54 | GP-TM-04 | Sign code cryptographically to ensure it has not been tampered with after signing it as safe for the device, and implement run-time protection and secure execution monitoring to make sure malicious attacks do not overwrite code after it is loaded | Series of standards ISO/IEC 29192-5 and -6 (Lightweight cryptography – Part 5: Hash-functions, Part 6: Message authentication codes (MACs)), ITU X.1362 Simple encryption procedure for IoT environments | yes | View | |
55 | GP-TM-03 | Trust must be established in the boot environment before any trust in any other software or executable program can be claimed | Secure boot, Defined by TCG (published as ISO/IEC 11889) | yes | View | |
56 | GP-TM-02 | Use hardware that incorporates security features to strengthen the protection and integrity of the device – for example, specialised security chips / coprocessors that integrate security at the transistor level, embedded in the processor, providing, among other things, a trusted storage of device identity and authentication means, protection of keys at rest and in use, and preventing unprivileged access to security sensitive code. Protection against local and physical attacks can be covered via functional security | TPM from TCG (published as ISO/IEC 11889) | yes | View | |
57 | GP-TM-01 | Employ a hardware-based immutable root of trust | TPM from TCG (published as ISO/IEC 11889) SIM from ETSI SCP | yes | View | |
58 | GP-PS-12 | Identify the intended use and environment of a given IoT device | Required in development of a risk analysis in defining the scope of security evaluation (the ToE in ISO/IEC 15408-1 and -2). Addressed in some IoT best practices including the (soon to be published) ETSI TS 103 645. | no | View | |
59 | GP-PS-11 | Identify significant risks using a defence-in-depth approach | Military standards such as below may apply. In general there are no standards that define the defence in depth approach although it is an accepted best practice of most security professionals | no | View | |
60 | GP-PS-10 | Establish and maintain asset management procedures and configuration controls for key network and information systems | ETSI TS 103 305 (from controls from CIS). ISO/IEC 27002 clause 8.1 may apply in selection of controls with other parts of the ISO 27002 ISO 55000 Asset management | yes | View | |
61 | GP-PS-09 | Perform privacy impact assessments before any new applications are launched | ISO/IEC 27005, ISO/IEC 29134. ISO 27005 defines a method of conducting a PIA. It is noted that GDPR requires that a DPIA/PIA is performed | no | View | |
62 | GP-PS-08 | Make privacy an integral part of the system | ISO 29550 | no | View | |
63 | GP-PS-07 | For IoT software developers it is important to conduct code review during implementation as it helps to reduce bugs in a final version of a product. | ISO/IEC 15408-3 (ATE Class description). Whilst this is not directly mappable to standards there are quality practices that may impose code review. In addition many coding practice guidelines will explicitly address means to perform code reviews, and many frameworks will explicitly identify when a code review should be performed. Apple secure development guidelines, from https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Introduction.html; Microsoft Security Development Lifecycle (SDL) from https://www.microsoft.com/enus/sdl; Open Software Assurance Maturity Model (SAMM) from http://www.opensamm.org; Building Security in Maturity Model (BSIMM), incorporating the SSDL method, from https://www.bsimm.com | yes | View | |
64 | GP-PS-06 | For IoT hardware manufacturers and IoT software developers it is necessary to implement test plans to verify whether the product performs as it is expected. Penetration tests help to identify malformed input handling, authentication bypass attempts and overall security posture. | ISO/IEC 15408-3 (ATE and AVA Classes description) May be addressed in part by independent assurance testing against documented security claims. The role of penetration testing is often prohibited, or restricted, by legislation (e.g. the Computer Misuse Act). | yes | View | |
65 | GP-PS-05 | Design architecture by compartments to encapsulate elements in case of attacks. | ISO 30141 clause 11.3.2 | yes | View | |
66 | GP-PS-04 | Designing for power conservation should not compromise security. | n/a | no | View | |
67 | GP-PS-03 | Security must consider the risk posed to human safety. | ISO 30141 clause 11.2 | no | View | |
68 | GP-PS-02 | Ensure the ability to integrate different security policies and techniques. | ISO 30141 clause 11.3.2 | yes | View | |
69 | GP-PS-01 | Consider the security of the whole IoT system from a consistent and holistic approach during its whole lifecycle across all levels of device/application design and development, integrating security throughout the development, manufacture, and deployment. | ISO 30141 clause 11.3.3, ITU Y.4806 Security capabilities supporting safety of the Internet of things | yes | View | |
70 | GP-OP-14 | For IoT hardware manufacturers and IoT software developers it is necessary to adopt cyber supply chain risk management policies and to communicate cyber security requirements to its suppliers and partners | ISO 27002 clause 15 | yes | View | |
71 | GP-OP-13 | Only share consumers’ personal data with third parties with express consent of the consumers, unless otherwise required and limited for the use of product features or service operations | ISO 27002 clause 18.1.4 This is a key constraint of the GDPR and is specifically addressed in Article 6 for the lawful processing of data. | no | View | |
72 | GP-OP-12 | Data processed by a third-party must be protected by a data processing agreement | ISO 27002 clause 13.2.4, clause 15 | no | View | |
73 | GP-OP-11 | Ensure that cybersecurity roles and responsibilities for all workforce are established and introduce personnel assignments in accordance with the specifics of the projects and security engineering needs | ISO 27002 clause 7.2.1 | no | View | |
74 | GP-OP-10 | Document and monitor the privacy and security training activities | ISO 27002 clause 7.2.2 | no | View | |
75 | GP-OP-09 | Ensure the personnel practices promote privacy and security – train employees in good privacy and security practices | ISO 27002 clause 7.2 | no | View | |
76 | GP-OP-08 | Create a publicly disclosed mechanism for vulnerability reports, e.g. Bug Bounty | ISO/IEC 30111 (Vulnerability handling processes) and 29147 (Vulnerability disclosure). Addressed in TS 103 645 and in ETSI TR 103 533. Some vendors provide financial incentives and this has to be considered (it may be argued that if a financial incentive is offered then bug hunters may be more incentivised than if no such incentive applies). | no | View | |
77 | GP-OP-07 | Participate in information-sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public and private partners | ISO 27002 6.1.3 ISO 27002 6.1.4 Addressed in TS 103 645 and in ETSI TR 103 533. In addition the use of Common Vulnerability Disclosure (ISO/IEC 29147) applies. It is also noted in a number of regulatory instruments (GDPR, NIS, …) that common use of the CERT framework is expected. | yes | View | |
78 | GP-OP-06 | Coordinated disclosure of vulnerabilities | ISO/IEC 30111 (Vulnerability handling processes) and ISO/IEC 29147 (Vulnerability disclosure). Addressed in TS 103 645 and in ETSI TR 103 533. In addition the use of Common Vulnerability Disclosure (ISO/IEC 29147) applies. | no | View | |
79 | GP-OP-05 | Establish procedures for analysing and handling security incidents | ISO 27002 16. Addressed in TS 103 645 and in ETSI TR 103 533. | no | View | |
80 | GP-OP-04 | Use proven solutions, i.e. well known communications protocols and cryptographic algorithms, recognized by the scientific community, etc. Certain proprietary solutions, such as custom cryptographic algorithms, should be avoided | ISO 27002 clause 10, ISO 11770 (key management), series of standards ISO/IEC 29192 (Lightweight cryptography – 7 parts, covering algorithms and protocols). Not specifically addressed in standards. The reason is that standards by design are built on proven solutions and conforming to standards addresses this. | yes | View | |
81 | GP-OP-03 | Monitor the performance and patch known vulnerabilities up until the “end-of-support” period of a product’s lifecycle | ISO 30141 clause 11.3.3 (IoT system & product Security Life Cycle Reference Model). Addressed in TS 103 645 and in ETSI TR 103 533. | yes | View | |
82 | GP-OP-02 | Disclose the duration and end-of-life security and patch support (beyond product warranty) | ISO 30141 clause 11.3.3 (IoT system & product Security Life Cycle Reference Model). Addressed in TS 103 645 and in ETSI TR 103 533. | no | View | |
83 | GP-OP-01 | Develop an end-of-life strategy for IoT products | ISO 30141 clause 11.3.3 (IoT system & product Security Life Cycle Reference Model). Addressed in TS 103 645 and in ETSI TR 103 533. | no | View | |