Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 3: Internet of Things Sector

RTR/CYBER-00107

General Information
Status: Not Published
Current Stage: 8 - Draft receipt by ETSI Secretariat
Due Date: 30-Jun-2023
Completion Date: 21-Jun-2023

ETSI TR 103 305-3 V3.1.1 (2023-07) - Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 3: Internet of Things Sector
English language
53 pages

Standards Content (Sample)

ETSI TR 103 305-3 V3.1.1 (2023-07)
TECHNICAL REPORT
Cyber Security (CYBER);
Critical Security Controls for Effective Cyber Defence;
Part 3: Internet of Things Sector
Reference
RTR/CYBER-00107
Keywords
cyber security, cyber-defence, information
assurance
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871
Important notice
The present document can be downloaded from:
https://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

If you find a security vulnerability in the present document, please report it through our Coordinated Vulnerability Disclosure Program: https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability

The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of experience to understand and interpret its content in accordance with generally accepted engineering or other professional standard and applicable regulations.

No recommendation as to products and services or vendors is made or should be implied.

No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness for any particular purpose or against infringement of intellectual property rights.

In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use of or inability to use the software.
Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2023. All rights reserved.
Contents

Intellectual Property Rights ........ 4
Foreword ........ 4
Modal verbs terminology ........ 4
Executive summary ........ 4
Introduction ........ 5
1 Scope ........ 6
2 References ........ 6
2.1 Normative references ........ 6
2.2 Informative references ........ 6
3 Definition of terms, symbols and abbreviations ........ 8
3.1 Terms ........ 8
3.2 Symbols ........ 8
3.3 Abbreviations ........ 8
4 Applying the Critical Security Controls for effective risk control and enhanced resilience of the Internet of Things sector ........ 9
4.1 Introduction, Methodology and Use ........ 9
4.2 Applicability Overview ........ 11
4.3 Applying the Critical Security Controls and Safeguards ........ 12
4.3.1 CONTROL 01 Inventory and Control of Enterprise Assets ........ 12
4.3.2 CONTROL 02 Inventory and Control of Software Assets ........ 14
4.3.3 CONTROL 03 Data Protection ........ 16
4.3.4 CONTROL 04 Secure Configuration of Enterprise Assets and Software ........ 19
4.3.5 CONTROL 05 Account Management ........ 22
4.3.6 CONTROL 06 Access Management Control ........ 24
4.3.7 CONTROL 07 Continuous Vulnerability Management ........ 26
4.3.8 CONTROL 08 Audit Log Management ........ 28
4.3.9 CONTROL 09 Email and Web Browser Protections ........ 30
4.3.10 CONTROL 10 Malware Defences ........ 32
4.3.11 CONTROL 11 Data Recovery ........ 35
4.3.12 CONTROL 12 Network Infrastructure Management ........ 37
4.3.13 CONTROL 13 Network Monitoring and Defence ........ 39
4.3.14 CONTROL 14 Security Awareness and Skills Training ........ 41
4.3.15 CONTROL 15 Service Provider Management ........ 43
4.3.16 CONTROL 16 Application Software Security ........ 45
4.3.17 CONTROL 17 Incident Response Management ........ 48
4.3.18 CONTROL 18 Penetration Testing ........ 50
Annex A: Bibliography ........ 52
History ........ 53

Intellectual Property Rights

Essential patents

IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Trademarks

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPP™ and LTE™ are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association. BLUETOOTH is a trademark registered and owned by Bluetooth SIG, Inc.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).

The present document is part 3 of a multi-part deliverable covering the Critical Security Controls for Effective Cyber Defence. Full details of the entire series can be found in part 1 [i.9].

Modal verbs terminology

In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

Executive summary

Internet of Things (IoT) networks, devices and applications have become pervasive worldwide as a critical infrastructure sector. The protection of this infrastructure from cyber security threats by instituting effective risk control and enhanced resilience has received the global attention of governmental authorities and industry organizations [i.1] through [i.16]. The present document addresses this protection challenge by providing guidance on individually applying the most current version of the Critical Security Controls for effective cyber defence to IoT by enterprises. For compliance purposes, the Critical Security Controls have mappings to almost every known government and industry cyber security framework, with extensive implementations for diverse operating systems and applications. The present document is directed at enterprise IoT and is not intended as an alternative to the ETSI normative consumer IoT specifications ETSI EN 303 645 [i.13] and ETSI TS 103 701 [i.14], but may supplement their use.

Introduction

The Critical Security Controls are a prioritized set of actions that collectively form a defence-in-depth set of best practices that mitigate the most common attacks against systems and networks. Under the auspices of the Center for Internet Security (CIS), the Controls are developed by a community of Information Technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defence, and others. While the Controls address the general practices that most enterprises should take to secure their systems, some operational environments may present unique requirements not addressed by the Controls.

A significant evolution of cyber defence is now underway. To help better understand cyber threats, an array of threat information feeds, reports, tools, alert services, standards, and threat-sharing frameworks have emerged. This information is immersed in an ecosystem of security requirements, risk management frameworks, compliance regimes, and regulatory mandates. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure. However, all of this technology, information, and oversight has become a veritable "Fog of More": competing options, priorities, opinions, and claims that can paralyse or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings great benefits, but it also means that data and applications are distributed across multiple locations, many of which are not within the enterprise infrastructure.

The Controls started as a grassroots activity to cut through the "Fog of More" and focus on the most fundamental and valuable actions that every enterprise should take. Clause 4 of the present document breaks down and maps the applicable Controls and their implementation for the enterprise IoT environment. As the Controls continue to be refined and re-worked through the expert community, the call for Controls guidance for the IoT sector became a high priority.

1 Scope

The present document is an evolving repository for guidelines on service sector Critical Security Control implementations. Because of its rapidly scaling importance and need for defensive measures, the enterprise Internet of Things (IoT) sector is treated here. The CSC are a specific set of technical measures available to detect, prevent, respond to, and mitigate damage from the most common to the most advanced cyber attacks.

The present document is technically equivalent to and compatible with the "CIS Controls v8 IoT Companion Guide" [i.16].

2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance).
[i.2] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (Text with EEA relevance).
[i.3] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance).
[i.4] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (Text with EEA relevance).
[i.5] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (Text with EEA relevance).
[i.6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
[i.7] 2022/0272 (COD): Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.
[i.8] Commission Staff Working Document: Advancing the Internet of Things in Europe, accompanying the document Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions: Digitising European Industry, Reaping the full benefits of a Digital Single Market.
[i.9] ETSI TR 103 305-1: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls".
[i.10] ETSI TR 103 305-4: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms".
[i.11] ETSI TR 103 305-5: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 5: Privacy and personal data protection enhancement".
[i.12] ETSI TR 103 866: "Cyber Security (CYBER); Implementation of the Revised Network and Information Security (NIS2) Directive applying Critical Security Controls".
[i.13] ETSI EN 303 645: "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements".
[i.14] ETSI TS 103 701: "CYBER; Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements".
[i.15] ETSI TR 103 621: "Guide to Cyber Security for Consumer Internet of Things".
[i.16] Center for Internet Security (CIS): "CIS Controls v8 Internet of Things Companion Guide".
[i.17] The Internet Society: "The Internet of Things: An Overview. Understanding the Issues and Challenges of a More Connected World".
[i.18] IEEE: "Towards a Definition of the Internet of Things (IoT)".
[i.19] Gartner's IT Glossary: Internet of Things (IoT).
[i.20] NIST SP 800-160 Vol. 1 Rev. 1: "Engineering Trustworthy Secure Systems".
[i.21] IETF RFC 8613: "Object Security for Constrained RESTful Environments (OSCORE)".
[i.22] NIST SP 800-63-3: "Digital Identity Guidelines".
[i.23] IETF RFC 8520: "Manufacturer Usage Description Specification".
[i.24] NIST SP 1800-15: "Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)".
[i.25] W3C Recommendation 8 April 2021: "Web Authentication: An API for accessing Public Key Credentials Level 2".
[i.26] IETF RFC 7744: "Use Cases for Authentication and Authorization in Constrained Environments".
[i.27] IEEE: "DDoS in the IoT: Mirai and Other Botnets".
[i.28] ETSI TR 103 959: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Cloud Sector".
[i.29] IEEE 802.1X™: "IEEE Standard for Local and Metropolitan Area Networks--Port-Based Network Access Control".
[i.30] OWASP IoT Project: Guidance for assessing and developing IoT devices.
[i.31] FIRST: "Common Vulnerability Scoring System (CVSS) SIG".
[i.32] Aditya Gupta: "IoT Penetration Testing Guide".
3 Definition of terms, symbols and abbreviations
3.1 Terms

For the purposes of the present document, the terms given in ETSI EN 303 645 [i.13], ETSI TS 103 701 [i.14] and ETSI

TR 103 621 [i.15] apply.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
6LoWPAN IPv6 over Low-Power Wireless Personal Area Network
AAA Authentication, Authorization, and Auditing
ACK Acknowledge
AD Active Directory
API Application Programming Interface
ARP Address Resolution Protocol
CBOR Concise Binary Object Representation
CIS Center for Internet Security
COOP Continuity Of Operations Planning
COSE CBOR Object Signing and Encryption
CSC Critical Security Control
cTLS compact Transport Layer Security
CVSS Common Vulnerability Scoring System
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DLP Data Loss Prevention
DMARC Domain-based Message Authentication, Reporting and Conformance
DNS Domain Name System
DSS Data Security Standard
dTLS datagram Transport Layer Security
EDHOC Ephemeral Diffie-Hellman Over COSE
EMM Enterprise Mobility Management
GDPR General Data Protection Regulation
GPS Global Positioning System
HIPAA Health Insurance Portability and Accountability Act
ICS Industrial Control System
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IG Implementation Groups
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
IPSec IP Security
ISAC Information Sharing & Analysis Center
IT Information Technology
JTAG Joint Test Action Group
LDAP Lightweight Directory Access Protocol
MAC Media Access Control (address)
MDM Mobile Device Management
MFA Multi-Factor Authentication
MUD Manufacturer Usage Description
N/A Not Applicable
NIST National Institute of Standards and Technology
OEM Original Equipment Manufacturer
OS Operating System
OSCORE Object Security for Constrained RESTful Environments
OWASP Open Web Application Security Project
PCI Payment Card Industry
pen penetration
PIN Personal Identification Number
PKI Public Key Infrastructure
RESTful Representational State Transfer
RF Radio Frequency
RFID Radio Frequency Identification
RSU Roadside Unit
RTOS Real-Time Operating System
SD Secure Digital
SIEM Security Information and Event Management
SoHo Small office Home office
SSID Service Set Identifier
SYN Synchronization
TCP Transmission Control Protocol
TTPs Tactics, Techniques, and Procedures
UEM Unified Endpoint Management
URL Uniform Resource Locator
USB Universal Serial Bus
VPN Virtual Private Network
WAN Wide Area Network
Wi-Fi Wireless Fidelity
4 Applying the Critical Security Controls for effective risk control and enhanced resilience of the Internet of Things sector
4.1 Introduction, Methodology and Use

The purpose of the Controls Internet of Things Community is to develop best practices and guidance for implementing the Controls in association with a variety of devices within the Internet of Things (IoT). Enterprise use of IoT presents unique and complex challenges for security professionals. IoT devices are being embedded into the enterprise across the globe and often cannot be secured via standard enterprise security methods, such as running a monitoring application on the device, as the devices cannot support these types of applications. Yet for ease of use, enterprise IoT devices are often connected to the same networks that employees use day in and day out and are often directly connected to the internet via a variety of network protocols (e.g. Ethernet, Bluetooth®, Wireless Fidelity (Wi-Fi®), cellular).

Definition of Internet of Things

There is no universally agreeable definition for IoT. The variety of perspectives from industry, academia, governments, and others across the world have led to different definitions, each focused on the needs of their sector, business, or area of interest. Each definition has relevant strengths and weaknesses, and they do not act to invalidate each other. Instead, these definitions work within their desired context, and others may choose to use and apply them as they see fit for the systems that will be procured and implemented.

• In The Internet of Things: An Overview [i.17], a 2015 report from The Internet Society, IoT is defined as: "…scenarios where network connectivity and computing capability extends to objects, sensors, and everyday items not normally considered computers, allowing these devices to generate, exchange, and consume data with minimal human intervention".

• A 2015 report from the Institute of Electrical and Electronics Engineers Incorporated (IEEE), titled Towards a Definition of the Internet of Things [i.18], defines IoT as "A network of items - each embedded with sensors - which are connected to the Internet".

• IoT has been defined within a recommendation from the International Telecommunication Union as "a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies".

• Gartner's IT Glossary [i.19] defines IoT as "the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment".

Regardless of which definition an enterprise chooses to use, there are certain common features:

• Communications - Whether via a local medium, such as Radio Frequency Identification (RFID), Bluetooth or Wi-Fi, or via a Wide Area Network (WAN) protocol, such as cellular, IoT devices can communicate with other devices.

• Functionality - IoT devices have a core function as well as some additional functionality, but they do not do everything. Most IoT devices do one thing and do it well.

• Processing capability - IoT devices have sufficient processing capability to make their own decisions and act on inputs received from outside sources, but not enough to do complex tasks. For instance, they generally cannot run a rich operating system designed for a traditional desktop or mobile device.

The lack of a consistent, agreed-upon definition is actually part of the challenge within the IoT arena. IoT is a large, complex space and common issues include:

• Ubiquity - There are a large number of overall devices.

• Diversity - Devices are developed by different manufacturers with varying version numbers of hardware, firmware, and software.

• Ecosystem - Multiple vendors are involved in creating each device, including hardware, firmware, and software.

• Standardization - There are minimal agreed standards for securing access and communications for these devices.

Examples of IoT devices that might be included within an enterprise include speakers, security cameras, door locks, window sensors, thermostats, headsets, watches, power strips, and more; basically any device that may be integrated into a typical business IT environment.
Methodology

A consistent approach is needed for analysing the Controls in the context of IoT. For each of the 18 Controls, the following information is provided in the present document:

• Applicability - This assesses the degree to which a Control functions or pertains to IoT.

• Challenges - These are unique issues that make implementing any of the relevant Controls, or associated Safeguards, for IoT devices difficult.

• Additional Discussion - A general guidance area that includes relevant tools, products, or threat information that could be of use.

Scope

The objective of this guide is to have broad applicability across sectors. IoT affects all areas of computing across multiple sectors, such as healthcare, aviation, public safety, and energy. This has

...
