Cybersecurity — IoT security and privacy — Guidelines

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT) solutions.

Cybersécurité — Sécurité et protection de la vie privée pour l’IoT — Lignes directrices

General Information

Status
Published
Publication Date
06-Jun-2022
Current Stage
6060 - International Standard published
Due Date
20-Jun-2022
Completion Date
07-Jun-2022
Ref Project

Buy Standard

Standard
ISO/IEC 27400:2022 - Cybersecurity — IoT security and privacy — Guidelines Released:7. 06. 2022
English language
42 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 27400
First edition
2022-06
Cybersecurity — IoT security and
privacy — Guidelines
Cybersécurité — Sécurité et protection de la vie privée pour l’IoT —
Lignes directrices
Reference number
ISO/IEC 27400:2022(E)
© ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC 27400:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 27400:2022(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Abbreviated terms ............................................................................................................................................................................................. 2

5 IoT concepts ..............................................................................................................................................................................................................3

5.1 General ........................................................................................................................................................................................................... 3

5.2 Characteristics of IoT systems.................................................................................................................................................. 3

5.3 Stakeholders of IoT systems ....................................................................................................................................................... 4

5.3.1 General ........................................................................................................................................................................................ 4

5.3.2 IoT service provider ......................................................................................................................................................... 4

5.3.3 IoT service developer ........................................................................................................................................... ........... 4

5.3.4 IoT user ................................... ..................................................................................................................................................... 5

5.4 IoT ecosystem .......................................................................................................................................................................................... 5

5.5 IoT service life cycles ........................................................................................................................................................................ 5

5.6 Domain based reference model ............................................................................................................................................... 7

6 Risk sources for IoT systems ................................................................................................................................................................... 8

6.1 General ........................................................................................................................................................................................................... 8

6.2 Risk sources .............................................................................................................................................................................................. 9

6.2.1 General ........................................................................................................................................................................................ 9

6.2.2 Sample risk sources related to IoT domains .............................................................................................. 9

6.2.3 Risk sources from outside the IoT domains ............................................................................................ 11

6.2.4 Privacy related risk sources..................................................................................................................................12

7 Security and privacy controls .............................................................................................................................................................13

7.1 Security controls ............................................................................................................................................................................... 13

7.1.1 General .....................................................................................................................................................................................13

7.1.2 Security controls for IoT service developer and IoT service provider.............................13

7.1.3 Security controls for IoT user ..............................................................................................................................30

7.2 Privacy controls ........................................................................................................................................... ....................................... 32

7.2.1 General ..................................................................................................................................................................................... 32

7.2.2 Privacy controls for IoT service developer and IoT service provider ............................... 32

7.2.3 Privacy controls for IoT user ................................................................................................................................38

Annex A (informative) IoT monitoring camera sample risk scenario ..........................................................................40

Bibliography .............................................................................................................................................................................................................................42

iii
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/IEC 27400:2022(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.

ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of

electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 27400:2022(E)
Introduction

Information security is a major concern of any information and communication technology (ICT) system

and Internet of Things (IoT) systems are no exception. IoT systems present particular challenges for

information security in that they are highly distributed and involve a large number of diverse entities.

This implies that there are a very large attack surface and a significant challenge for the information

security management system (ISMS) to apply and maintain appropriate security controls across the

whole system.

Privacy or personally identifiable information (PII) protection is a significant concern for some types

of IoT systems. Where an IoT system acquires or uses PII, it is usually the case that there are laws and

regulations that apply to the acquisition, storage and processing of PII. Even where regulations are

not a concern, the handling of PII by an IoT system remains a reputational and trust concern for the

organizations involved, for example, if the PII is stolen or is misused, potentially causing some form of

harm to the people identified by the information.

Security and privacy controls in this document are developed for stakeholders in an IoT system

environment, so as to be utilized by each IoT stakeholder, throughout the IoT system life cycle.

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 27400:2022(E)
Cybersecurity — IoT security and privacy — Guidelines
1 Scope

This document provides guidelines on risks, principles and controls for security and privacy of Internet

of Things (IoT) solutions.
2 Normative references
There are no normative references in this document.
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 20924, ISO/IEC 27000,

ISO/IEC 29100, ISO 31000 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
cloud computing

paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual

resources with self-service provisioning and administration on-demand

Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications and

storage equipment.
[SOURCE: Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, 3.2.5]
3.2
cloud service

one or more capabilities offered via cloud computing (3.1) invoked using a defined interface

[SOURCE: Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, 3.2.8]
3.3
IoT device

entity of an IoT system that interacts and communicates with the physical world through sensing or

actuating
3.4
IoT device developer
entity that creates an assembled final IoT device

Note 1 to entry: “final” in this definition means the stage of delivery to the IoT service developer in the assemble

process.
3.5
IoT platform

infrastructure that enables the deployment, management and operation of IoT devices

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/IEC 27400:2022(E)
3.6
IoT system
system providing functionalities of Internet of Things

Note 1 to entry: IoT system is inclusive of IoT devices, IoT gateways, sensors, and actuators.

Note 2 to entry: In the context of this document, this also includes applications and backend that support IoT

solutions.
3.7
IoT solution

seamlessly integrated bundle of technologies, potentially including sensors, gateways and actuators

Note 1 to entry: These can solve a specific problem or need or they can be used to build additional functionality

in other none IoT solutions
3.8
ecosystem
infrastructure and services based on a network of organizations and stakeholders
Note 1 to entry: Organizations can include public bodies.
[SOURCE: ISO/IEC TS 27570:2021, 3.8]
4 Abbreviated terms
ASD Application and Service Domain
CRM Customer Relationship Management
DoS Denial of Service
IC Integrated Circuit
ICT Information and Communications Technology
IoT Internet of Things
ISAC Information Sharing and Analysis Centre
ITS Intelligent Traffic System
OMD Operations and Management Domain
OTA Over The Air
PED Physical Entity Domain
PII Personally Identifiable Information
RAID Resource Access and Interchange Domain
SCD Sensing and Controlling Domain
UD User Domain
Wi-Fi Wireless Fidelity
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 27400:2022(E)
5 IoT concepts
5.1 General

This clause provides a brief introduction to IoT concepts and reference models which are useful in the

context of security and privacy. Detailed information on these topics is provided in ISO/IEC 30141.

5.2 Characteristics of IoT systems

The applications of IoT systems are diverse, making it impractical to define a generally applicable set

of characteristics for every IoT system. As a practical way to describing characteristics of IoT systems,

“common characteristics” and “specific characteristics for application areas” can be identified.

IoT systems share following common characteristics.

— IoT systems include IoT devices, which is specific hardware and software equipment which is used

in conjunction with or attached to physical things or materials.

— IoT devices are connected to networks and have the ability to transmit and receive data. Wired as

well as wireless networks can be used.

— IoT devices usually have sensing capabilities, e.g. for detecting environment states or movements.

— IoT devices can have actuating capabilities, e.g. receiving controlling data in order to initiate physical

actions.

— IoT systems include IoT applications in order to process data from IoT devices, to generate and send

controlling data, and to enable integration with other systems.

— IoT systems include operational components which allows the setup and operation of IoT devices

and applications.

— IoT systems support human or digital users (for further information refer to ISO/IEC 30141).

Depending in which area or for which purpose IoT systems are used there are specific requirements.

See the following list of examples.

— For consumer IoT systems pricing is very sensitive, which makes low cost for manufacturing and

operating IoT devices important. Depending on the data processed, data privacy can also be very

important.

— Industrial IoT systems can replace or be used in conjunction with an industrial plant and control

systems and therefore, be subject to similar requirements such as high availability or safety. Safety

of process utilizing IoT systems may depend on the security characteristics of an IoT device.

— IoT systems used in vehicles are used in the context of reliability or safety relevant functionalities.

Whereas in the reliability related use case privacy requirements can be important to consider, a

safety use case can impose high integrity and availability requirements.

For further information and discussion of specific use cases for IoT systems, refer to

ISO/IEC TR 22417:2017.

IoT service providers often use cloud infrastructure to implement their services. Especially when using

public cloud services, this allows low initial cost and great scalability.

An IoT service provider should ensure as a consumer of a cloud service that the cloud service has

adequate security controls in place. These controls, often also in combination with additional controls

at the IoT service provider’s side, should fully address the security and privacy requirements of the IoT

users (e.g. regarding protection of PII), for which the IoT service provider is in a supplier role.

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC 27400:2022(E)

For further guidance on supplier relationships in cloud services refer to ISO/IEC 27036-4, for guidance

on security controls for cloud services based on ISO/IEC 27002 refer to ISO/IEC 27017, and further

guidance on PII protection in public cloud is provided in ISO/IEC 27018.
5.3 Stakeholders of IoT systems
5.3.1 General

In order to be able to implement security and privacy for an IoT system, it is important to know the

stakeholders of the system. Depending on their role, they are either setting the level of security and

privacy required for the system based on their risk appetite, or they contribute to effective controls for

achieving these requirements.

ISO/IEC 30141 defines three types of roles: IoT service provider, IoT service developer and IoT users. It

also defines a number of subroles and activities, some of them relate to security and privacy.

In 5.3, the common stakeholders relevant for most IoT systems are introduced.
5.3.2 IoT service provider

An IoT service provider manages and operates the services of an IoT system which are offered to the IoT

users.

Common services provided by IoT service providers include connectivity services, data collection and

management services as well as management service for IoT-related assets such as IoT devices.

The IoT service needs to match the IoT user’s needs and is dependent on a specific use case or a relevant

IoT ecosystem.

IoT service providers need to understand the functional and non-functional requirements of IoT users

for services provided, and to satisfy IoT users with the services, particularly in terms of security and

privacy.

In order to achieve this, IoT service providers also need to fully understand any relevant threat vectors

in order to be able to perform a risk assessment and to select effective risk treatment options.

For specific controls which have to be considered by an IoT service provider, refer to the controls given

in Clause 7 which have “IoT service provider” as the indicated audience.
5.3.3 IoT service developer

IoT service developers are responsible for the design, implementation and integration of IoT services.

IoT service developers can be further specialized, e.g. by taking on the role as architect for IoT solutions

or platforms, as designer and or implementer for IoT applications, as designer or implementer for IoT

devices.

In each role, IoT service developers should follow best practices for design and development, e.g.

adhering to security and privacy by design principles or using secure software development life cycles.

One of the subroles of IoT service developers is IoT device developer. It does engineer and produce

specific hardware equipment to be used in IoT systems, in particular IoT devices.

IoT devices can either be operated and used directly by an IoT user or by an IoT service provider, and

the technically same device can be used in various different IoT use cases. It is important for an IoT

device developer to consider the security and privacy requirements of potential usage scenarios for the

device in the design phase, in order to be able to offer devices which have the right set of functionality

and features to fulfil their customers’ need.
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 9 ----------------------
ISO/IEC 27400:2022(E)

IoT service developers need to understand and consider the security and privacy expectations and

requirements of the IoT service providers as well as of IoT users, so that necessary controls are selected

to ensure adequate treatment of risks of the IoT system.

For more information regarding controls which have to be considered by IoT service developers, refer

to the controls given in Clause 7 which have “IoT service developer” as an indicated audience.

5.3.4 IoT user

An IoT user is the end user of an IoT service and can be categorized into human user and digital user.

Human user is an individual who uses the IoT service. Digital user is a non-human user of the IoT

service; it can be an automated service acting on behalf of a human user.

In the case of human user, he/she can be either represented by an individual, for example, in the case of

consumer level IoT systems, or by an organization, e.g. in the case of industrial IoT systems.

In any case, the IoT user does directly set or at least does influence the functional and non-functional

requirements for an IoT system or an IoT service.

It is in the core interest of the IoT user that an IoT system or IoT service can be used without introducing

unacceptable risks in the area of security and privacy.

The level of security and privacy required to be provided in a IoT system or service is mainly driven by

expectations or risk considerations done by IoT users. However, IoT users may often be unaware of the

security implications of the technologies.

For any use case a profound understanding of the IoT users and of their needs and requirements is

crucial.

In order to be able to treat IoT related risks adequately, there are also controls an IoT user should

consider and implement. For more information regarding these controls, refer to the controls given in

Clause 7 which has “IoT User” as an indicated audience.
5.4 IoT ecosystem

Dependencies among IoT service providers, IoT service developers and IoT users in the context of

security and privacy in an IoT system can be described as an ecosystem, an analogy to the concept in

ecology. The dependencies in security and privacy in IoT include:
a) products and services supplier relationships;

b) provision of measures by other entities within the ecosystem necessary in implementing security

and privacy controls (see Clause 7); and

c) potential externality of consequences in conceivable risk scenarios not contained within an entity

(see Clause 6), e.g. failure in implementing a control by an IoT service provider or an IoT service

developer giving rise to security and privacy risk of IoT users.

Furthermore, there are concerns about adverse effects on other organizations beyond the impact

between stakeholders assumed in a single IoT system, such as cyber attacks against external

organizations and countries that exploit vulnerable IoT systems and devices. These adverse effects

need to be addressed in an expanded ecosystem that includes the entities potentially affected, and

responsible organizations should implement controls (Clause 7) addressing them.
5.5 IoT service life cycles

An IoT service introduces various life cycles, which can be mapped to the stakeholders of an IoT system.

More specifically, an IoT service is:
a) developed by an IoT service developer and IoT device developer(s);
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC 27400:2022(E)
b) provided by an IoT service provider, and
c) used by IoT users.

Processes of these stakeholders form a set of interdependent life cycles of device development, service

development, service provision and use of the service. Figure 1 shows these life cycles of IoT service

and the relationships among them.
Figure 1 — IoT service life cycles

In the life cycle of the IoT device, the IoT device developer designs, develops, manufactures, sells to

and supports the IoT service developers, the IoT service providers or the IoT users. At retirement of

the device, the IoT device developer terminates supporting the IoT device. Security and privacy

requirements are considered in design and development of the IoT device, and implemented as features

of the IoT device, e.g.
d) user authentication and access control mechanisms of the device;
e) physical security feature such as secure case; and
f) device software and firmware updating mechanism and operation.

During supplier relationships, information of these features is provided to and used by the IoT service

developers and the IoT service providers at relevant stages of their life cycles. An IoT device developer

should ensure that adequate and updated device information including security related information is

available to all relevant stakeholders.

The IoT service developer designs, develops, produces, and supports the IoT system that enables the

IoT service. At retirement, the IoT service developer terminates supporting the IoT system. Based on

requirements for an IoT service driven by the needs of the assumed users of the service, security and

privacy requirements are considered in design and development of the IoT system, and implemented as

features of the IoT system, e.g.
g) user authentication and access control mechanisms of the service;
h) protection against malware;
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 11 ----------------------
ISO/IEC 27400:2022(E)
i) redundancy of components and network;
j) software updating mechanism and operation; and
k) functions and procedures for system operations.

Information of these features is provided to and used by the IoT service providers at relevant stages of

its life cycle and they need to be aligned with the security features of the used IoT devices.

The IoT service provider develops the operation and operates the IoT service acquired from the IoT

service developer. At retirement, the IoT service provider terminates provision of the service. The

activities of these phases of the life cycle, i.e. development, operation and retirement, are implementation

of system life cycle processes given in ISO/IEC 15288 including but not limited to:

l) acquisition process;
m) supply process;
n) organizational project enabling processes;
o) technical management processes;
1) risk management process;
2) quality assurance process;
p) technical processes;
3) operation process;
4) maintenance process; and
5) disposal process.

Among these processes, the risk management process and the quality assurance process are key to

security and privacy in the IoT service. In the risk management process, security and privacy risks are

assessed and treated by applying the features of the IoT devices and the IoT system and implementing

secure operations. Through the quality assurance process, the IoT system and software are ensured

to be excluding vulnerabilities and malicious components, and to have necessary safety functions that

ensure availability of the IoT system along with other safety aspects.

Through the supply process, information related to security and privacy in the use of the IoT service

and software updates are provided to the IoT user.

The IoT user chooses an IoT service that meets its service and functional requirements along with

security and privacy requirements. Information related to security and privacy is provided by the

IoT service provider and the IoT device developer, and are examined by the IoT user at this stage.

After purchasing the IoT service, the IoT user applies software and firmware updates and uses other

information provided by the IoT service provider and the IoT device developer to keep the level of

security and privacy during the operation till the decommissioning of the IoT device.

It should be noted that security and privacy issues can occur due to lack of consistency among life

cycles of the stakeholders. As an example, the IoT service providers should be aware of the possibility

that support period of a specific IoT device terminates during the operation of the IoT service, or the

IoT device developer or other IoT service developer cease to exist in the market, while the IoT users

continue to use the IoT device whether aware or not of the termination.
5.6 Domain based reference model

IoT reference models presented in ISO/IEC 30141 provide views of the IoT systems. One of the reference

models is the domain based reference model which
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.