ISO/IEC 24767-1:2008

ISO/IEC 24767-1
Edition 1.0 2008-09
INTERNATIONAL
STANDARD
Information technology – Home network security –
Part 1: Security requirements
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester.
If you have any questions about ISO/IEC copyright or have an enquiry about obtaining additional rights to this
publication, please contact the address below or your local IEC member National Committee for further information.

IEC Central Office
3, rue de Varembé
CH-1211 Geneva 20
Switzerland
Email: inmail@iec.ch
Web: www.iec.ch
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigenda or an amendment might have been published.
ƒ Catalogue of IEC publications: www.iec.ch/searchpub
The IEC on-line Catalogue enables you to search by a variety of criteria (reference number, text, technical committee,…).
It also gives information on projects, withdrawn and replaced publications.
ƒ IEC Just Published: www.iec.ch/online_news/justpub
Stay up to date on all new IEC publications. Just Published details twice a month all new publications released. Available
on-line and also by email.
ƒ Electropedia: www.electropedia.org
The world's leading online dictionary of electronic and electrical terms containing more than 20 000 terms and definitions
in English and French, with equivalent terms in additional languages. Also known as the International Electrotechnical
Vocabulary online.
ƒ Customer Service Centre: www.iec.ch/webstore/custserv
If you wish to give us your feedback on this publication or need further assistance, please visit the Customer Service
Centre FAQ or contact us:
Email: csc@iec.ch
Tel.: +41 22 919 02 11
Fax: +41 22 919 03 00
ISO/IEC 24767-1
Edition 1.0 2008-09
INTERNATIONAL
STANDARD
Information technology – Home network security –
Part 1: Security requirements
INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
PRICE CODE
K
ICS 35.200 ISBN 2-8318-1000-1
– 2 – 24767-1 © ISO/IEC 2008(E)
CONTENTS
FOREWORD.4
1 Scope.5
2 Terms, definitions and abbreviations .5
2.1 Terms and definitions .5
2.2 Abbreviations .6
3 Conformance.6
4 Security requirements for home electronic systems and networks.6
4.1 General .6
4.2 Home electronic system security .7
4.3 Issues related to HES security but out of scope of this standard.11
5 Challenges .12
5.1 General .12
5.2 Always-on challenge .12
5.3 Power line challenge .12
5.4 Wireless challenge .13
5.5 Complex assortment devices challenge .13
5.6 Many and diverse user needs.13
5.7 Many and diverse applications.13
6 Security models.14
6.1 Introduction .14
6.2 Owner supported single home HES (OSS).14
6.3 Externally supported single home HES (ESS).14
6.4 Externally supported multiple homes HES (ESM) .14
7 Threat analysis.15
7.1 General .15
7.2 Unauthorized access .15
7.3 Malicious software and configuration .16
7.4 Denial of service .17
7.5 Unintended modification of data during communication .17
7.6 User errors .17
7.7 System failures .17
7.8 Security service providers .17
8 Security requirements.17
8.1 General .17
8.2 Access control.18
8.3 Data and message authentication.19
8.4 Remote access control .19
8.5 Protection of communications.19
8.6 Firewalls.20
8.7 Virus protection .20
8.8 Protection against denial of service attacks .20
8.9 Auditing.21
8.10 Recovery.21
9 Requirements on security solutions .21

24767-1 © ISO/IEC 2008(E) – 3 –
9.1 General .21
9.2 Different levels of security services for different applications in a home.21
9.3 Convenience .22
Annex A (informative) Comparison between office IT systems and home electronic
system security requirements .23
Bibliography.24

Figure 1 – A concept model of home networks.10
Figure 2 – Different considerations in different home environments .11

Table 1 – Security threats and corresponding defences .18

– 4 – 24767-1 © ISO/IEC 2008(E)
INFORMATION TECHNOLOGY –
HOME NETWORK SECURITY –
Part 1: Security requirements
FOREWORD
1) ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form the
specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in
the development of International Standards. Their preparation is entrusted to technical committees; any ISO and
IEC member body interested in the subject dealt with may participate in this preparatory work. International
governmental and non-governmental organizations liaising with ISO and IEC also participate in this preparation.
2) In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
3) The formal decisions or agreements of IEC and ISO on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested IEC and ISO member bodies.
4) IEC, ISO and ISO/IEC publications have the form of recommendations for international use and are accepted
by IEC and ISO member bodies in that sense. While all reasonable efforts are made to ensure that the
technical content of IEC, ISO and ISO/IEC publications is accurate, IEC or ISO cannot be held responsible for
the way in which they are used or for any misinterpretation by any end user.
5) In order to promote international uniformity, IEC and ISO member bodies undertake to apply IEC, ISO and
ISO/IEC publications transparently to the maximum extent possible in their national and regional publications.
Any divergence between any ISO/IEC publication and the corresponding national or regional publication
should be clearly indicated in the latter.
6) ISO and IEC provide no marking procedure to indicate their approval and cannot be rendered responsible for
any equipment declared to be in conformity with an ISO/IEC publication.
7) All users should ensure that they have the latest edition of this publication.
8) No liability shall attach to IEC or ISO or its directors, employees, servants or agents including individual experts
and members of their technical committees and IEC or ISO member bodies for any personal injury, property
damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees)
and expenses arising out of the publication of, use of, or reliance upon, this ISO/IEC publication or any other IEC,
ISO or ISO/IEC publications.
9) Attention is drawn to the normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
10) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
International Standard ISO/IEC 24767-1 was prepared by subcommittee 25: Interconnection
of information technology equipment, of ISO/IEC joint technical committee 1: Information
technology.
The list of all currently available parts of the ISO/IEC 24767 series, under the general title
Information technology – Home network security, can be found on the IEC web site.
This International Standard has been approved by vote of the member bodies, and the voting
results may be obtained from the address given on the second title page.
This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

24767-1 © ISO/IEC 2008(E) – 5 –
INFORMATION TECHNOLOGY –
HOME NETWORK SECURITY –
Part 1: Security requirements
1 Scope
This part of ISO/IEC 24767 specifies home network security requirements that may come from
inside or outside a home. It serves as a foundation for the development of security services
against threats affecting the home environment.
The discussions about security requirements in this standard are presented in a relatively
informal manner. Although many of the items discussed here are expected to guide the design
of security mechanisms applied either inside home networks or through the Internet, they are
not considered formal requirements.
Various devices are connected to the home network; see Figure 1. The devices of the “living
network”, the devices for “A/V entertainment” and the devices for “informational applications”
provide different features and performance. This standard provides means to analyse the
risks for each networked device and to define its specific “security requirements”.
2 Terms, definitions and abbreviations
2.1 Terms and definitions
For the purpose of this document the following definitions apply.
2.1.1
brown goods
A/V devices that are mainly used for entertainment, for example, television or DVD recorder
2.1.2
confidentiality
property that information is not made available or disclosed to unauthorized individuals,
entities or processes
2.1.3
data authentication
service used to ensure that the source of the data claimed by a party to a communication is
correctly verified
2.1.4
data integrity
property that data has not been altered or destroyed in an unauthorized manner
2.1.5
user a
...