Importance of IoT cyber security compliance and standards
10 minute read
IoT cybersecurity standards, established by industry bodies and government agencies, play a pivotal role in ensuring that software and hardware products comply with regulations and best practices. These standards are essential for maintaining interoperability and security within the IoT ecosystem.
Navigating compliance standards
TrustCore SDK equips developers with the tools to seamlessly integrate commonly used standards, ensuring compliance across various industries.
Streamlining Compliance Standards with TrustCore SDK
TrustCore SDK simplifies the development of compliant IoT solutions by aligning with a diverse array of industry standards, including NIST, ISO, IEC, FDA, and more.
NIST Compliance in focus
NIST sets guidelines for IoT security, covering areas such as Identity Assurance (IAL), Authentication Assurance (AAL), Federation Assurance (FAL) Levels, and Federal Information Processing Standard (FIPS) 140. TrustCore SDK lays the groundwork for building IoT solutions that are not only secure and scalable but also adhere to these NIST standards.
Identity Assurance Levels (IAL)
- IAL1 Ideal for simple, self-asserted identity verification in IoT devices for low-risk scenarios.
- IAL2 Offers enhanced proofing, validating the real-world identity of IoT devices for increased security.
- IAL3 The highest assurance level, requiring physical presence, perfect for critical and high-security IoT devices.
Identity Assurance Levels (IAL)
- AAL1 Suitable for IoT devices in low-risk environments, utilizing single-factor authentication.
- AAL2 Introduces robust two-factor authentication, bolstering security in IoT applications.
- AAL3 Provides advanced, hardware-based authentication protocols for highly secure IoT environments.
Identity Assurance Levels (IAL)
- FAL1 Implements secure assertion protocols for IoT identity providers, ensuring verified identities.
- FAL2 Strengthens security with encrypted assertions, protecting identity data during transit.
- FAL3 Offers the utmost security with additional cryptographic key proofs, crucial for critical IoT systems.
FIPS Compliance
Adhering to NIST FIPS 140-2 and 140-3 standards is vital for data-sensitive IoT applications and demonstrates that your solution employs FIPS-validated encryption. This compliance is a prerequisite for marketing IoT devices and solutions in various public sectors.
Importance of IETF RFC Compliance
Compliance with IETF RFC standards is critical to ensure your IoT devices function effectively within the broader IoT ecosystem of web services, APIs, protocols, and hardware platforms. Adherence to established communication and cryptographic protocols means developers can build solutions that are secure and able to interact with disparate systems and technologies, maintaining compatibility with core internet standards.
ISA and CIP Compliance in Industrial and Infrastructure Sectors
For industries focused on automation and critical infrastructure, ISA (International Society of Automation) and CIP (Critical Infrastructure Protection) standards are crucial. TrustCore SDK promotes operational security and efficiency to protect vital infrastructure from cyber threats.
- ISA Compliance Sets best practices for automation and control systems in the industrial IoT (IIoT), ensuring operational security and efficiency.
- CIP Standards Focus on protecting critical infrastructure like power grids and water treatment facilities from cyber threats, emphasizing robust security measures.
Additional Compliance Standards
- FDA Regulations for Medical Device OEMs
- Pre-Market Focuses on cybersecurity risk management, addressing potential vulnerabilities, SBOM, etc.
- Post-Market Emphasizes managing cybersecurity risks in marketed devices, highlighting proactive monitoring, timely patching, and effective incident response plans.
- Automotive Sector UNECE WP.29 regulations, effective July 2024, mandate OEMs and their supply chains to meet specific requirements for cyber vulnerability protection. Non-compliance may halt vehicle manufacturing, posing significant commercial and reputational risks. These regulations apply to vehicles developed from mid-2022 onwards.
- UK Product Security and Telecommunications Act Addresses the evolving landscape of product security and telecommunications, ensuring up-to-date compliance in these sectors.
TrustCore SDK supported standards and technologies
TrustCore SDK is compliant with the following key IoT standards and guidelines.
NIST compliance details
TrustCore SDK is compliant with the following NIST digital identity guidelines.
| Level | Module | Details |
|---|---|---|
| IAL1 | NanoTAP | Basic identity proofing, suitable for low-risk scenarios. |
| IAL2 | Enhanced identity proofing, requiring stronger evidence of identity for moderate risk. | |
| IAL3 | The most stringent identity proofing, involving in-person verification for high-risk scenarios. |
| Level | Module | Details |
|---|---|---|
| AAL1 | NanoCrypto, NanoEAP, NanoTAP, NanoSMP | Basic authentication, typically single-factor, for low-risk environments. |
| AAL2 | Two-factor authentication for moderate risk, adding an extra layer of security. | |
| AAL3 | Multi-factor authentication with the highest security for high-risk environments. |
| Level | Module | Details |
|---|---|---|
| FAL1 | NanoCrypto, NanoSSL, NanoTAP | Basic federation assurance, using secure protocols for identity assertions. |
| FAL2 | Enhanced security for identity assertions, with encrypted data transmission. | |
| FAL3 | Highest level of federation assurance, involving advanced cryptographic methods. |
| Standard | Details |
|---|---|
| FIPS 140-2 | Certificate #4298, Certificate #4299 |
| FIPS 140-3 | Implementation under test |
| Guidline | Details |
|---|---|
| NIST SP 800-57 | Recommendations for cryptographic key management and best practices in federal agencies. |
| NIST SP 800-131 | Guidance on transitioning to stronger cryptographic keys and algorithms for federal systems. |
| NIST SP 800-161 | Guidelines for supply chain risk management in ICT, from procurement to disposal. |
IETF RFC compliance details
TrustCore SDK is compliant with the following RFCs.
| Module | RFC# | Details |
|---|---|---|
| NanoCrypto | RFC 8032 | Edwards-Curve Digital Signature Algorithm (EdDSA) |
| RFC 7748 | Elliptic Curves for Security | |
| NIST FIPS 202 | SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions | |
| NanoCert | X.509 v3 | X.509 v3 certificate |
| X.509 v2 | CRL format | |
| RFC 2251 | LDAP (Lightweight Directory Access Protocol) (v3) | |
| RFC 2252 | LDAP (v3): Attribute Syntax Definitions | |
| RFC 2254 | String Representation of LDAP Search Filters | |
| RFC 2255 | LDAP URL Format | |
| RFC 2256 | A Summary of the X.500(96) User Schema for use with LDAPv3 | |
| RFC 2560 | Online Certificate Status Protocol - OCSP | |
| RFC 2616 | Hypertext Transfer Protocol - HTTP/1.1 | |
| RFC 2617 | HTTP Authentication: Basic and Digest Access | |
| RFC 2830 | Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security | |
| RFC 3280 | X.509 certificate and CRL profiles | |
| RFC 4210 | Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP) | |
| RFC 5759 | Suite B Certificate and Certificate Revocation List (CRL) Profile | |
| IETF Draft | draft-nourse-scep-14.txt | |
| Draft | draft-ietf-ldapext-ldap-c-api-05 | |
| 3GPP TS 33.310 | Network Domain Security/Authentication Framework (NDS/AF) | |
| X.509 v2 | CRL format (duplicate, might be an intentional repetition or a different context) | |
| NanoSec | RFC 2367 | PF_KEY Key Management API, Version 2 |
| RFC 2401/4301 | Security Architecture for the Internet Protocol | |
| RFC 2402/4302 | IP Authentication Header | |
| RFC 2403 | The Use of HMAC-MD5-96 within ESP and AH | |
| RFC 2404 | The Use of HMAC-SHA-1-96 within ESP and AH | |
| RFC 2405 | The ESP DES-CBC Cipher Algorithm With Explicit IV | |
| RFC 2406/4303 | IP Encapsulating Security Payload (ESP) | |
| RFC 2407 | The Internet IP Security Domain of Interpretation for ISAKMP | |
| RFC 2408 | Internet Security Association and Key Management Protocol (ISAKMP) | |
| RFC 2409 | Internet Key Exchange (IKE) | |
| RFC 2410 | The NULL Encryption Algorithm and Its Use With IPsec | |
| RFC 2451 | The ESP CBC-Mode Cipher Algorithms | |
| RFC 3280 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile | |
| RFC 3526 | More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) | |
| RFC 3566 | AES-XCBC-MAC-96 Algorithm and Its Uses With IPsec | |
| RFC 3602 | AES-CBC Cipher Algorithm and Its Use with IPsec | |
| RFC 3686 | Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) | |
| RFC 3706 | A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers | |
| RFC 3715 | IPsec-Network Address Translation (NAT) Compatibility Requirements | |
| RFC 3748 | Extensible Authentication Protocol (EAP) | |
| NanoSSH | RFC 4250 | Secure Shell (SSH) Protocol Assigned Numbers |
| RFC 4251 | Secure Shell (SSH) Protocol Architecture | |
| RFC 4252 | Secure Shell (SSH) Authentication Protocol | |
| RFC 4253 | Secure Shell (SSH) Transport Layer Protocol | |
| RFC 4254 | Secure Shell (SSH) Connection Protocol (partially supported) | |
| RFC 4344 | Secure Shell (SSH) Transport Layer Encryption Modes | |
| RFC 4335 | Secure Shell (SSH) Session Channel Break Extension | |
| RFC 4419 | Diffie-Hellman Group Exchange for Secure Shell (SSH) Transport Layer Protocol | |
| RFC 4432 | RSA Key Exchange for Secure Shell (SSH) Transport Layer Protocol | |
| RFC 6187 | X.509v3 Certificates for Secure Shell Authentication | |
| RFC 6239 | Suite B cryptographic suites for SSH | |
| RFC 5656 | Elliptic Curve Algorithm Integration in Secure Shell Transport Layer | |
| RFC 8332 | Use of RSA Keys with SHA-256 and SHA-512 in Secure Shell (SSH) Protocol | |
| Draft | Draft-green-secsh-ecc-07 | |
| Draft | Draft-igoe-secsh-aes-gcm-02 | |
| NanoSSL | RFC 2246 | Transport Layer Security (TLS) Protocol Version 1.0 |
| RFC 3268 | Advanced Encryption Standard (AES) Cipher suites for TLS | |
| RFC 6066 | Transport Layer Security (TLS) Extensions | |
| RFC 4279 | Pre-shared Key Cipher suites for TLS | |
| RFC 4346 | Transport Layer Security (TLS) Protocol Version 1.1 | |
| RFC 4492 | Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security | |
| RFC 5246 | Transport Layer Security (TLS) Protocol Version 1.2 | |
| RFC 8446 | Transport Layer Security (TLS) Protocol Version 1.3 | |
| RFC 6347 | Datagram Transport Layer Security Version 1.2 | |
| RFC 9147 | Datagram Transport Layer Security Version 1.3 |
ISA and CIP compliance
TrustCore SDK helps achieve compliance with the following ISA and CIP standards.
| Standard | Details |
|---|---|
| ISA 62443-3-3 | Provides security guidelines for Industrial Automation and Control Systems (IACS), focusing on safeguarding critical industrial processes and control systems from cyber threats. |
| CIP-002 | Identifies and categorizes critical cyber assets in the energy sector, particularly in the electricity subsector, that if compromised could impact the reliability or operation of the electric grid. |
| CIP-003 | Establishes policies and procedures to protect critical cyber assets, addressing personnel and training, security management controls, and incident reporting and response planning. |
| CIP-005 | Governs electronic security perimeters and access controls to manage the connectivity and interaction between critical and non-critical cyber assets. |
| CIP-007 | Outlines requirements for securing systems by managing system vulnerabilities, implementing security patches, and monitoring system security. |
| CIP-009 | Focuses on ensuring the resilience and recovery capabilities of cyber systems essential to the reliability of the electric grid, addressing disaster recovery and cyber incident response. |
Quick look: Supported cryptographic algorithms, technologies, and standards
| 3DES-EDE-CBC | CTR | HMAC-SHA1 | MD2 | SHA2-384 | | 802.11i | DES | HMAC-SHA2 | MD4 | SHA2-512 | | AEAD | DH | HMAC-SHA2-224 | MD5 | SHA3-224 | | AEAD-AES-CCM | DHE | HMAC-SHA2-256 | MOBIKE | SHA3-256 | | AEAD-AES-GCM | Diffie Hellman | HMAC-SHA2-384 | Mode Config | SHA3-384 | | AES | Digest | HMAC-SHA2-512 | NAT-T | SHA3-512 | | AES-CBC | Digital Signature | HTTP | NIST | Shake-128 | | AES-CCM | DPD | HTTPS | NSA Suite B | Shake-256 | | AES-CCMP | DSA | IKE | OCSP | Signature | | AES-CMAC | DTLS | IKEv1 | OFNB | Single DES | | AES-CTR | EAP | IKEv2 | P-Curve | SRP | | AES-EAX | EAP-AKA | IP v6 | PEAP | SRTP | | AES-ECB | EAP-SIM | IPsec | PKCS #1 | SSH | | AES-GCM | EAP-TLS | Jacobi Symbol | PKCS #1 v1.5 | SSH v2 | | AES-GMAC | EAP-TTLS | KDF | PKCS #1 v2.1 | SSL | | AES-ICM | EAST-FAST | Key | PKCS #10 | SSL v3 | | AES-MM0 | EAX | Key Agreement | PKCS #12 | Stream Cipher | | AES-XCBC | ECB | Key Protection | PKCS #3 | Suite B | | AESKW | ECC | Key Wrapper | PKCS #5 | TAP | | ANSI | ECDA | LDAP | PKCS #7 | TKIP | | ARC-2 | ECDH | LDAP | PKCS #8 | TLS | | ARC-4 | ECDSA | LDAPv3 | Poly 1305 MAC | TLS v1.0 | | ARCFOUR | ECDSA-192 | LEAP | Private Key | TLS v1.1 | | ARCTWO | ECDSA-224 | Lucas Prime Test | Public Key | TLS v 1.2 | | ASN.1 | ECDSA-256 | MD2 | PureEdDSA | TLS v1.3 | | Behavioral –based Security | ECDSA-384 | MD4 | Rabin-Miller | TPM | | Blowfish | ECDSA-521 | MD5 | RC2 | Triple DES | | Buffer Overflow | EDDH | MOBIKE | RC4 | Trust Point | | Cast | Elliptic Curve | Mode Config | RSA | Two DES | | CBC | FIPS 140-2 | NAT-T | RSAES-OAEP | Verify Signature | | CBC-MAC | FIPS 186-2 | NIST | RSASSA-PSS | White Listing | | Certificate Authority | Firmware tampering | NSA Suite B | SCEP | Wireless | | Certificate Chain | Firmware updates | OCSP | SFTP | x.509v3 | | Certificates | HMAC | OFNB | SHA-1 | XAUTH | | Cipher Suites | HMAC-MD2 | P-Curve | SHA-2 | Zero Day | | CMPv2 | HMAC-MD4 | PEAP | SHA2-224 | Zero Knowledge Authentication | | CRL | HMAC-MD5 | Lucas Prime Test | SHA2-256 | XTS |