Thorough publications about IoT security are rare, and detailed analyses of threats, attacks, assets and so on are even rarer. The "Baseline Security Recommendations for IoT" publication from the European Union Agency for Network and Information Security (ENISA) combines all of these topics in one clearly structured document. The document is a collaborative work between the major players in the IoT and security industry and ENISA.

IoT Security Recommendations

Have you ever searched the web for statistics, proofs of concept or recommendations on IoT security? Most of the time you end up with some infographic without a clear source, or with generic statements such as "Every 10th company has already faced a security incident involving IoT".

At least this was my personal impression when I started to dig deeper into IoT security two years ago, and even today it is quite hard to find sources that distinguish between sensors, gateways, mobile phones, apps, clouds, management services, security policies and concepts for company processes. This was also the original reason I started this blog and published articles like

The publication I want to present today goes in exactly the same direction as this blog, but has strong support from industry and politics. I am talking about the Baseline Security Recommendations for IoT from the European Union Agency for Network and Information Security (ENISA), published in November 2017.

Authors of IoT Security Recommendations

The document itself was presumably written by the agency, but the list of acknowledgments is quite long, which suggests that the list of authors and co-authors was also long. In that list we find companies and organisations such as ARM, Kaspersky, Symantec, ST, Cloudflare, NXP, GSMA, Bosch, Huawei, Siemens, Microsoft, Avast and many more.

Of course, you can still say that you do not trust any publication from an agency; in that case you can stop reading here. But because no specific cryptographic algorithms are recommended, only the techniques, I think it is worth reading for everyone who is somehow involved in the development of IoT products for any market. The first roughly 50 pages in particular (in effect about 25 pages of content) are very generic and contain no security-domain abbreviations or heavy technical content. I think they are really worth reading for every project or product manager of a security-critical product.

Structure of the IoT Security Publication

The document starts with a definition of IoT, then goes through an analysis of the most critical parts of the IoT chain, IoT assets, a taxonomy of cyber security attack scenarios relevant for IoT (but not only for IoT), and attackers. After this broad introduction to the security topics in IoT, the authors move on to recommendations for company policies, then organisational measures, and finally technical measures.

All of the topics, statements and recommendations are backed either by a cited source or by an expert statement. A long list of references allows a deep dive into the individual topics and makes the claims verifiable.

Other Book Recommendations

There are also a lot of good books on the market covering IoT security topics; here are some popular examples