ENISA publishes best practices guide for IoT security

The European Union Agency for Cybersecurity (ENISA) publishes a best practice guide for IoT security. The report details the security concerns surrounding IoT and classifies the threats into several categories: ‘personnel’, ‘outages’, unintentional damages’, ‘physical attack’, ‘legal’, ‘failures/malfunctions’ and ‘nefarious activity/abuse’. The report concludes with recommendations focusing on the issue of secure Software Development Life Cycle (sSDLC) of IoT. These recommendations include three parts: people, processes, and technologies. People refer to issues such as training and awareness especially within organizations and the establishment of security culture (defining security roles and privileges, separating duties, monitoring and responding to security incidents). Processes refer to issues such as third party and operations management; sSDLC methodology, secure deployment, and security design and internal policies. Technologies refer to issues such as access control (secure storage of users’ credentials); third-party software, using secure communications practices and codes; sSDLC infrastructure, security reviews and setting up contingency plans.