The purpose of this publication is to give manufacturers recommendations for improving how securable the Internet of Things (IoT) devices they make are. This means the IoT devices offer device cybersecurity capabilities—cybersecurity features or functions the devices provide through their own technical means (i.e., device hardware and software)—that device customers, including both organizations and individuals, need in order to secure the devices within their systems and environments. IoT device manufacturers will also often need to perform actions or provide services that their customers expect and/or need in order to plan for and maintain the cybersecurity of the device within their systems and environments. From this publication, IoT device manufacturers will learn how they can help IoT device customers with cybersecurity risk management by carefully considering two things: which device cybersecurity capabilities to design into their devices for customers to use in managing their cybersecurity risks, and which actions or services may also be needed to support the IoT device’s securability and their customers’ needs.
The publication is intended to address a wide range of IoT devices. The IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. Components of a device, such as a processor or a sensor that transmits data to a purpose-built base station, that cannot function at all on their own are outside the scope of this publication.
Some IoT devices may be dependent on specific other devices (e.g., an IoT hub) or systems (e.g., a cloud) for some functionality. IoT devices will be used in systems and environments with many other devices and components, some of which may be IoT devices, while others may be conventional information technology (IT) equipment. All parts of and roles within the IoT ecosystem, other than the IoT devices themselves and the manufacturer’s roles related to cybersecurity of those devices, are outside the scope of this publication.
This publication is intended to inform the manufacturing of new devices and not devices that are already in production, although some of the information in this publication might also be applicable to such devices.
Readers do not need a technical understanding of IoT device composition and capabilities, but a basic understanding of cybersecurity principles is assumed.