Defining your security policies
Define your IoT system technical security policies. Use automated tools to check for compliance with these policies whenever possible. Security policies for your system will vary based on unique system characteristics, but some recommended policies include:
- Secure communications:
- All communications are authenticated and encrypted
- TCP communications are encrypted using TLS 1.2 or higher
- TLS communications are authenticated using client/server certificates
- Unneeded ports/services are disabled
- Outbound communications that did not originate from a device are rejected (DENY)
- Cryptography:
- Only approved cryptographic ciphers are used within the system
- Only approved key lengths are used within the system
- Devices are configured to avoid negotiating unapproved cryptographic algorithms and protocols (negotiating downwards)
- Key and certificate management:
- Certificate lifetimes are limited to no more than three years' duration
- All key material is stored in a trusted enclave/element...