Guidelines for a secure IoT ecosystem

28.03.19 03:10 PM By Brightsight

In the current climate of continuous change and rapid evolution for both the technology and the threats generated by the larger number of devices in operation, a growing number of security frameworks are being developed by public and private organisations. Several of these frameworks deserve special mention. 

This set of recommendations has an interesting spin on the value of security. In partnership with a number of cyber assurance companies, the UK Cyber Essentials scheme attaches tangible value to the security assessment. After all, we are in the same business: managing risk. While insurance companies look at financial risk, security evaluation laboratories look at information risk.

This is a prime example of a framework that seems to be heading in the direction of becoming regulation – if not the framework itself, at least its recommendations. The work of the UK Department for Digital, Culture, Media & Sport (DCMS) provides a high-level yet sufficient set of minimum requirements for consumer IoT devices.

This is one of the most recent frameworks and the result of a comprehensive study of recommendations and other frameworks in use.

This set of recommendations from the European Union Agency for Network and Information Security (ENISA) has been around since November 2017. It provides a solid foundation for what is rightly labelled “baseline security for IoT devices”. In addition to the document itself, ENISA provides tools and further development of this framework for applications such as smart cities and manufacturing.

Launched in February 2019 by the European Telecommunications Standards Institute (ETSI), this technical specification is a nice example of how a framework can become a standard. The work of the ETSI group is the formalization of work initiated by DCMS under the Code of Practice.

The work of the GSMA Association is a good example of how an industry can draw on the security experience of a particular field (telecommunications, under the GSMA group, in this case) and share that experience through a technology-agnostic framework for a wider audience.

There are many other frameworks worth mentioning, such as the IEC 62443 for industrial IoT. This framework deserves a dedicated blog describing the work of the International Electrotechnical Commission.

A more comprehensive list of frameworks is maintained by NIST and DCMS. We should also not forget the IoT Security Standards Gap Analysis by ENISA and the STATE OF THE ART SYLLABUS by ECSO. Both provide a broader overview of frameworks by region and application, aiming to support the industry in building a stronger, safer and more secure IoT ecosystem.

More information on how Brightsight can help address this evolving space for IoT security frameworks can be found here.

For more information about certifications, frameworks and how we can help you, please send an e-mail to

Author: Carlos Serratos