The purpose of this paper is to present a set of well-investigated Internet of Things (IoT) security guidelines and best practices that others can use as a basis for future standards, certifications, laws, policies and/or product ratings. Most, if not all, of these guidelines would apply to any Internet-connected device; however, this paper focuses on security measures either peculiar to the IoT or especially relevant to the IoT. This paper assumes the end-to-end processing model of the Internet, in which application features such as security are handled by the end nodes of the network (client and server hardware) rather than by the network itself. It focuses on security mechanisms, including patching and updating, that should be considered at the manufacturing design phase rather than after devices have already been built or deployed.
This paper expands on the findings of a 2016 project by the IEEE Internet Initiative, the IEEE Experts in Technology and Policy (ETAP) Forum on Internet Governance, Cybersecurity and Privacy. Several ETAP events took place in 2015 and 2016 in various regions around the world, including Israel, China, India and the United States. These events brought together technologists, policy-makers and others with an interest and expertise in technology policy. One of the issues consistently brought up in these events was security of the IoT.
This paper is intended for an educated lay audience. The recommendations offered in this paper are generally intended for implementation by manufacturers of IoT products; however, they are also designed to be readable by non-technical but well-educated lawmakers, corporate and governmental policy makers, and participants in standard-setting bodies.