iot security

rfc8576 Internet of Things (IoT) Security: State of the Art and Challenges

iot security

从威胁讲起:漏洞、隐私、clone of things、替换、监听、MITM、镜像、信息提取、路由攻击(改包、选择性转发、分光、伪装)、提权、ddos。

影响:业务影响、安全风险、隐私风险、安全事件处理

基于IP的安全框架。。。

PSK, Raw Public Key, Cert 安全模式。。。

主要问题点:异构网络、资源受限、DDoS、E2E、初始化、group comm、移动网络状态变换、secure update、update old and insecure cryptographic primitives、end of life (eol)、设备证明、应急响应、quantum-resistance、privacy (idenfication, localization, profiling, interaction, life cycle transitions, inventory attack, linkage)、逆向、可信操作。

iotsf

IoT Security Foundation Publications

Secure Design Best Practice Guides

classification of data, physical security, device secure boot, secure os, application security, credential Management, encryption, network connections, securing software updates, logging, software update policy, secure boot, secure update, side channel attack。

IoT Security Assurance Framework

分了几个安全等级,以及对上面的菜名的细化要求。

gfce

International IoT Security Initiative

Internet of Things (IoT) Security GFCE Global Good Practices

思路不错,问题点,bcp(设计,实践,认证,基线,标准),challenge(供应链,碎片化,生命周期,rot,监控,人员) 都列了一下。

etsi

ETSI EN 303 645

ETSI IoT Security WORKSHOP

nist

NISTIR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

主要关注device security, data security, privacy (personally identifiable information, PII)。

NISTIR 8259 Foundational Cybersecurity Activities for IoT Device Manufacturers

8259主要扯厂商可以在iot device的出厂前,出厂后干些什么事。注意出厂后的安全生命周期、升级、过期等等处理。

8259A关注device Cybersecurity的基线: device idenfication, device configuration, data protection, logical access to interface, software update, cybersecurity state awareness。

8259B主要扯要有什么人,应该干什么事。

NIST SP 800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements

800-213 主要是表态。

800-213A 是针对8259讨论的内容的一些描述与解释,看目录也行。

NIST Cybersecurity for IoT Program

Trusted Internet of Things (IoT) Device 4 Network-Layer Onboarding and Lifecycle 5 Management

doc