Security Classification of IoT Devices
When classifying IoT devices and IoT hardware from a security perspective, there are different taxonomies or frameworks based on a variety of factors, including functionality, risk level, architecture, and attack surface.
The recent standard ISO/IEC 30141:2024, titled "Internet of Things (IoT) – Reference Architecture," provides a standardized framework for designing IoT systems and, unlike its 2018 version, emphasizes trustworthiness. On the other hand, the NIST Internet of Things (IoT) Component Capability Model (IoT CCM), where capability is defined as “the quality of being able to perform a given function”, includes security among its “supporting capabilities” but gives no details about classifications.
CROSSCON project deliverable D1.5, which deals with requirements elicitation (https://crosscon.eu/library/deliverables), gives an overview of different standards and papers that deal with this issue, but also mentions that these efforts are “resource centric”, meaning that device resources (i.e., computing power) and functionality are used as a key differentiator for dividing devices into classes.
The CROSSCON device classification is based on two aspects:
· Security Capabilities, understood as the security capabilities that the hardware and firmware of the device can offer to users and applications.
· Security Guarantees, which are security requirements a device might have due to its usage or context. These are independent of the security capabilities: for example, a device might have very few security capabilities but require high security guarantees.
The security capabilities of a device are typically provided either by the CPU itself, e.g., as part of the architecture, or by additional hardware provided by the MCU manufacturers. They include features such as memory protection, memory virtualization, secure identifiers or crypto primitives. These capabilities can then be used to implement trusted security services for devices, such as secure boot, secure storage or control flow integrity.
This is a different approach from, for example, the draft ISO/IEC 27404, titled "Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT," which aims to establish a standardized framework for cybersecurity labeling of consumer Internet of Things (IoT) devices. It is designed to complement existing standards, such as ISO/IEC 27402, which specifies baseline security and privacy requirements for IoT devices.
Other approaches include the German Federal Office for Information Security (BSI) Security Label, based on the ETSI EN 303 645 standard, which again outlines security requirements for consumer IoT devices and is more aligned with what we called “security guarantees” in CROSSCON.
In other words, the CROSSCON classification also considers “what an IoT device/hardware could do” and not only “what an IoT device should do”.
The proposed device classification for the CROSSCON project is the following:
· Class 0 (NO SECURITY): devices that have no built-in security capabilities at all. These are normally devices that must meet ultra-low-power and low-cost constraints and are therefore not adequate for critical functions, since they cannot provide any security guarantee per se. These devices need to rely entirely on software-based security, which makes them more vulnerable to attacks.
· Class 1 (BASIC SECURITY): devices that are resource constrained but contain basic security capabilities such as memory protection via an MPU and a basic privilege system. While these devices may have a more secure stack than Class 0 devices, they may still be vulnerable to specific attacks. Providing certain security guarantees on them can be a complex task and require a lot of secure software development.
· Class 2 (STRONG SECURITY): devices that already contain integrated or discrete hardware functions with security capabilities such as secure storage, crypto services, and measuring and reporting, as well as hardware-based enclaves. These can be MCUs using CPUs such as Cortex M23 or M33.
· Class 3 (EXTENDED SECURITY): devices that can typically be used in high-security environments such as critical infrastructure, military applications, or secure communications. They have the highest level of security, incorporating the most advanced security capabilities such as subsystems to isolate specific parts of the device, True Random Number Generators (TRNG), physically unclonable functions (PUFs), or hardware-based intrusion detection.
Other public CROSSCON project deliverables will be published soon; check the project website or contact me for more information.