Why have you performed this work?
When we first performed this work, the IoT world was heavily fragmented. Since the initial mapping was conducted we have seen the IoT space defragment significantly and we hope that our original site at iotsecuritymapping.uk played a part in helping people in that process. Global views on a common baseline for IoT security are more harmonised than ever. Following the release of ETSI EN 303 645, a European standard for IoT security, we decided to refocus our mapping work to it as work evolved globally from the UK Code of Practice. Our intent and hope for this site remains: to help vendors and other stakeholders in the IoT ecosystem to understand how everything fits together, originally by mapping to the UK Code of Practice, and now to ETSI EN 303 645. This will reduce time and effort significantly for many who need to answer questions about what is available around the world and also ultimately help to reduce fragmentation in the standards and recommendations space.
What has happened to the previous mapping site?
The previous mapping work is still available and hosted on the original site, which can be found here. We will keep this site alive for as long as possible as it is directly referenced from the ETSI EN and many other places.
Will you develop the mapping further?
With the previous version of this site, we had been updating the data regularly and plan to do the same with this site. Updates are listed on the front page of this site. The space is constantly moving and as such new and updated documentation is always emerging. We’ll keep tracking it as much as possible!
Standards and recommendations are constantly being updated. How up-to-date are these mappings?
The original research conducted to create the initial mappings was performed against the UK Code of Practice for Consumer IoT Security, in July 2018. We regularly maintained and updated that site, and now, following the revision of the mappings to the ETSI EN, we plan to update the new site regularly based on newly published and submitted material. The market has continued to mature significantly (July 2020) and there has been a consolidation of ideas and best practice to the point where there is broad harmonisation on what constitutes the foundations of IoT security. Our task therefore is to keep track of this consolidation as it moves towards conformance and compliance. We expect this to be a big focus around the world up until 2024.
Why didn’t you include x standard or recommendation?
Some documents were reviewed and judged to be out of scope. The reasons for this included that the document wasn’t publicly available, hadn’t been published at the time of review, did not include security or privacy requirements, had no specific recommendations, or that the specification was too specific and low-level to be practical as a reference to the Code of Practice or the ETSI EN. Submissions of other documentation for future consideration are welcomed at: iotsecuritymapping[@]copperhorse.co.uk.
Why didn’t you update to new version x of our recommendation?
We have observed that in some cases newer versions of recommendations have been issued but, on review, the updates have been editorial in nature or are not related to the ETSI work. For those recommendations, we’ve left the mapping at the version we mapped previously. We do however try to keep up to date where we can. Please contact us if you feel we’ve missed something.
What is the difference between versions of the mapping research?
Each of the open data files contains a version number which helps us during the development process. Versions 1-4 mapped standards and documents in the area to the UK’s Code of Practice. Versions 5 and onwards map to ETSI EN 303 645. However! We’ve reset the version numbers of the files that you can download from this site. Of course, this site is starting afresh and the mappings are against a different document, so for that reason the filenames start at v1. As we age out / deprecate material we’ll review this, but we thought this was the most sensible and logical way forward.
Where did you source the recommendations?
We performed our own research but were able to source guidance references from a number of places including our own mobilephonesecurity.org living list of IoT security and privacy resources and others which are referenced within the published mapping document from the UK Government. We have also had excellent feedback and submissions since the original publication of this site.
Why is GDPR not mapped?
A decision was taken not to map GDPR because it is seen as fundamental to all consumer products; it should be considered an underlying foundational requirement for creating a secure product. We also mainly tried to concentrate on documents that focused on IoT security & privacy guidance and recommendations rather than government policy or legal requirements. That said, we did include the draft US bill on Internet of Things (IoT) Security Improvement as a number of sources referred to it. The same applies to California’s CCPA, although we did map SB-327 on the Security of Connected Devices, which came into law in January 2020. We’ll again keep monitoring this situation to see which things are the most logical and useful to map.
Is there a downloadable copy of the data available?
Yes, all the data is available as open data on this site in JSON, CSV and ODS formats.
What platform was used to create the visual mappings?
We used the excellent kumu.io to provide the visual mappings.
How can I contact you?
Questions related to this site and its contents should be submitted to: iotsecuritymapping[@]copperhorse.co.uk.