
IoT and Security Standards and Best Practices

Chapter Description

In this sample chapter from Orchestrating and Automating Security for the Internet of Things: Delivering Advanced Security Capabilities from Edge to Cloud for IoT, the author team raises awareness of what should be considered when planning to secure an IoT system and highlights some of the more robust standards and best practices used today that can help.

Topics covered in this chapter include

  • Today’s Standard Is No Standard

  • Defining Standards

  • The Challenge with Standardization

  • IoT Standards and Guidance Landscape

  • Standards for NFV, SDN, and Data Modeling for Services

  • Communication Protocols for IoT

  • Specific Security Standards and Guidelines

Today’s Standard Is No Standard

IoT can be complex and quite broad in what it attempts to address and deliver. IoT can also look and feel very different between each implementation or use case. Yet consistently, for IoT to deliver on the promised business value through connecting things and leveraging produced data for business insight, it must enable devices, networks, and applications to seamlessly work and interoperate together to produce “smart” outcomes. It must also do this in a secure way. If we are unable to deliver on this promise, then we might as well revert back to proprietary or single-vendor solutions and give up on the potential value IoT brings. The question is, will this ever happen? And will we see a time when only a few open IoT standards exist to easily enable the implementation of solutions in a consistent, secure, and manageable way?

In 2015, a McKinsey and Company report concluded that incompatibility is the number one problem facing IoT growth. The authors argued that interoperability among IoT systems is critical. Of the total potential economic value IoT enables, interoperability is required for 40 percent on average and for nearly 60 percent in some settings. With the estimated value of IoT reaching between $4 trillion and $11 trillion in revenue by 2025, the opportunity is huge. McKinsey and Company concluded, “The true potential of the market will be determined by the ability of policymakers and businesses to drive technology and innovation that is interoperable, secure, protective of privacy and property rights, with established business models that better facilitate and enable data sharing.” Clearly, to realize the benefit and value IoT can create, interoperability and standards are a must. This includes standards for interoperability and for securing the IoT.

As outlined in Chapter 1, “Evolution of the Internet of Things (IoT),” IoT has existed for many years. Various forms of standardization now being leveraged for IoT also have existed for years. Remember, we are using IoT here as an umbrella term that also includes industrial IoT and market- or sector-specific initiatives. Clearly, there are differences in terms of use cases and requirements; however, from a technology perspective, there are also many similarities. Even before the term IoT was widely adopted, elements of IoT, such as standardized communication protocols, were being explored. Standards for IoT started to really grow around 2013, with several maturing enough through 2014 to offer limited certification programs. Some of these earlier standards have even started to come to fruition and deliver against use cases. We have also seen some early harmonization of standards efforts for IoT. One example is the Open Connectivity Foundation (OCF), formed when the AllSeen Alliance and the OCF came together under the OCF umbrella, with the aim of providing the interoperability element of an IoT solution at all levels, including silicon, software, platform, and finished goods. The OCF message is clear and accurate: Interoperability standards are the starting point, but standards must progress to include security as a foundation and must address requirements for consumers, business, and industry to deliver value.

The reality, though, is that this is a nice success story in a sea of disparity and competing standards. Despite industry analysts cautiously predicting that 2017 would be the year when standards started to really align, this was not the case. The only agreed-upon conclusion is that we are still a long way from a universal IoT standard—or even two or three IoT standards. Today’s perspective from both analysts and researchers is that this disparity is likely to continue over the next few years at the very least.

So why is alignment difficult? After all, IoT is now accepted as a phenomenon, and consumers, vendors, businesses, and industries want it to succeed and provide the value it promises. If only it were that simple. In practice, a wealth of considerations have an impact on the creation and shaping of standards for IoT:

  • There is still no single, agreed-upon definition of IoT. Without a universally accepted definition, how do you standardize for it?

  • Many different forces continue to shape the IoT landscape, and these forces themselves are evolving. These forces can be broadly grouped into market and social trends, business digitization and transformation, the evolving workforce, and next-generation mobility for people and devices.

  • As we discussed in Chapter 3, “IoT Security Fundamentals,” we need to standardize many different areas of IoT. An IoT system might contain communications, management, architecture, data normalization, services, security, hardware, applications, analytics, and so on. Even if one part were standardized, we might encounter interoperability issues with the other parts. Defining what and how things should be standardized is another challenge with no current answer.

  • Different verticals and industries often have their own requirements and perspectives, thus driving different standards based on their needs. This could mean differences such as IT and OT standards within the same organization, or specific industry vertical initiatives such as smart cities, digital manufacturing, or smart energy that have different regulations or guiding principles.

  • New use cases continue to arise, often driven by the advent of new technology. How can we constantly ensure that standards apply? Creating security by design is difficult if the use case is ahead of technology and security for that requirement. New use cases often leverage proprietary measures with the aim of them becoming standardized at some stage, but this usually results in limited security response capabilities (and even more standardization efforts).

  • New technologies and technology architectures are still being developed. If we consider advancements in areas such as NFV, SDN, cloud, fog, software-defined automation (SDA), and autonomic networking, and couple this with new technology areas such as deterministic networking, NB-IoT and LoRa in the RF space, and 5G, and then throw in aspects of Big Data, analytics, machine learning (ML), and AI, we can see that the potential arena is huge. The Gartner Hype Cycle for the Internet of Things (2016) in Figure 4-1 highlights this landscape and shows the emergence of IoT areas; all of these need to be secured and, if possible, standardized.

Figure 4-1 The Gartner Hype Cycle for the Internet of Things (2016)

  • Not all IoT solutions will be deployed in greenfield environments. In fact, a good percentage of environments exist today and are evolving. This means that legacy and proprietary technologies need to be integrated, further muddying the standardization opportunity.

  • IoT is more complex than either IT or OT on its own. This might seem obvious because a combination of IT and operational technologies and systems is often needed to deliver against a use case. However, IoT is often approached in the same way organizations address new technology as part of their core IT or OT business. By its very nature, IoT usually generates more data, is more geographically dispersed, contains new devices, involves new technologies, and produces a mixed IT/OT deployment environment.

  • IPv6 is an enabler for IoT. IoT6.eu believes that many arguments and features (including scalability, a solution to the NAT barrier problem, multi-stakeholder support, and features such as multicast, anycast, mobility support, autoconfiguration, and address scope) demonstrate that it will be a key communication enabler for IoT in the future. IPv6 also supports tiny operating systems, provides increased hardware support, and supplies new protocols focused on interoperability among different layers of the IoT stack.

  • Legislation and regulations are starting to arise. Early examples include NERC-CIP, for power utilities in North America, and ENISA, which focuses on delivering a governance framework to coordinate cybersecurity standardization within Europe.

  • A major challenge is that standards groups, alliances, and consortia often consist of large vendors who are unlikely to want to give up their market share. We are starting to see potential shifts here, with customers demanding interoperable efforts. One example is the Open Group Open Process Automation standard, driven by Exxon Mobil requirements for its next-generation processing environments.

  • The speed of standards development is usually slow. This contrasts with development within the communications industry, where technology moves at pace to address customer business needs. This pace can result in proprietary efforts because of business demand, not necessarily vendor choice.

  • Security itself is not a simple phenomenon. It must be addressed across the board and built in from the start, not added piecemeal. Security can often be a driver for change, but usually it is playing catch-up, trying to secure environments that lack interoperability.

As a result, we are still waiting for the IoT market to develop an approach that would allow for a fully end-to-end, consistent security strategy. We also need to realize that many standards, guidelines, and consortia have existed before IoT (technology has been around for some time) and must still adapt to IoT. These other standards should not necessarily be discarded; they have already shown value.

Looking at these challenges, IoT remains something of a puzzle. The use cases and business scenarios require interoperability and simplification of technology to work, with enabling technologies rationalized around robust and secure standards that also include legacy environments. However, these use cases and business scenarios are still evolving, with new endpoints and technologies being frequently introduced into a landscape without appropriate standardization. This makes the idea of standards an even more complex and challenging task. We will look at this more closely in this chapter as we explore the following topics:

  • How standards are defined

  • Why we need standards

  • An overview of the IoT standards landscape

  • Standards for NFV and SDN

  • Security standards for IoT and NFV/SDN

The aim of the chapter is not to detail or recommend standards and guidelines, but to raise awareness of what should be considered when planning to secure an IoT system. We also highlight some of the more robust standards and best practices today that can help.

