Join us at Black Hat USA 2024!

IoT Security Foundation (IoTSF) - Full Guide

If you’re someone who wants to keep your technology understanding up to date, IoT shouldn’t be an alien term for you. Short for the Internet of Things, IoT is strengthening its position at a rapid pace and is penetrating almost all the leading industries.

As per recent market studies, the world already uses 13.14 billion IoT devices and this number is going to touch the mark of 29.42 billion as we enter the year 2030.

When one technology is used at such an extensive scale, it’s unwise to think that it will go unmonitored. IoTSF is responsible for overseeing IoT adoption, upgrades, scope, and other related concerns.

In this expert-led guide, we will try to explain what IoTSF is and what importance it holds for IoT users.


What Is IoT?

There is no point in getting familiar with IoTSF if you don’t know what IoT is. IoT is among the most trending technologies these days. It refers to a set of closely tied technologies and devices designed to sustain a continual flow of data between devices. The data is gathered in real time and shared over the cloud.

The three key elements of IoT are smart devices, IoT apps, and the user interface. Here, an IoT device is a data-driven device such as a camera, TV, or smartwatch. To be part of the IoT domain, the device needs enough computing ability to collect real-time data, share its inputs, and communicate with peer devices.

An IoT application could be a single piece of software or a collection of services that gather data from linked IoT devices. The app is mainly driven by AI so that data is collected in real time and analyzed for critical decision-making.

The last component is the user interface, which is mostly a mobile app or a website. Through it, the end user is able to operate the IoT-enabled devices and gather data.

The History of IoT

  • Many think that IoT is an emerging concept. However, the reality is different. If we take a look at the IoT development timeline, we can see that it has existed since the 1980s. The very first instance of IoT can be traced back to a vending machine installed by Coca-Cola. It was deployed at Carnegie Mellon University and became the earliest ARPANET-linked device.
  • It was equipped to report the consumption of cold-drink cans and inventory-related details to the university.
  • In 1985, Peter T. Lewis was the first to use the term IoT, at the Congressional Black Caucus Foundation. He described IoT as the integration of people, key processes, and the relevant technology so that data transmission could be continual.
  • The next prominent step in the IoT domain occurred in 1991, when Mark Weiser published the paper ‘The Computer of the 21st Century’ and discussed ubiquitous computing at length. Later, academic venues such as PerCom and UbiComp also supported the early IoT vision.
  • Reza Raji (1994) explained IoT in detail in IEEE Spectrum. He described IoT as moving small packets of data in a way that can automate home appliances.
  • By 1997, the world had a better understanding of IoT as tech giants like Microsoft and NEST envisioned device-to-device communication. This concept was depicted as a component of the 6 Webs framework. This was the first time IoT was openly discussed.
  • Until 1999, IoT existed in a deconstructed manner. While many tried to envision it, no one had a clear idea of its actual significance. MIT computing expert Kevin Ashton was the first to frame the IoT concept in a structured way. He explained that the use of RFIDs is crucial to the existence of IoT, and that IoT is mainly useful for short-range mobile transceivers to improve communication between technology and people.
  • LG became the first organization to deploy IoT on a large scale. It launched an Internet refrigerator in 2000 and sold it at more than $20,000 per unit. The high price tag became the reason behind its downfall.
  • By 2004, IoT had become very well known and was mentioned frequently in books, posts, articles, and media.
  • Seeing the growing popularity of IoT, the first international IoT conference was held in Zurich in 2004. Four years later, Google launched IoT-based pacemakers and self-driving cars. Bitcoin was also in operation, and this currency used IoT technology.
  • In 2010, the Chinese government recognized IoT as a full-fledged technology. The launch of Amazon Echo in 2014 was the first move to support the establishment of the smart home. By 2017-2019, IoT’s penetration was so deep that its development became cheap and easy.
  • Presently, IoT is a mainstream technology used extensively in every walk of life. From smart homes to smart trackers, all are based on this technology.

What Is the IoT Security Foundation?

As the penetration of IoT becomes deeper, IoT security becomes a key issue. The higher the number of devices interlinked globally, the higher the risk. The first IoT malware attack was spotted in 2018, and since then there has been no stopping it: more and more IoT devices come under attack.

In 2020, nearly 50 billion IoT devices faced cyberattacks. With high-speed internet, malware spreads at a rapid pace, so a single piece of malware ends up infecting thousands of IoT devices if immediate action is not taken. This is why the world needed a well-constructed body to look after the growing cybercrime against IoT devices.

The IoT Security Foundation, or IoTSF, was the answer. It is a globally recognized organization responsible for improving IoT security. It aims to spread enough awareness about IoT security that related risks are kept under control, detected earlier, and cause less damage. It does this by spreading awareness, supporting best practices, and promoting adoption of the IoT Security Assurance Framework.

Its assistance applies to IoT hardware and software providers, network providers, professionals, users, security experts, and many other related entities. All of them can benefit hugely from the IoT security inputs provided by IoTSF.

The organization counts some of the biggest tech giants among its members, and they contribute to knowledge building. IoTSF is extensively engaged in publishing content that adds to the existing IoT security infrastructure.

The Main Goals Of The IoTSF

IoTSF aims to:

  • Build a sustainable IoT security framework that helps protect services and products
  • Promote the use of IoT security best practices
  • Make IoT clients and service providers aware of the importance of adopting the compliance framework
  • Establish well-coordinated assurance processes that align with the IoTSF compliance framework

History of IoTSF

This association came into being in 2015 when a group of IT veterans gathered at Bletchley Park and agreed that someone, or something, was needed to address the growing IoT security risks.

The participants in this discussion were mainly IT professionals with profound experience in self-driving cars, IT regulation, encryption, and data security policies. The discussion concluded that a well-established IoT security framework was needed. Their inputs were noted down and further polished, and IoTSF was officially launched on 23rd September 2015.

Key IoT Security Recommendations By IoTSF

As mentioned earlier, the prime goal of IoTSF is to strengthen the IoT security ecosystem. Hence, the organization suggests key IoT security recommendations that are explained next.

  • Robust management governance

As per the framework, each organization must have a dedicated professional to handle customer data privacy and product security. However, very few organizations understand this and have this role filled.

  • Solutions designed for security

The framework explains that the focus on security should be from the stage of development. Both the IoT hardware and software should be designed in a way that they are equipped enough to deal with cybersecurity threats.

  • Compatibility with cryptography

If cryptography is used in an IoT solution, the industry’s best standards and procedures should be in place.

  • Give enough attention to network applications and frameworks

IoT security should go beyond application security. The framework suggests giving enough attention to the network-based apps, software, and interfaces.

  • Protect production and supply chain

IoT devices are not secure, despite robust security measures, if they pass through an unprotected supply chain or are developed in an unsecured production ecosystem. Hence, both these fronts must be secured with IoTSF best practices so that IoT devices remain secured from production to delivery.

  • Great customer-side safety and security

IoT service providers should make sure that the solution is entirely safe and easy to use for the customers. There should be regular updates and security patches offered.


Impact of IoTSF  

The rapid adoption of IoT accelerated the risks involved with this technology. The lack of any universal IoT security guidelines or standards gave cybercriminals more chances to exploit it. IoTSF tries to reduce this risk by various means, such as:

  • Education

The key reason behind the higher percentage of successful IoT attacks is that people are not fully aware of the attack surfaces and entry points. The more ignorant IoT users are, the easier it is to conduct an IoT attack. IoTSF tries to get rid of this lack of awareness and education about IoT security by creating enough resources like guides, posts, manuals, and so on.

Both the IoT users and the service providers can refer to these resources to get familiar with IoT security.

  • Working Group

Just as we have many kinds of IoT solutions, we have many IoT threats, and it’s important to prioritize them so that the most serious threats get immediate attention. This is why IoTSF has formed multiple working groups that aim to establish a remarkable Internet of Trust by disseminating more and more knowledge. Every working group has an executive board champion.

Supply chain, Compliance Framework, Assurance, Best Practices, and Smart Building are some of the key working groups of IoTSF.  

  • Smart Building Development

Out of all the above-mentioned working groups, the work done by the Smart Building Development Working Group is the most viable because it aims to determine enterprise domain security guidelines. The organization invites supply chain partners from across the world to join this workgroup so that it’s easy to improve the supply chain for IoT.  

The group aims to produce standard supply chain IoT cybersecurity guidelines that cover IoT procurement, installation, operation, integration, and maintenance from the very core. Mainly, it concerns the IoT devices used in buildings, such as HVAC, audiovisual, building security, and building lighting systems.

IoTSF Resources For Sound IoT Security Practices

As IoT security is not something that one should take lightly, IoTSF offers adequate resources that one can refer to during the journey of sound IoT security.

  • IoT Security Assurance Framework: This is a carefully-curated document offering a list of recommended IoT security requirements that organizations can refer to during the evidence-gathering process. It talks about IoT’s security-specific best practices and the need for following them at length.
  • The Assurance Questionnaire: It is an extensive assessment and audit resource to use along with the framework. With this, it’s easy to determine the security objectives of an organization. When objectives are clear, an organization can easily gather the required evidence and resources. Hence, the questionnaire helps an organization at a great length. IoTSF members don’t have to pay any fee to use this questionnaire.
  • Extra Best Practice Guidelines: One can have hassle-free access to a wide range of blogs, posts, guides, publications, and other documents that discuss IoTSF in detail. These published resources contain up-to-date data and insights that deliver the desired results, provided you implement them correctly. One can access these guides from the official IoTSF website.

What Is IoT Security Assurance Framework?

Offered by IoTSF, IoT Security Assurance Framework is a precisely designed document that instructs IoT users to ensure improved IoT security by using a detailed evidence collection and questioning process. The framework is here to ensure that adequate and viable IoT security measures are in place wherever IoT is used.

Earlier, it was known as IoT Security Compliance Framework. But, since the launch of the 3.0 version in November 2021, it’s now known as IoT Security Assurance Framework. The updated version has more details about IoT risks and provides an overview of how leading public and private entities are handling IoT security.

The inputs and suggestions of the framework, when implemented correctly, are capable of delivering viable IoT security solutions in all sorts of organizations. The key focus of the framework remains to generate checklists and collect relevant evidence.

It features some of the best IoT security practices, designed by IoTSF members, and is globally accepted. As for its audience, IoTSF recommends using the framework in any sort of organization as a pre-compliance tool whenever self-assessment or third-party IoT security auditing is taking place. One can also use it during the procurement of IoT devices and technologies to make sure that the security requirements of a specific organization are clearly conveyed to the vendor.

The most closely linked stakeholders for this framework are:

  • Managers handling service delivery of IoT services, technology, and products. By providing a detailed overview of best IoT security practices, this framework guides project managers, executives, and other higher authorities about IoT security.
  • Developers and Engineers as the framework can guide these professionals about the developmental loopholes that can later give rise to a cybersecurity attack.
  • Logistics and Manufacturing Staff because they can refer to this framework in day-to-day workflow and make sure that best security practices are in place.
  • Supply Chain Managers can use the framework to direct IoT security audits and identify gaps.
  • Any trusted third parties should also use this framework when they are carrying out an audit for IoT service providers.

As far as the functionality of this framework is concerned, the assurance process is divided into three sections.

  • Risk analysis

Every IoT device should be analyzed extensively for the presence of cybersecurity risks in its relative ecosystem. The detailed risk analysis is crucial for determining the assurance class of the concerned IoT device/application.

As one performs risk analysis, generating risk registers and identifying the CIA triad security objectives (confidentiality, integrity, and availability) are important. We understand that the risk analysis format recommended by this framework is not the best. But because it is simple, most organizations are capable of performing it.

  • Assurance class

Once risk analysis is successfully complete, the framework instructs IoT authorities to decide on the assurance class. According to this framework, there are five assurance classes.


Assurance Class   Confidentiality   Integrity   Availability
Class 0           Basic             Basic       Basic
Class 1           Basic             Medium      Medium
Class 2           Medium            Medium      High
Class 3           High              Medium      High
Class 4           High              High        High

You need to understand that assurance classes should be based on the security objectives of the concerned device and should be determined within a fully documented product ecosystem. Each class sets a target level for each of the three security objectives: confidentiality, integrity, and availability.

  • Using the Assurance Questionnaire

At last, you must respond to every question that the assurance questionnaire puts forward. This questionnaire is only available for IoTSF members and is important to judge the IoT security processes of an organization. 

The questionnaire mainly involves identifying the areas where a dire need for IoT security exists. Later, it involves evidence collection. The last stage involves the release of adequate security requirements. The questionnaire is highly optimized and can revolve around a specific product/service.
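To make the three-step assurance process concrete, here is a small worked example added to this guide (it is not IoTSF's own tooling or code). A constructed risk register for a smart-building HVAC controller is collapsed into per-objective CIA levels, and the lowest assurance class whose targets meet or exceed every objective is selected from the table above. The register format, the sample entries, and the "lowest satisfying class" selection rule are this example's own assumptions; the framework itself leaves the final class decision to the documented risk analysis.

```python
"""Selecting an IoTSF assurance class from risk-analysis output.

Worked example added to this guide, not IoTSF's own code. The levels per
class follow the assurance-class table in the text; the risk register
format and the selection rule (lowest class whose targets meet or exceed
every objective) are assumptions made for this example.
"""
from dataclasses import dataclass

# Ordering of the security-objective levels used in the framework table.
LEVELS = {"Basic": 0, "Medium": 1, "High": 2}

# Assurance classes from the table: (confidentiality, integrity, availability).
ASSURANCE_CLASSES = {
    0: ("Basic", "Basic", "Basic"),
    1: ("Basic", "Medium", "Medium"),
    2: ("Medium", "Medium", "High"),
    3: ("High", "Medium", "High"),
    4: ("High", "High", "High"),
}

OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class RiskEntry:
    """One row of a risk register (assumed format): which CIA objective a
    risk threatens, and the protection level the analysis says it needs."""
    asset: str
    threat: str
    objective: str   # "confidentiality", "integrity" or "availability"
    required: str    # "Basic", "Medium" or "High"


def derive_objectives(register):
    """Collapse a risk register into the highest required level per objective.
    Objectives with no entry default to Basic."""
    result = {name: "Basic" for name in OBJECTIVES}
    for entry in register:
        if entry.objective not in result:
            raise ValueError(f"unknown objective {entry.objective!r}")
        if entry.required not in LEVELS:
            raise ValueError(f"unknown level {entry.required!r}")
        if LEVELS[entry.required] > LEVELS[result[entry.objective]]:
            result[entry.objective] = entry.required
    return result


def select_assurance_class(objectives):
    """Return the lowest class whose C/I/A targets all meet or exceed the
    derived objectives. Class 4 is High/High/High, so a match always exists,
    but the chosen class may over-provision one objective: High confidentiality
    with Basic integrity and availability still lands on class 3."""
    needed = tuple(LEVELS[objectives[name]] for name in OBJECTIVES)
    for cls in sorted(ASSURANCE_CLASSES):
        offered = tuple(LEVELS[level] for level in ASSURANCE_CLASSES[cls])
        if all(o >= n for o, n in zip(offered, needed)):
            return cls
    raise RuntimeError("no assurance class satisfies the objectives")


# Constructed sample register for a smart-building HVAC controller.
SAMPLE_REGISTER = [
    RiskEntry("HVAC controller", "tampered setpoints damage equipment", "integrity", "Medium"),
    RiskEntry("HVAC controller", "loss of control during a heatwave", "availability", "High"),
    RiskEntry("occupancy sensor", "occupancy data reveals presence patterns", "confidentiality", "Medium"),
]

if __name__ == "__main__":
    objs = derive_objectives(SAMPLE_REGISTER)
    print(objs, "-> Class", select_assurance_class(objs))
```

The sample register resolves to Medium confidentiality, Medium integrity and High availability, which is exactly class 2. The over-provisioning case is worth noting for procurement: a device that only needs High integrity is pushed to class 4, because no lower class offers it, and the questionnaire evidence then has to cover the stronger confidentiality and availability targets as well.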

Final Say

Considering the wonders IoT is doing for the world, we have no qualms in admitting that IoT is the future. However, one can only use this technology without risks and hassles if IoT security is improved and risks are kept at bay.

IoTSF is a globally recognized organization that is empowering IoT security at every level. As this guide explained, IoTSF is:

  • Spreading IoT security awareness
  • Offering ample reference and study material related to IoT security
  • Working to provide a standardized security assurance framework
  • Helping make IoT security strong from the design stage

This is more a collaboration of the most enthusiastic IoT security professionals than a formal organization, and it is doing its best to make IoT users aware of IoT security. If you’re an IoT user or service provider, signing up for membership will certainly pay off, as you will be able to learn about trending IoT security facts and figures.

February 26, 2024