CTIA Cybersecurity Certification Test Plan for IoT Devices

CTIA Cybersecurity Certification Test Plan for IoT Devices

Description (Purpose)

OWASP IoT Top 10 Mappping

1 Terms of Service and Privacy Policies Test

Device Terms of Service and privacy policy are readily available. The Terms of Service cover “end of life” for the device.

I6 Insufficient Privacy Protection

2 Password Management Test

Device supports local password management.

I1 Weak, Guessable, or Hardcoded Passwords I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings

3 Authentication Tests.

Device supports user authentication.

I3 Insecure Ecosystem Interfaces

4 Access Controls

Device enforces role-based access control.

I1 Weak, Guessable, or Hardcoded Passwords

5 Patch Management

Device supports automatic and manual installation of patches from an authorized source.

I4 Lack of Secure Update Mechanism I5 Use of Insecure or Outdated Components

6 Software Upgrades

Device supports manual installation software upgrades from an authorized source.

I4 Lack of Secure Update Mechanism I5 Use of Insecure or Outdated Components

7 Audit Log

Device supports the gathering audit log events and reporting them to an EMS using IPsec, SSH, TLS, or DTLS for encryption and integrity protection.

I8 Lack of Device Management

8 Encryption of Data in Transit

Device supports encrypted communications using IPsec, SSH, TLS or DTLS.

I7 Insecure Data Transfer and Storage

9 Multi-Factor Authentication

Device supports multiple authentication factors.

N/A

10 Remote Deactivation

Device can be remotely deactivated by the EMS.

N/A

11 Secure Boot

Device supports a secure boot process to protect its hardware (e.g., UEFI).

I9 Insecure Default Settings

12 Threat Monitoring

Device supports logging of anomalous or malicious activity based on configured polices and rules.

I8 Lack of Device Management

13 IoT Device Identity

Device provides an IoT Device Type and a globally unique IoT Device Identity.

I8 Lack of Device Management

14 Digital Signature Generation and Validation

Device supports generation and validation of digital signatures

I7 Insecure Data Transfer and Storage

15 Encryption of Data at Rest

Device supports an effective mechanism for encrypting data stored on the device.

I7 Insecure Data Transfer and Storage

16 Tamper Evidence

Device has the ability to alert a monitoring system when it is physically opened.

I10 Lack of Physical Hardening

17 Design-In Features

Device includes features to fail secure, provide boundary security, and ensure function isolation.

I2 Insecure Network Services I3 Insecure Ecosystem Interfaces I9 Insecure Default Settings