IoT Security Policy Platform

The Internet of Things (IoT) is changing virtually every aspect of our lives.

Connected devices can help us improve our personal health, run our businesses more efficiently, and drive economic development and growth worldwide. The opportunities are infinite, but so are the risks.

The IoT Security Policy Platform is a collaborative body of government agencies and global organizations working together to make security a pillar of our digital future.

Collaborating for a safer future online

IoT is constantly evolving, and so are the threats against it. The IoT Security Policy Platform believes collaboration is the best way to stay ahead of emerging risks online.

The Platform’s goal is to gather, coordinate and promote global best practices in IoT security to address key challenges to the ecosystem. By harmonizing global efforts to promote security among manufacturers, retailers, policymakers, regulators, and consumers trying to make good choices, we can take greater strides towards a safer connected future for all.

Stronger working together

Everyone can play a role in building a safer connected future. The IoT Security Policy Platform is made up of national government agencies and non-governmental organizations (NGOs) working in this space that draw on the strength and expertise of all stakeholders to develop solutions to protect both people and innovation online.

Platform members must meet one of two criteria:

  • Have already developed an IoT security framework
  • Are actively developing an IoT security framework through a multistakeholder process

Expert Advisors Group

There are many individuals engaged in IoT security who do not work directly for a government agency or non-governmental organization engaged on this topic, but are independent subject matter experts and leaders in IoT security. These individuals’ voices are important in global discussions, and the Expert Advisors Group was created to include their perspectives.

In the initial stages of this initiative, the Expert Advisors Group will be comprised of one individual from each participating member country. Additional Experts may be included at a later date. 

Next Steps

The Platform has clear goals and deliverables through the end of 2019. After that, they may choose to re-charter and continue their work, at their discretion.

Anyone interested in becoming a member of the IoT Security Policy Platform must be a representative of a government agency or global organization, meet the criteria of the Platform, and be approved by a majority of the existing members. 

Those interested in joining the Expert Advisors Group must meet one of two criteria and be approved by a majority of the existing members of the Platform: 

  1. Have expertise in relevant area(s) in the judgment of a majority of members; OR
  2. Be a designated subject matter expert from a trade organization or alliance representing connected-device manufacturers, service providers, or retailers, with a clear interest in contributing to the work of the Platform.

For more information, contact

Examples of collaborative approaches to IoT

Learn more about collaborative initiatives to build security into our connected future in countries like Canada, France, Senegal, and initiatives such as Dynamic Coalition and the IGF’s Best Practice Forum on IoT.

Members Testimonials

Why did you join this group and what do you hope to get out of it?

In order to address a global development driven by global industry, it is important that a common understanding of “global good practice” is developed amongst governments thus to ensure the emergence of a healthy ecosystem in which we can benefit best from the promises that come with connected technologies.

Maarten Botterman

This is a great forum to bring countries (and at times, important industry associations) from across the world together to understand what work they are undertaking on IoT security, to share evidence and work together to align our work and avoid fragmentation.

Ed Venmore-Rowland, DCMS

I participate in the group to share our experience in the field, and to take advantage of the experiences of others and to enrich research on IoT for the development and security of their uses in our countries.

Ndeye Fatou Coundoul, Senegal

Internet of Things is a huge ecosystem and, as the word Internet in the title implies, it comes full of widespread deployment and dependencies. Similarly to traditional Internet, where wider collaborations are much needed to ensure security, the IoT world would also greatly benefit from multi-disciplinary, worldwide collaborations. It is not something that can be solved by individual units; we rather need to work together across the board and across borders, because we cannot reach the full potential of IoT unless we see it as it is: something that is not compartmentalized, an actual Internet. When we talk about securing this ecosystem, since everything is connected, horizontal, cross-cutting efforts are needed. These can of course be complemented with sectorial specificities, e.g. consumer IoT, but at the end of the day, since all of it is connected, solutions across the board need to be sought after. It is for this reason that we jumped on board this opportunity to discuss with peers across the world, to understand better their needs, efforts and requirements and hopefully come up with a common set of principles/approaches on securing the IoT. Coming up with novel schemes and solutions might not even be needed, since there is already a multitude of existing frameworks, baselines and good practices out there; ENISA has also produced some.

Apostolos Malatras, ENISA

We appreciate the global reach of ISOC. The cybersecurity challenge is global and too many individual discussions around the world have led to fragmentation. We hope to see ISOC influencing security topics in a way that reduces this fragmentation. We also hope to help define the boundaries between privacy, security and safety.

Mike Bergman, CTA

Does your country/agency/organization/etc. have an IoT security/privacy framework in place?

USA: NIST Cybersecurity risk management framework (CSF) and a privacy framework is also under study.

Mike Bergman, CTA

is possibly the most comprehensive document produced internationally. Interactive ‘legend’ diagram or spreadsheets available. Code of Practice for Consumer IoT Security. Worked with ETSI to create TS 103 645.

Ed Venmore-Rowland, DCMS

No, we have not yet a formal setting, otherwise the agreement signed between the Ministry in charge of ICT and ISOC but discussions are underway.

Ndeye Fatou Coundoul, Senegal

The “security framework” I would bring in is the IGF DC IoT’s proposed way forward at global level, relating to the following “global good practice principle”: “Internet of Things Good Practice aims at developing IoT systems, products, and services taking ethical considerations into account from the outset, both in the development, deployment and use phases of the life cycle, thus to find an ethical, sustainable way ahead using IoT helping to create a free, secure and rights enabling based environment: a future we want, full with safe opportunities to embrace.”

For the full paper see here.

Maarten Botterman

ENISA, as the EU cybersecurity agency, has worked on IoT security for several years. In 2017, ENISA published the IoT Security Baseline which sets a baseline of security measures for IoT in a horizontal manner, i.e. agnostic to the application domain. The Baseline IoT Security study comes with a full mapping to more than 200 resources, namely each security measure is mapped against other works/publications that also make reference to such a measure. At the same time, ENISA has also produced work on sectorial aspects of IoT security, such as automotive, airports, hospitals, smart homes and intelligent public transport. The latest such work is that on Industrial IoT (IIoT or Industry 4.0), with relevant security measures proposed and also mapped against existing resources. Lastly, in January 2019 ENISA published an online, interactive IoT tool which synthesizes all our previous studies and presents the security measures and their mapping per application domain, but also as a baseline.

Apostolos Malatras, ENISA

What are your top two or three priority milestones for this group in 2019?

I would like to see the group productively comment or add to the debate on baseline security and defragmentation of security policies. I would like to see the group develop an understanding and a plan to deal with policy vs. technology, as privacy policy and cybersecurity keep getting mixed up. Even the NIST draft privacy framework has a couple of cybersecurity technology requirements. In our view, privacy is a policy topic. Once the policy is set, technology—typically in the cybersecurity realm—must enforce it.

Mike Bergman, CTA

Three urgent actions:

1. Extend the group to other countries and international organizations working in the field or that can support IoT research;

2. Organize training sessions in Africa on IoT with successful exchange of experiences;

3. Continue to raise awareness about the safety of IoT uses.

Ndeye Fatou Coundoul, Senegal

With respect to milestones, given that it is already the 10th of May, I think that realistically speaking we might need to tone down expectations. Some set of high-level guidance principles might be a good start, and a solid understanding amongst group members about the scope of the work of the group and its objectives. That for me is the first and foremost step, agreement on which will greatly foster all forthcoming initiatives.

Apostolos Malatras, ENISA

1. Lots of different areas of IoT, such as privacy, security, transparency, environment etc. The UK Government believes the platform’s focus should be on the security of IoT.

2. We propose that the platform should initially focus on agreeing what the minimum baseline security requirements (3 or 5 for example) should be for consumer IoT products.

3. In 2020, once we have published the above requirements, the platform will gain further credibility. We would then propose that the platform focuses on identifying and agreeing what the minimum baseline security requirements should be for IoT more broadly.

4. In terms of the set-up of the group, the UK is aware that some countries are nervous about joining the platform unless industry are involved. We propose that the group should decide on which industry bodies and civil society organisations are invited and the mechanism for selection should be discussed at the next call/meeting.

5. We feel it’s important that industry are involved in the discussions, but also think it would be beneficial to have occasional calls where only governments attend as we’re concerned that some government officials will not want to say things in the presence of industry and other stakeholders.

Ed Venmore-Rowland, DCMS