The adoption of Internet of Things (IoT) services is rapidly growing. IoT services can provide significant advantages to consumers, enterprises, and government institutions. As IoT services are designed and delivered, it is important to take full account of the security considerations, both to protect the IoT service itself and to prevent IoT equipment from becoming a source of attacks against other service users.
In some cases, the network operator’s role in delivering IoT services is simply to provide connectivity and there is no direct technical or business partnering between the operator and the IoT service provider. In other cases, the network operator may take a more active role where the IoT service includes technical and business aspects under the control of the network operator. In this report, several different scenarios are introduced that characterize different relationships and levels of partnering that may exist between a network operator and an IoT service provider. In these scenarios, shared responsibility for securing the service may exist and consequences of security failures may be felt by both the network operator and the IoT service provider. The security implications of the various scenarios are discussed and practices that can be used to proactively address security in these scenarios are provided.
No part of this document should be taken as normative. Its purpose is to document practices that may be helpful to the development of good solution security. As each situation is different, the parties involved need to choose a security approach appropriate to their service, priorities, and circumstances.