Skip to main content

Minimum Security Standards: Internet of Things (IoT) Devices

Minimum Security Standards: Internet of Things (IoT) Devices

An IoT device is defined by having an embedded operating system that does not support the installation of security agents such as antivirus and does not lend itself to frequent software updates. This includes devices such as printers, security cameras, smart speakers, smart lights, industrial controls, smart TVs, video streaming devices, personal network attached storage devices, VOIP phones, conference room systems, and digital signage. These standards apply to all such devices that are connected to a Stanford network or used in support of Stanford services.

Exclusions:

  1. Network infrastructure components such as switches, routers, and WiFi access points. 
  2. Devices used entirely for personal use on Stanford residential networks (e.g., ResNet, Stanford West)
  3. Devices being developed for research purposes
    • Low Risk research systems must follow RPH 1.10 (Information Security)

Low Risk

Devices or systems that would not have an adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.

Examples might include:

  1. Devices without an IP network-accessible interface
  2. Smart devices used solely for personal entertainment purposes
  3. Networked washers and dryers
  4. Package delivery lockers

Moderate Risk

Systems that could have a mildly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.

Examples might include:

  1. Security cameras
  2. Conference room systems
  3. Printers*
  4. Building control systems without immediate critical impact
    • Chilled water systems
    • Lighting systems
    • HVAC systems
    • Irrigation systems

*Actual printer risk classification may be higher or lower depending on highest risk classification of output and implementation, i.e. location, connection method, user population.

High Risk

Systems that could have a significantly adverse impact on the mission, safety, finances, or reputation of the university should there be a loss of confidentiality, integrity, or availability.

Examples might include:

  1. Systems related to safety and critical infrastructure
    • Power generation or distribution systems
    • Life safety
    • Fire alarm/detection systems
    • Gas alarm/detection systems
    • Biosafety alarm/detection systems
    • Physical security systems (electronic door locks)
    • Medical devices
  2. Devices subject to regulatory obligations
    • Point of Sale Devices
    • Vending Machines
StandardsRecurring TaskWhat to doLow RiskModerate RiskHigh Risk
InventoryRecurring TaskMaintain an inventory of devices and associated risk classifications. All devices must be individually registered in NetDB.  Review and update records quarterly.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Network Isolation Under developmentRequired for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Credentials and Access ControlRecurring TaskChange passwords from the default.  Password length should be 15+ characters (if supported).Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Vulnerability ManagementRecurring TaskPerform a monthly internal Qualys scan of the device.  Mitigate any identified severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
PatchingRecurring TaskIf any of the above are not fully implemented, then apply high severity security patches (including firmware updates) within seven days of publish and all other security patches within 90 days.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Centralized Logging Forward logs to a remote log server (if supported). University IT Splunk service is recommended. Required for Moderate Risk DataRequired for High Risk Data
Security, Privacy, and Legal Review Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.  Required for High Risk Data
Regulatory Compliance Obligations Implement PCI DSS, HIPAA, export controls, or other regulatory compliance requirements as applicable.  Required for High Risk Data