Contents

Acknowledgments .............................................................................................................................................2
Introduction........................................................................................................................................................3
Definition of Internet of Things ..........................................................................................................................3
Methodology ......................................................................................................................................................5
Scope ................................................................................................................................................................5
Terminology.......................................................................................................................................................5
Applicabiliy Overview ........................................................................................................................................6
CIS Controls 1–20 (Version 7): Internet of Things Security ........................................................................ 7-63
Acronyms and Abbreviations...........................................................................................................................64
Links and Resources .......................................................................................................................................66
Closing Notes ..................................................................................................................................................67

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International
Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls ® content, you are authorized to copy
and redistribute the content as a framework for use by you, within your organization and outside of your
organization for noncommercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link
to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not
distribute the modified materials. Users of the CIS Controls framework are also required to refer to
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are
employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of
CIS® (Center for Internet Security, Inc.®).

Acknowledgments
CIS® (Center for Internet Security, Inc.®) would like to thank the many security experts who volunteer their time
and talent to support the CIS Controls and other CIS work. CIS products represent the effort of a veritable army
of volunteers from across the industry, generously giving their time and talent in the name of a more secure
online experience for everyone.

Editors:

Mary C. Yang, MITRE

Joshua M. Franklin, CIS

Contributors:

Vytautas Kuliesius, NRD Cyber Security

Staffan Huslid, Knowit Secure
Tony Krzyzewski, SAM for Compliance Ltd.
Karen Scarfone, Scarfone Cybersecurity
Emilio Grande-Garcia
Joseph M. DiPipi, Zoetis
Stephanie Domas, MedSec
Brian Russell, Cloud Security Alliance
Robin Regnier, CIS
Philippe Langlois, CIS

2
Introduction
The CIS Controls are a prioritized set of actions that collectively form a defense-in-depth
approach and best practices that mitigate the most common attacks against systems and
networks. The CIS Controls are developed by a community of information technology (IT) experts
who apply their first-hand experience as cyber defenders to create these globally accepted
security best practices. The experts who develop the CIS Controls come from a wide range of
sectors, including retail, manufacturing, healthcare, transport, education, government, defense,
and others. While the CIS Controls address the general practices that most organizations should
take to secure their systems, some operational environments may present unique requirements
not addressed by the CIS Controls.

The purpose of the CIS Controls Internet of Things Community is to develop best practices and
guidance for implementing the CIS Controls in association with a variety of devices within the
Internet of Things (IoT). Enterprise use of IoT presents unique and complex challenges for
security professionals. IoT devices are being embedded into the enterprise across the globe and
often cannot be secured via standard enterprise security methods, such as running a monitoring
application on the device, as the devices can’t support these types of applications. Yet for ease of
use, enterprise IoT devices are often connected to the same networks that employees use day in
and day out and are often directly connected to the internet via a variety of network protocols
(e.g., Ethernet, Bluetooth, wireless fidelity [WiFi], cellular).

Definition of Internet of Things

There is no universally agreeable definition for IoT. The variety of perspectives from industry,
academia, governments, and others across the world have led to different definitions, each
focused on the needs of their sector, business, or area of interest. Each definition has relevant
strengths and weaknesses, and they do not act to invalidate each other. Instead these definitions
work within their desired context, and others may choose to use and apply them as they see fit for
the systems that will be procured and implemented.
• In The Internet of Things: An Overview, a 2015 report from The Internet Society, IoT is
defined as: “…scenarios where network connectivity and computing capability extends to
objects, sensors, and everyday items not normally considered computers, allowing these
devices to generate, exchange, and consume data with minimal human intervention.”
• A 2015 report from the Institute of Electrical and Electronics Engineers Incorporated
(IEEE) titled Towards a Definition of the Internet of Things, defines IoT as “A network of
items — each embedded with sensors — which are connected to the Internet.”
• IoT has been defined within a recommendation from the International Telecommunication
Union as “a global infrastructure for the information society, enabling advanced services
by interconnecting (physical and virtual) things based on existing and evolving
interoperable information and communication technologies.”
• Gartner's IT Glossary defines IoT as “the network of physical objects that contain
embedded technology to communicate and sense or interact with their internal states or
the external environment.”

3
Regardless of which definition an organization chooses to use, there are certain common
features:

• Communications – Whether this is via a local medium, such as radio frequency

identification (RFID), Bluetooth, WiFi, or via a wide area network (WAN) protocol, such as
cellular, IoT devices can communicate with other devices.
• Functionality – IoT devices have a core function as well as some additional functionality
but they do not do everything. Most IoT devices do one thing and do it well.
• Processing capability – IoT devices have sufficient processing capability to make their
own decisions and act on inputs received from outside sources, but not enough
intelligence to do complex tasks. For instance, they generally cannot run a rich operating
system designed for a traditional desktop or mobile device.

The lack of a consistent, agreed-upon definition is actually part of the challenge within the IoT
arena. IoT is a large, complex space and common issues include:

• Ubiquity – There are a large number of overall devices.

• Uniqueness – Devices are developed by different manufacturers with varying version
numbers.
• Ecosystem – Multiple vendors are involved in creating each device, including hardware,
firmware, and software.

Examples of IoT devices that might be included within an enterprise include smart speakers,
security cameras, door locks, window sensors, thermostats, headsets, watches, power strips, and
more—basically any device that may be integrated into a typical business IT environment.

4
Methodology
A consistent approach is needed for analyzing the CIS Controls in the context of IoT. For each of
the 20 CIS Controls, the following information is provided in this document:

• Applicability – This assesses the degree to which a CIS Control functions or pertains to
IoT.
• Challenges – These are unique issues that make implementing any of the relevant CIS
Controls, or Sub-Controls, for IoT devices difficult.
• Additional Discussion – This is a general area for any guidance that also needs to be
noted. For instance, relevant tools, products, or threat information that could be of use
can be found here.

Scope
The objective of this document is to have broad applicability across sectors. IoT affects all areas
of computing across multiple sectors, such as healthcare, aviation, public safety, and energy.
This has led to sector-specific IoT security guidance, but this document is purposefully sector-
agnostic. As such, this guide focuses on purchasing, deploying, and monitoring commercially
available IoT devices. This document does not provide guidance on how to design, develop, and
manufacture secure IoT devices, such as the secure system development process noted within
NIST Special Publication (SP) 800-160 Revision 1.

Terminology
As noted earlier, there are many definitions of IoT. Below are basic descriptions of IoT
components and terminology that we use throughout this document. Devices are the thing within
IoT and are the primary focus of this guide. Gateways are devices that multiple things connect to
in order to receive instructions, transfer data, etc. Multiple devices are often connected to a single
gateway, or a gateway may solely passively monitor IoT devices. A gateway has an internet
connection, whereas not all IoT devices will, and may only support local wireless protocols such
as RFID, WiFi, Bluetooth, and Zigbee. Gateways are one way to help reduce the attack surface of
legacy IoT devices that cannot be properly secured. Many consumer IoT devices are associated
with complex cloud platforms that can control the behavior of IoT devices and access and store
data.

5
 Applicability Overview
More than 60% of CIS Sub-Controls apply
Between 60% and 0% of CIS Sub-Controls apply
0% of CIS Sub-Controls apply

Control CIS Control Title Applicability

1 Inventory and Control of Hardware Assets

2 Inventory and Control of Software Assets

3 Continuous Vulnerability Management

4 Controlled Use of Administrative Privileges

Secure Configuration for Hardware and Software on Mobile Devices, Laptops,

5
Workstations and Servers

6 Maintenance, Monitoring and Analysis of Audit Logs

7 Email and Web Browser Protections

8 Malware Defenses

9 Limitation and Control of Network Ports, Protocols and Services

10 Data Recovery Capabilities

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

12 Boundary Defense

13 Data Protection

14 Controlled Access Based on the Need to Know

15 Wireless Access Control

16 Account Monitoring and Control

17 Implement a Security Awareness and Training Program

18 Application Software Security

19 Incident Response and Management

20 Penetration Tests and Red Team Exercises

6
CIS Control 1: Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only
authorized devices are given access, and unauthorized and unmanaged devices are found and
prevented from gaining access.

IoT Applicability
It is important to track which devices have access to the network and are accessing data and
organizational resources. IoT devices are no different and this Control is considered extremely
important. Traditional MAC (media access control) and IP (internet protocol) addresses can be
used for device identifiers. Unfortunately, not all IoT devices will have these identifiers present
(e.g., MAC address, IP address). For instance, while Zigbee devices support physical layer MAC
address, they use a Zigbee network address in lieu of an IP address. Very simple sensors and
devices used for location tracking may only beacon identifiers for RFID. When using devices that
do not support network-based authentication, network segmentation can be considered as a
possible way to mitigate risk. Additional information on segmentation is available in CIS
Control 12 (Boundary Defense) and CIS Control 15 (Wireless Access Control).

IoT Challenges
Organizations must deploy technology that tracks the myriad of IoT devices that can be deployed
across their enterprise. Understanding which device types and, in some cases, which specific
device instances are authorized to connect to the network is the starting point to adapting this
Control for IoT. For devices without traditional identifiers, physical tags can be placed onto the
devices themselves that integrate with asset management systems. For IoT devices with an
externally accessible physical interface, cellular devices can be inserted into that interface with
cloud-based asset management systems.

Some IoT devices are designed to work in relative isolation and never connect to an enterprise
network. These devices still may be network-connected though, as they can communicate with a
back-end cloud platform that the enterprise neither controls nor manages. Wireless IoT gateways
can also be used to monitor wireless traffic from IoT devices, which can then be relayed to an
asset management system, either in the cloud or physically hosted at the enterprise. Another
challenge can be using digital certificates in IoT devices. Finally, global positioning system (GPS)
can also be an effective way to monitor the location of IoT devices distributed outside the
enterprise.

IoT Additional Discussion

Typical asset tracking tools may not work out of the box with IoT devices. Network scans for
legacy and nontraditional devices may be dangerous to device, network, and system stability,
potentially leaving IoT endpoints in an error state. Before purchasing devices and using them
within an organization, it is worthwhile to understand how a device will respond to an asset
discovery tool, and how well it will integrate with any asset management tools being utilized by an
enterprise. The conventional approach of using ping responses, transmission control protocol
synchronization (TCP SYN) or acknowledge (ACK) scans can disrupt communications, or, in
some cases, even impact device operations. Passive methods are preferred and are less likely to
impact system availability or to interact with vendor systems in a manner that could cause
warranty issues. Where practical, non-intrusive methods should be leveraged, including media

7
 access control-address resolution protocol (MAC-ARP) tables, domain name system (DNS),
active directory (AD), or a variety of IoT-specific tools employed to control and collect data in
these systems for the express purpose of locating the variety of connected assets.

Wireless monitoring may be necessary to identify devices as many IoT devices lack wire-line
physical connections. Many newer IoT devices support integration into IoT management systems
via application programming interfaces (APIs). At the very least, organizations can make a listing
of device MAC address, device type, serial number, and other relevant information. "Smarter" IoT
devices can utilize digital certificates to enhance identity and access management.

CIS Control 1: Inventory and Control of Hardware Assets Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Active discovery tools should be

implemented to identify IoT devices,
Utilize an active discovery tool to although some types of scans could
Utilize an Active identify devices connected to the leave devices in a nonfunctional state.
1.1 
Discovery Tool organization's network and update the The types of scans run against high-
hardware asset inventory. value or critical IoT assets should be
contemplated before they are run, with
the outcomes known beforehand.

Utilize a passive discovery tool to

A passive asset discovery tool may not
Use a Passive identify devices connected to the
identify all IoT devices but is a solid step
1.2 Asset Discovery organization's network and 
forward to understanding the devices on
Tool automatically update the organization's
the network.
hardware asset inventory.

Use Dynamic Host Configuration

This Sub-Control should be applicable to
Use DHCP Protocol (DHCP) logging on all DHCP
IoT devices using Internet Protocol
1.3 Logging to Update servers or IP address management 
Version 4 (IPv4) and Internet Protocol
Asset Inventory tools to update the organization's
Version 6 (IPv6).
hardware asset inventory.

8
 CIS Control 1: Inventory and Control of Hardware Assets Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an accurate and up-to-date

This Sub-Control helps to ensure that IoT
inventory of all technology assets with
devices that are never intended to be
Maintain Detailed the potential to store or process
1.4  connected to the enterprise network, or
Asset Inventory information. This inventory shall include
only connected to an internal network,
all assets, whether connected to the
are still properly tracked.
organization’s network or not.

This can present a variety of challenges

Ensure that the hardware asset
for IoT devices, as the hardware asset
inventory records the network address,
information can drastically change from
Maintain Asset hardware address, machine name, data
manufacturer to manufacturer. It can be
1.5 Inventory asset owner, and department for each 
difficult to standardize field formats as
Information asset and whether the hardware asset
well. Broadly, it is best to collect
has been approved to connect to the
whatever hardware asset information is
network.
available.

Ensure that unauthorized assets are

Address Unknown IoT devices connected to
either removed from the network,
1.6 Unauthorized  enterprise networks and systems should
quarantined, or the inventory is updated
Assets be quickly investigated and removed.
in a timely manner.

It is unlikely that this will be possible for

Utilize port level access control,
most IoT devices, but if the capability is
following 802.1x standards, to control
available, it should be enabled. Note that
which devices can authenticate to the
Deploy Port Level 802.1x does not work on many IoT
1.7 network. The authentication system 
Access Control devices that do not support supplicant
shall be tied into the hardware asset
software. Network-level authentication
inventory data to ensure only authorized
can cause reliability issues if not strictly
devices can connect to the network.
maintained.

It is unlikely that this will be possible for

Utilize Client
Use client certificates to authenticate many IoT devices, but if the capability to
Certificates to
1.8 hardware assets connecting to the  store and utilize certificates within an
Authenticate
organization's trusted network. authentication protocol is available, it
Hardware Assets
should be enabled.

9
CIS Control 2: Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software on the network so that only authorized
software is installed and can execute, and that all unauthorized and unmanaged software is found
and prevented from installation or execution.

IoT Applicability
Network scanning and agent-based approaches are typical methods for software asset
management. As mentioned in CIS Control 1, network scanning can leave many IoT devices in
an unsafe or unusable state. Agent-based approaches will be ineffectual for IoT devices as there
is a not a common platform for the agent to be built to and installed on. Manual and procedural
methods can be used for asset tracking, such as a spreadsheet.

IoT Challenges
Identifying the versions of software and firmware of IoT devices within the enterprise is a
challenge. It may be possible to leverage central command and control systems, which are aware
of device firmware versions. However, custom and restricted operating systems may limit remote
query capability. In general, IoT device software is not patchable, but is loaded onto the device as
a new complete image. To obtain the listing of software applications on an embedded device, it
may be necessary to work with the device developer/manufacturer. Manual sampling or firmware
extraction via on-board direct maintenance ports (e.g., joint test action group [JTAG]) using
proprietary software and hardware tools may be required.

IoT Additional Discussion

In some cases, firmware must be delivered over the network to IoT devices. In these situations,
utilize best practices for securing firmware images, which often includes applying digital
signatures that are evaluated by the device before loading. The user or the device may check the
signature. This may require a secured space within the device to store credentials used for
signature validation.

Tracking versions of Bluetooth and WiFi in devices can be quite difficult and may not be possible
using traditional scanning methods. Applications like Airodump-ng for WiFi devices and hcitool or
ubertooth-scan for Bluetooth devices will provide broadcast advertisements and MAC addresses.
Note that for Bluetooth devices, MAC addresses do not conform to typical conventions and are
oftentimes represented as the device WiFi MAC address incremented by 1 bit. The information
available from WiFi and Bluetooth advertisements will allow enterprises to identify which versions
of wireless protocols are supported.

Whitelisting is generally not available on IoT devices. Whitelisting can occur at the application
layer, or specific libraries or scripts can be whitelisted. A more common capability is for devices to
perform command whitelisting, which only specifies a subset of commands that a device would
accept. This will more likely be available with IoT vendors that engage within a security
engineering process over the lifecycle of the product.

10
 CIS Control 2: Inventory and Control of Software Assets Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an up-to-date list of all

Maintain Inventory At minimum, a listing of the software
authorized software that is required in
2.1 of Authorized  versions associated with the IoT device
the enterprise for any business purpose
Software can be noted.
on any business system.

Ensure that only software applications

or operating systems currently Enterprises should check the period of
Ensure Software supported and receiving vendor time for which a device will be supported
2.2 Is Supported by updates are added to the organization's  before purchase. Additional support may
Vendor authorized software inventory. be available for purchase, but this is
Unsupported software should be tagged uncommon.
as unsupported in the inventory system.

Utilize software inventory tools Not all IoT devices will be able to
Utilize Software throughout the organization to automate integrate or be inventoried by an
2.3 
Inventory Tools the documentation of all software on automated tool, but those that have this
business systems. capability should use it.

The software inventory system should

Tracking this level of detail may be
Track Software track the name, version, publisher, and
difficult, and some systems may only
2.4 Inventory install date for all software, including 
allow you to track real-time inventory
Information operating systems authorized by the
data, not historical information.
organization.

11
 CIS Control 2: Inventory and Control of Software Assets Applicability

Included?
Sub-
Control Title Control Description Justification
Control

The software inventory system should The lack of information available for
Integrate Software be tied into the hardware asset software and hardware assets will likely
2.5 and Hardware inventory so all devices and associated  prevent the combination of these two
Asset Inventories software are tracked from a single inventories from being particularly
location. helpful.

Address Ensure that unauthorized software is Enterprises are often unable to control
2.6 Unapproved either removed or the inventory is the software that is running on an IoT
Software updated in a timely manner. device..

Utilize application whitelisting

This capability is unavailable on most IoT
technology on all assets to ensure that
Utilize Application devices, many of which will lack the
2.7 only authorized software executes and
Whitelisting processing power or security architecture
all unauthorized software is blocked
to perform whitelisting.
from executing on assets.

The organization's application

Implement
whitelisting software must ensure that
Application Whitelisting individual libraries is typically
2.8 only authorized software libraries (such
Whitelisting of not available on IoT devices.
as *.dll, *.ocx, *.so, etc.) are allowed to
Libraries
load into a system process.

The organization's application

Implement
whitelisting software must ensure that
Application Whitelisting individual scripts is typically
2.9 only authorized, digitally signed scripts
Whitelisting of not available on IoT devices.
(such as *.ps1, *.py, macros, etc.) are
Scripts
allowed to run on a system.

IoT devices are generally embedded

Physically or logically segregated
Physically or devices, meaning that an enterprise will
systems should be used to isolate and
Logically not have the ability to identify what
2.10 run software that is required for
Segregate High applications are running on the IoT
business operations but incurs higher
Risk Applications device. Additionally, they will not be able
risk for the organization.
to isolate applications from one another.

12
CIS Control 3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify
vulnerabilities, remediate, and minimize the window of opportunity for attackers.

IoT Applicability
Vulnerability monitoring and management are applicable to IoT devices, but it is a much more
difficult challenge in this context than with traditional systems or even mobile devices. Just as with
other devices on a network, regularly scheduled vulnerability assessments should be conducted
to determine non-secure configurations that lead to elevated threats to the enterprise. These
security holes should be remediated quickly, and the processes used for remediation should be
fed back into the organization's best practices for secure IoT device deployment.

IoT Challenges
Active vulnerability assessments of IoT devices in an operational environment may be dangerous,
as they can lead to system instability or failure. Ideally, how the device will behave when scanned
will be known before it is scanned. As an alternative, passive vulnerability assessment can be
one way to get the vulnerabilities identified without the risk of harming the operational
environment. These assessments can be done manually or with automated tools sold by a third-
party vendor. Although many IoT devices will be deployed internally, and not directly exposed to
the internet, it may be a worthwhile exercise to routinely scan your organization using tools like
Shodan or Censys. These tools can detect externally exposed devices and help administrators
either remove or properly configure them.

IoT Additional Discussion

For the subset of IoT devices that receive security patches from their vendor, they should be kept
up-to-date. Outdated firmware and software often contain exploitable vulnerabilities that an
attacker could leverage to access enterprise data.

A laboratory test environment may be appropriate for regularly scheduled assessments against
new threats and new IoT software configurations. Collaborative threat laboratories (e.g.,
sponsored by an Information Sharing & Analysis Center [ISAC] or other industry body) and IoT
vendor laboratories may be the best venues for implementing this Control. As with other
hardware and software vulnerabilities, these new vulnerabilities should also be evaluated against
the organization’s risk appetite to determine when a particular device or device class can no
longer be supported on the network, or when it must be isolated in some fashion.

13
 CIS Control 3: Continuous Vulnerability Management Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Utilize an up-to-date Security Content

Vulnerability assessment tools can be
Automation Protocol (SCAP) compliant
utilized in an automated manner for IoT
vulnerability scanning tool to
Run Automated systems, although how a device will
automatically scan all systems on the
3.1 Vulnerability  respond should be known beforehand,
network on a weekly or more frequent
Scanning Tools especially if the system undergoing scan
basis to identify all potential
is critical to operations and needs to be
vulnerabilities on the organization's
available.
systems.

Accounts for these types of scans are

unavailable on typical consumer-grade
Perform authenticated vulnerability
Perform IoT devices. Authenticated accounts are
scanning with agents running locally on
Authenticated generally associated with managing
3.2 each system or with remote scanners
Vulnerability configurations and settings on the
that are configured with elevated rights
Scanning device. On-device vulnerability scanning
on the system being tested.
applications are not generally available
for IoT.

Use a dedicated account for

authenticated vulnerability scans, which Accounts used within vulnerability
Protect Dedicated
should not be used for any other scanning tools for IoT devices need to be
3.3 Assessment 
administrative activities and should be protected in a manner similar to other
Accounts
tied to specific machines at specific IP high-value administrative accounts.
addresses.

Many IoT devices cannot be updated via

Deploy Automated Deploy automated software update a centralized tool. If updates are
Operating System tools in order to ensure that the available at all, they generally need to be
3.4 Patch operating systems are running the most individually updated. It is often difficult to
Management recent security updates provided by the separate operating system level patches
Tools software vendor. from the application providing the
device's primary function.

14
 CIS Control 3: Continuous Vulnerability Management Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Many IoT devices cannot be updated via

Deploy automated software update a centralized tool. If updates are
Deploy Automated
tools in order to ensure that third-party available at all, they generally need to be
Software Patch
3.5 software on all systems is running the individually updated. It is often difficult to
Management
most recent security updates provided separate operating system level patches
Tools
by the software vendor. from the application providing the
device's primary function.

Regularly compare the results from Enterprises using IoT devices will benefit
Compare Back-to-
consecutive vulnerability scans to verify from checking current IoT vulnerabilities
3.6 Back Vulnerability 
that vulnerabilities have been within a network against historical data
Scans
remediated in a timely manner. and vulnerability trends.

Administrators and security professionals

will benefit from rating IoT device
vulnerabilities. The Common
Utilize a risk-rating process to prioritize
Utilize a Risk- Vulnerability Scoring System (CVSS)
3.7 the remediation of discovered 
Rating Process does not differentiate between system
vulnerabilities.
types and is applicable to IoT devices
and any management or administration
systems.

15
CIS Control 4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and
configuration of administrative privileges on computers, networks, and applications.

IoT Applicability
Very few IoT devices include administrative accounts for management of the system. In some
situations, especially with enterprise or consumer-grade IoT devices, control or pseudo-
administrative access can be obtained through management applications on mobile devices.

IoT Challenges
Ensure that when evaluating IoT components for use in the enterprise, you investigate the
controls associated with administrative accounts, to include the type of authentication supported –
which will most likely be passwords – and the strength of the authentication implementation. For
administrator accounts, attempt to ensure that, at a minimum, strong password requirements are
used, and account access is audited. In addition, when feasible, attach the IoT component to a
directory, allowing for the use of domain administrator accounts when needed. This will allow for
the ability to more easily restrict the use of administrative privileges.

Administrators should be extremely careful when first working with a completely unmanaged
device.

IoT Additional Discussion

Many IoT devices are deployed in insecure areas (e.g., roadside units, or RSUs, in the
transportation sector). These devices are sometimes deployed with shared accounts that are
used by technicians to manage the devices. Consider alternative methods for restricting
administrative access to devices. For legacy devices without privileged access capability, a
compensating control may be applied, such as additional physical security. Newly designed IoT
devices and subsystems should integrate use of this Control.

Attackers may attempt to obtain administrator rights via operating system (OS) or firmware level
vulnerabilities so they can hide themselves from the user. This entire CIS Control is difficult to
enforce on a rooted device that has its security architecture broken. Although this may provide a
user with root access, they often have default administrator credentials that do not frequently
change. Furthermore, if an administrator is able to change their password, it is recommended
they comply with the password requirements set forth by National Institute of Standards and
Technology (NIST) SP 800-63-3. This means that memorized secrets (i.e., passwords) chosen by
a subscriber (i.e., human) should be at least 8 characters long. To the extent practical in IoT,
multifactor authentication (MFA) should always be used.

16
CIS Control 4: Controlled Use of Administrative Privileges Applicability

Included?
Sub-
Control Title Control Description Justification
Control

If an IoT management system is

Use automated tools to inventory all
available, which is rare, an inventory of
Maintain Inventory administrative accounts, including
the account accessing that system
4.1 of Administrative domain and local accounts, to ensure
should be maintained. Local
Accounts that only authorized individuals have
administrative accounts are often not
elevated privileges.
available within IoT.

Before deploying any new asset,

All default passwords should be changed
Change Default change all default passwords to have
4.2  to prevent unauthorized access to the
Passwords values consistent with administrative
device.
level accounts.

Ensure that all users with administrative

account access use a dedicated or
Ensure the Use of Where possible, administrative accounts
secondary account for elevated
Dedicated or accounts controlling a device should
4.3 activities. This account should only be 
Administrative use unique accounts with dedicated
used for administrative activities and not
Accounts administrative passwords.
Internet browsing, email, or similar
activities.

Where multi-factor authentication is not

supported (such as local administrator, Administrative accounts for management
Use Unique
4.4 root, or service accounts), accounts will  applications should use unique
Passwords
use passwords that are unique to that passwords.
system.

Use Multi-Factor
Use multi-factor authentication and Two-factor authentication (2FA) is not
Authentication for
4.5 encrypted channels for all generally available when managing or
All Administrative
administrative account access. using an IoT device.
Access

17
CIS Control 4: Controlled Use of Administrative Privileges Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Ensure administrators use a dedicated

machine for all administrative tasks or
tasks requiring administrative access.
Use Dedicated
This machine will be segmented from This presents significant challenges as
Workstations for
4.6 the organization's primary network and many IoT management consoles are
All Administrative
not be allowed Internet access. This publicly accessible web applications.
Tasks
machine will not be used for reading
email, composing documents, or
browsing the Internet.

Limit access to scripting tools (such as

Microsoft® PowerShell and Python) to
Limit Access to IoT environments do not commonly offer
4.7 only administrative or development
Scripting Tools these types of capabilities.
users with the need to access those
capabilities.

Log and Alert on

Configure systems to issue a log entry
Changes to
and alert when an account is added to Group memberships generally do not
4.8 Administrative
or removed from any group assigned exist in IoT.
Group
administrative privileges.
Membership

Log and Alert on This may be an option within a

Configure systems to issue a log entry
Unsuccessful management console. Where possible, it
4.9 and alert on unsuccessful logins to an 
Administrative should be enabled to monitor breach
administrative account.
Account Login attempts.

18
CIS Control 5: Secure Configuration for Hardware and Software
on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track/report on/correct) the security configuration of
mobile devices, laptops, servers, and workstations using a rigorous configuration management
and change control process in order to prevent attackers from exploiting vulnerable services and
settings.

IoT Applicability
A majority of the time, resource constrained IoT devices lack the configuration and customization
options provided by laptops or even mobile devices. Yet some devices can still be hardened in a
limited fashion. This is true even of embedded IoT devices. A common example is changing
default passwords. End users should familiarize themselves with the developer's or
manufacturer's documentation for a device and also take advantage of other available resources
(e.g., academic papers, conference proceedings) to understand what configuration options are
available and whether a device can be sufficiently configured to meet your needs.

IoT Challenges
A device or application's configuration may drift over time, even if efforts are made to properly
configure the device before or during deployment. This could be due to software updates, factory
resets, or potentially even software errors. Some IoT device configurations, especially for
consumer or typical enterprise use, are solely available within a corresponding mobile application.
Users will need to first connect the device to the application before configuration is an option.
Although this can make device configuration, monitoring, and maintenance easier, it also
expands the overall attack surface of the device as now the mobile device (and mobile
application) must also remain secure. Undocumented APIs and backdoors may offer original
equipment manufacturers (OEMs) and potentially malicious parties access to the device, and
subsequently consumer or enterprise information. For instance, many IoT devices run a web
server with network troubleshooting tools installed (e.g., ping, nslookup) that can be used to
profile any internal or external network to which the IoT device is connected.

IoT Additional Discussion

IoT devices sold and marketed as “appliances” with integrated software generally contain
proprietary software components, limiting applicability of post-development hardening. When
configuration options are available, cybersecurity professionals should review and decide if any
particular configurations are untenable for your organization. Additionally, if a certain
configuration setting is required to assure the security of the component on the network, then that
should also be documented. Cybersecurity professionals should baseline these configurations
and keep them documented as best practices. This information can be helpful as requirements
when selecting future devices.

A subset of IoT devices support real-time operating systems (RTOSs) that allow for some amount
of persistent storage. Oftentimes, this persistence comes in the form of startup scripts that can be
modified to affect the configuration of the device at boot time. It is worthwhile to take the time to
research if these configurations are written in a secure manner. When IoT devices support
access control via user or administrator accounts and passwords, default accounts and
passwords should be changed, and sound password update and strength guidelines promoted. If
available, MFA should be used to protect administrator accounts.

19
 CIS Control 5: Secure Configuration for Hardware
and Software on Mobile Devices, Laptops, Workstations Applicability
and Servers

Included?
Sub-
Control Title Control Description Justification
Control

Secure configurations generally cannot

be established in the same manner as
Maintain documented security traditional operating systems or
Establish Secure configuration standards for all applications. With that said, there may be
5.1 
Configurations authorized operating systems and certain configuration options available
software. such as changing a default password or
ensuring MFA is used to access any
management functions.

Maintain secure images or templates for

all systems in the enterprise based on
the organization’s approved
Maintain Secure configuration standards. Any new
5.2 This is not possible for IoT devices.
Images system deployment or existing system
that becomes compromised should be
imaged using one of those images or
templates.

Store the master images and templates

Maintaining secure images is generally
on securely configured servers,
Securely Store unfeasible for IoT, and accordingly
5.3 validated with integrity monitoring tools,
Master Images images for IoT devices cannot be
to ensure that only authorized changes
securely stored.
to the images are possible.

Deploy system configuration

Deploy System A select few IoT gateways or
management tools that will
Configuration management platforms may be able to
5.4 automatically enforce and redeploy 
Management manage basic settings, but this is not
configuration settings to systems at
Tools commonly available.
regularly scheduled intervals.

Utilize a Security Content Automation

Implement Protocol (SCAP) compliant
Automated configuration monitoring system to
This feature is unavailable for IoT
5.5 Configuration verify all security configuration
management tools.
Monitoring elements, catalog approved exceptions,
Systems and alert when unauthorized changes
occur.

20
CIS Control 6: Maintenance, Monitoring and Analysis of Audit
Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover
from an attack.

IoT Applicability
Logs on IoT devices can take a variety of formats, and there are no uniform standards for how to
store and transfer data. Each OEM is free to create their own format, making integrations from
multiple vendors within the same network difficult. Furthermore, devices may not be configured to
log events; they may store logs locally on the device; or they may be sending them off to a local
gateway or cloud platform. Organizations should ensure that IoT devices create detailed logs and
many IoT devices have this capability. Additionally, a trusted method of extracting and parsing
audit logs from relevant components should be available. However, this may prove challenging in
some instances where OS and application logs are not enabled or available. To the degree
possible, the default stance should always be to attempt to collect these logs.

IoT Challenges
Having logs from IoT devices is one measure of success but means little to an organization’s
cybersecurity posture if they are not being reviewed on a regular basis. Another challenging area
related to IoT security is how to integrate large security data from large quantities of components
into an enterprise’s Security Information and Event Management (SIEM) system. The creation of
custom connectors should be investigated when IoT components do not provide standards-based
log output. Just as important is a focus on how to make sense of the IoT log data when combined
with standard network data captured by the SIEM. The establishment of rules that correlate this
diverse data effectively will be an interesting challenge moving forward. Cloud-based analysis
may be a potential solution to these challenges.

Additionally, many developers are worried about logging too often to flash memory, which can
potentially lead to excessive wear on the flash memory modules. This is an open problem, and
developers must attempt to strike their own balance based on customer need.

IoT Additional Discussion

Legacy IoT systems are designed for reliable operations and rapid recovery. Accordingly, some
of these systems include the ability to generate logs, which may be sufficient. Command and
control subsystems may use alternative, out-of-band logging of activities that should be
considered when assessing the need for a separate control.

21
 CIS Control 6: Maintenance, Monitoring
Applicability
and Analysis of Audit Logs

Included?
Sub-
Control Title Control Description Justification
Control

Use at least three synchronized time

Developers of IoT devices may be able
Utilize Three sources from which all servers and
to design individual applications to utilize
6.1 Synchronized network devices retrieve time
additional time sources, but this is an
Time Sources information on a regular basis so that
extremely uncommon feature.
timestamps in logs are consistent.

Ensure that local logging has been

Activate Audit Where possible, IoT devices should have
6.2 enabled on all systems and networking 
Logging audit logging enabled.
devices.

Enable system logging to include

detailed information such as an event The level of detail offered by a platform is
Enable Detailed
6.3 source, date, user, timestamp, source  generally set in stone pending major
Logging
addresses, destination addresses, and updates from the device manufacturer.
other useful elements.

This is particularly important for IoT

devices with constrained memory
storage. It is difficult to ascertain before a
Ensure that all systems that store logs purchase if a device contains sufficient
Ensure Adequate
6.4 have adequate storage space for the  local storage capacity for detailed event
Storage for Logs
logs generated. logs. If sufficient storage is not available,
old logs may be written over. Another
solution is to send the logs off-device to
a gateway or cloud platform.

Log management at scale can provide

Ensure that appropriate logs are being
useful information about the state and
Central Log aggregated to a central log
6.5  health of fielded devices. This
Management management system for analysis and
information should be stored and
review.
processed via a single resource.

22
 CIS Control 6: Maintenance, Monitoring
Applicability
and Analysis of Audit Logs

Included?
Sub-
Control Title Control Description Justification
Control

SIEMs can help to correlate security

Deploy Security Information and Event events occurring on IoT devices with
Deploy SIEM or
6.6 Management (SIEM) or log analytic  mobile, server, network appliances, or
Log Analytic Tools
tools for log correlation and analysis other events within the enterprise
network.

Logging is one thing, and reviewing them

is another. After an incident occurs, logs
can provide some of the most valuable
Regularly Review On a regular basis, review logs to
6.7  sources of information. SIEMs and other
Logs identify anomalies or abnormal events.
automated log analysis tools can also
help to identify small issues before they
become large problems.

On a regular basis, tune your SIEM

Regularly Tune Customizing rules and alerts to your
6.8 system to better identify actionable 
SIEM enterprise’s unique needs is important.
events and decrease event noise.

23
 CIS Control 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior
through their interaction with web browsers and email systems.

IoT Applicability
IoT devices generally do not use email or external web browser applications or interfaces,
although some stand-alone IoT management systems may leverage standard web browser
technologies for visualization and a common user experience. The majority of IoT devices will use
email and browsers in a "headless" fashion.

IoT Challenges
Some devices will run a web server in order to support Representational State Transfer (RESTful)
web services. It is uncommon to be able to apply hardening guidance (e.g., CIS Benchmarks) to
these devices.

IoT Additional Discussion

IT equipment that is used to transfer or bridge data between an IoT network and an IT corporate
or other non-IoT operational network may incorporate email or web browser functionality. These
applications should be protected according to best practice. In cases where web browser
technologies are incorporated in stand-alone IoT networks, a risk analysis should be performed to
address the need to update the applications when patches and new versions are released.

CIS Control 7: Email and Web Browser Protections Applicability

Included?

Sub-
Control Title Control Description Justification
Control

Ensure that only fully supported web

Ensure Use of Although browsers and email clients
browsers and email clients are allowed
Only Fully should be kept up-to-date, it is difficult to
to execute in the organization, ideally
7.1 Supported  do this for IoT devices. Enterprises
only using the latest version of the
Browsers and should attempt to verify that updates are
browsers and email clients provided by
Email Clients regularly applied to IoT devices.
the vendor.

Disable
Unnecessary or Uninstall or disable any unauthorized
Email client and browser plugins
7.2 Unauthorized browser or email client plugins or add-
generally do not exist for IoT devices.
Browser or Email on applications.
Client Plugins

Limit Use of
Scripting Ensure that only authorized scripting
Obtaining this level of granularity is often
7.3 Languages in languages are able to run in all web
not possible.
Web Browsers browsers and email clients.
and Email Clients

24
 CIS Control 7: Email and Web Browser Protections Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Enforce network-based URL filters that

Network-based proxies, firewalls, and
limit a system's ability to connect to
other proxies can be configured for IoT
Maintain and websites not approved by the
devices, or specifically support
7.4 Enforce Network- organization. This filtering shall be 
capabilities to filter IoT traffic. Content
Based URL Filters enforced for each of the organization's
blockers can be developed for certain
systems, whether they are physically at
applications.
an organization's facilities or not.

Subscribe to URL-categorization
services to ensure that they are up to
Subscribe to URL- In order for this mitigation to be put into
date with the most recent website
7.5 Categorization place, it would have to be done at the
category definitions available.
Service network level.
Uncategorized sites shall be blocked by
default.

Log all URL requests from each of the

organization's systems, whether on-site
In order for this mitigation to be put into
Log All URL or a mobile device, in order to identify
7.6 place, it would have to be done at the
Requests potentially malicious activity and assist
network level.
incident handlers with identifying
potentially compromised systems.

Use Domain Name System (DNS) In order for this mitigation to be put into
Use of DNS
7.7 filtering services to help block access to place, it would have to be done at the
Filtering Services
known malicious domains. network level.

To lower the chance of spoofed or

modified emails from valid domains,
implement Domain-based Message
Implement Although DMARC is an important Sub-
Authentication, Reporting and
DMARC and Control, there is little to be done
7.8 Conformance (DMARC) policy and
Enable Receiver- specifically on IoT devices to enable this
verification, starting by implementing
Side Verification mitigation.
the Sender Policy Framework (SPF)
and the Domain Keys Identified Mail
(DKIM) standards.

Block all email attachments entering the

Block
organization's email gateway if the file This is generally not possible with
7.9 Unnecessary File
types are unnecessary for the common IoT devices.
Types
organization's business.

Use sandboxing to analyze and block Email is typically used as an egress data
Sandbox All Email
7.10 inbound email attachments with transfer method and receiving email
Attachments
malicious behavior. attachments may not be possible.

25
CIS Control 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the
enterprise, while optimizing the use of automation to enable rapid updating of defense, data
gathering, and corrective action.

IoT Applicability
Malware most certainly affects IoT devices, as seen with recent, high-profile attacks utilizing
distributed denial of service (DDoS) and explored in greater detail in the paper DDoS in the IoT:
Mirai and Other Botnets. Both malware and exploits are now tailored to affect IoT devices and
platforms, which highlights the need for a robust strategy to defend against malware and
malicious code.

IoT Challenges
Given the limited processing ability and limited power capacity of many IoT components, host-
based malware protections may consume too many cycles and too much energy, necessitating
alternative protections. Using commercial, network-based malware detection systems (e.g., in-
line monitoring) may not be feasible due to latency requirements or the use of non-IP protocols,
but this is changing. IoT-specific network monitoring devices are beginning to be available for
both enterprises and consumers. Continuous monitoring at corporate or other gateways through
which IoT device information (updates and/or data) flows may be used to detect adversary
malware or to correlate observed activity with known, legitimate, and/or planned activity.

IoT Additional Discussion

Traditional anti-malware techniques are not feasible on IoT devices. At the very least, preventing
your IoT devices from being publicly exposed to and facing the internet will act as a barrier of
sorts.

A primary attack vector for malware against an IoT device is through maintenance action of a new
IoT device software load (also known as the software or firmware update process). Supply chain
risk management can help to address these risk factors. Additionally, periodic validation of IoT
device operation via alternative information channels (e.g., analog records, operational anomaly
detection through long-term analytics) may be possible but will require collection and long-term
storage of what is normally perishable data.

In certain industries where availability is the overriding concern (e.g., healthcare, energy), IoT
devices may be uniquely vulnerable to DDoS. Anti-malware tools and techniques should be
properly regression-tested to ensure that availability and reliability of the system will not be
adversely affected. Additionally, all anti-malware tools should be configured such that a false
positive detection will not negatively impact the availability or reliability of any critical processes.
Testing may need to occur whenever a change is made to the anti-malware software such as a
configuration change, software hotfix, or repository update. It is important to understand the
attack patterns used to affect IoT devices in your industry.

Another product category that can assist in defense against the threat of malware is threat
intelligence focused on IoT devices. These services review Tactics, Techniques, and Procedures
(TTPs) and provide a risk rating or threat score to analysts based on behavior and other factors.

26
 Finally, whitelisting of software can provide malware protection by preventing malicious code from
executing in the first place.

CIS Control 8: Malware Defenses Applicability

Included?
Sub-
Control Title Control Description Justification
Control

It can be difficult to find anti-malware

products that also integrate with
Utilize centrally managed anti-malware solutions already being used within an
Utilize Centrally
software to continuously monitor and enterprise. Regardless of whether the
8.1 Managed Anti- 
defend each of the organization's solution is centrally managed or not, a
Malware Software
workstations and servers. plan for dealing with malware, including
incident response, should be in place
prior to the introduction of IoT.

As with other solutions, the ways in

Ensure Anti- Ensure that the organization's anti- which malware behaves (e.g., initial
Malware Software malware software updates its scanning infection vectors) may change over time.
8.2 
and Signatures engine and signature database on a Updating centrally managed anti-
Are Updated regular basis. malware software will keep the defenses
up-to-date against new threats.

Enable anti-exploitation features such

These are either enabled by default on
as Data Execution Prevention (DEP)
Enable Operating the operating system or they are not.
and Address Space Layout
System Anti- Unfortunately, IoT devices typically do
Randomization (ASLR) that are
Exploitation not have these features enabled. If these
8.3 available in an operating system or
Features/ Deploy important anti-exploit technologies are
deploy appropriate toolkits that can be
Anti-Exploit necessary, verification of these features
configured to apply protection to a
Technologies in IoT devices should be conducted
broader set of applications and
before purchase and implementation.
executables.

Configure Anti- Configure devices so that they

IoT devices do not typically have
Malware Scanning automatically conduct an anti-malware
8.4 physical ports for removable devices and
of Removable scan of removable media when inserted
cannot perform scanning activities.
Media or connected.

27
 CIS Control 8: Malware Defenses Applicability

Included?
Sub-
Control Title Control Description Justification
Control

IoT devices typically do not have these

Configure Devices features enabled. If this is necessary,
Configure devices to not auto-run
8.5 to Not Auto-Run verification of these features in IoT
content from removable media.
Content devices should be conducted before
purchase and implementation.

Send all malware detection events to

Logs associated with IoT devices should
Centralize Anti- enterprise anti-malware administration
8.6  be collected and analyzed to the degree
Malware Logging tools and event log servers for analysis
possible.
and alerting.

If this capability exists within an

Enable Domain Name System (DNS) enterprise’s network, it should also work
Enable DNS
8.7 query logging to detect hostname for IoT devices with the necessary
Query Logging
lookups for known malicious domains. networking protocols without a change
from the enterprise.

Enable Enable command-line audit logging for Interacting with the device via a
8.8 Command-Line command shells, such as Microsoft® command line interface is often not
Audit Logging PowerShell and Bash. supported for IoT.

28
CIS Control 9: Limitation and Control of Network Ports,
Protocols and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on
networked devices in order to minimize windows of vulnerability available to attackers.

IoT Applicability
Most IoT devices communicate via specific ports and protocols just as other IT assets, though
some embedded devices and sensors are not fully network aware. Defining allowable ports,
protocols, and services that may be used by IoT devices must be performed and then enforced.
However, IoT devices may implement other communication protocols that do not ride over the
corporate network. As an example, IoT devices that implement Bluetooth could be used as a
jumping-off point for an attacker, and, once exploited, allow the attacker to move to a nearby
target that does not have Bluetooth locked down. It is important to fully understand the protocols
employed by each IoT device, which of those protocols are allowed within an enterprise, and then
design an overarching security strategy that mitigates the risk associated with these
implementations.

IoT Challenges
IoT network traffic is highly predictable and repetitious, in comparison with commodity enterprise
traffic. Commercial and/or industrial IoT traffic generally leverages a private network or specific
and unchanging ports, protocols, and services on a corporate network. IoT devices may be tested
to assess their susceptibility to messaging that does not conform to expectations; related risks
may be mitigated through application of this Control.

Vendors may require internet access to IoT devices or subsystems to support and verify licensing
or maintenance agreements, or to perform maintenance or support; such access should be
monitored and limited. Another challenge of securing IoT is related to employees, customers, or
others bringing consumer IoT devices into the enterprise. Research has shown that employees
often associate IoT software on their corporate assets (laptops or phones) with their personal IoT
devices (e.g., fitness trackers), or bring their personal IoT devices directly into the network (e.g.,
smart speaker or digital assistant). This opens up command and control channels between the
device’s installed software or hardware and internet sites used for data collection or
management. Organizations should monitor for personal IoT-related traffic and take actions to
deny that traffic when necessary.

IoT Additional Discussion

A related concept to this Control is the management of various network interfaces, such as WiFi,
Bluetooth, or Near Field Communications (NFC). These should be managed, as WiFi, Bluetooth,
and cellular beacons/advertisements may broadcast the presence of any IoT device to the
surrounding area. For example, specific mobile applications may be directly correlated to an open
port on Android. Accordingly, removing superfluous applications on any mobile OS is an attack
surface reduction approach. Additional attack surface reduction activities can likely be done in
high-risk scenarios, specifically for Android, but this is not a traditional approach. Interfaces
should be limited to only those required for the necessary purpose. Any management platforms
used for administering IoT devices should be treated as regular servers and scanned accordingly
alongside other enterprise systems.

29
 CIS Control 9: Limitation and Control of Network Ports,
Applicability
Protocols and Services

Included?
Sub-
Control Title Control Description Justification
Control

Although the ports that are listed may not

Associate Active be directly associated with services
Associate active ports, services, and
Ports, Services, running on a device, it is worthwhile to
9.1 protocols to the hardware assets in the 
and Protocols to understand which ports are considered
asset inventory.
Asset Inventory baseline for any enterprise devices and
monitor for changes.

Ensure Only This can be impractical for many

Ensure that only network ports,
Approved Ports, embedded IoT devices, but the usage of
protocols, and services listening on a
9.2 Protocols, and  IoT gateways can act to firewall or
system with validated business needs
Services Are segment IoT devices from the larger
are running on each system.
Running network and decrease overall exposure.

Perform automated port scans on a

Perform Regular Just as with traditional systems,
regular basis against all systems and
9.3 Automated Port  automated port and other types of
alert if unauthorized ports are detected
Scans network scans should be performed.
on a system.

Apply host-based firewalls or port-

Apply Host-Based filtering tools on end systems, with a The privileges to do such a thing are
9.4 Firewalls or Port- default-deny rule that drops all traffic generally not available on mobile
Filtering except those services and ports that are operating systems.
explicitly allowed.

Place application firewalls in front of any

Implement critical servers to verify and validate the
Host-based application firewalls are
9.5 Application traffic going to the server. Any
generally not available on IoT products.
Firewalls unauthorized traffic should be blocked
and logged.

30
CIS Control 10: Data Recovery Capabilities
The processes and tools used to properly back up critical information with a proven methodology
for timely recovery of it.

IoT Applicability
Many IoT devices may provide onboard storage for data and logs, though some IoT devices do
not. Devices that store data may transfer it to dedicated network storage locations for near-term
or permanent storage. This can be done periodically or in near real-time. When taking an
inventory of the types of IoT devices to be used within an enterprise, it is important to understand
whether data is at risk of being lost at any given point in the architecture and to devise a plan for
ensuring that data can be recovered in case of component failure.

IoT Challenges
Backing up IoT data can be very difficult as traditional backup strategies simply will not work. For
instance, even simple utilities such as rsync will not be available and are therefore not a valid
option. However, native backup capabilities may be present, and those should be understood
before purchase and be implemented accordingly. Native capabilities may automatically back up
to the cloud or a phone, and enterprises should understand this before implementation.

IoT Additional Discussion

When IoT message traffic is perishable and temporary, the value of data recovery is limited to
maintenance actions. Data recovery capabilities may be required for operational data at
consolidation and action points for compliance or maintenance purposes. Security engineers
should understand that some IoT devices maintain data until an online connection (e.g., via
Bluetooth, WiFi, etc.) is established with a gateway application. In these instances, sensitive data
may continue to be resident on the device and may require a recovery capability.

Organizations should verify and review backup settings from the device manufacturer, including
any associated service within the IoT ecosystem, to make sure the proper information is backed
up and that improper information is not backed up. Proper authentication mechanisms should be
in place to protect any enterprise cloud backup. IoT devices may also unintentionally back up
information to any desktop environment they are connected to, including gateways or mobile
devices. The creation of these backups should be prevented unless specifically authorized by the
enterprise.

31
 CIS Control 10: Data Recovery Capabilities Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Users should regularly back up

enterprise IoT data to approved backup
Ensure Regular Ensure that all system data is
locations. This includes backing up
10.1 Automated automatically backed up on a regular 
monitoring and administration-oriented
Backups basis.
data, such as logs that are stored on a
system separate from the IoT device.

Ensure that all of the organization's key

IoT devices generally lack the notion of a
systems are backed up as a complete
Perform Complete system image, and information is often
10.2 system, through processes such as
System Backups needed to be configured and backed up
imaging, to enable the quick recovery of
on a per-application basis.
an entire system.

Employees and administrators should

Test data integrity on backup media on regularly perform tests of restoring
Test Data on a regular basis by performing a data backed up data. An easy way of testing
10.3 
Backup Media restoration process to ensure that the this is going through the motions of
backup is properly working. provisioning a new phone or application
to a new device.

Some cloud-based services will do this

Ensure that backups are properly
automatically, but users and enterprises
protected via physical security or
need to check on the mitigations in place
encryption when they are stored, as
10.4 Protect Backups  before electing to use a service. Any
well as when they are moved across the
removable media for the device,
network. This includes remote backups
alongside desktop backups, also needs
and cloud services.
to be protected.

Ransomware and its related offshoots

Ensure All
Ensure that all backups have at least (e.g., destructive malware) typically
Backups Have at
one offline (i.e., not accessible via a perform malicious activities on the device
10.5 Least One Offline
network connection) backup itself. This includes preventing access to
Backup
destination. the device, yet it rarely affects third-party
Destination
cloud storage providers.

32
CIS Control 11: Secure Configuration for Network Devices, such
as Firewalls, Routers and Switches
Establish, implement, and actively manage (track/report on/correct) the security configuration of
network infrastructure devices using a rigorous configuration management and change control
process in order to prevent attackers from exploiting vulnerable services and settings.

IoT Applicability
This Control is not directly applicable to IoT devices but is relevant for the security of certain types
of IoT gateways (e.g., small office, home office [SoHo] routers used as IoT gateways) as well as
for the secure usage of general network devices. There is guidance on WiFi security, but it
applies to all computing devices and not necessarily IoT. When there is a plan to do a medium- to
large-scale deployment of IoT devices within an enterprise, take the opportunity to review the
configurations for firewalls, routers, and switches to ensure that additional vulnerabilities are not
introduced through misconfiguration. Additionally, take care to revisit the guidance provided within
CIS Control 9 (Limitation and Control of Network Ports, Protocols and Services).

IoT Challenges
Legacy IoT systems may favor proprietary byte-oriented protocols, but legacy systems that
migrate to TCP/IP (e.g., Modbus TCP) are often fragile and insecure. The absence of
commercially available network devices for legacy networks limits the value of this Control for
those networks.

IoT Additional Discussion

Newer IoT devices often use RESTful APIs that require supporting web services be implemented
securely. In addition, many IoT devices implement IPv6 communications and sometimes use
protocols such as IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) to support
the ability for constrained IoT devices to connect to the internet. The introduction of IPv6 opens a
whole new set of security considerations across network devices for operation in a secure
manner.

33
 CIS Control 11: Secure Configuration for Network Devices,
Applicability
such as Firewalls, Routers and Switches

Included?
Sub-
Control Title Control Description Justification
Control

Maintain Standard
Maintain documented security See the Applicability statement above.
Security
11.1 configuration standards for all authorized This Control is not directly applicable to
Configurations for
network devices. IoT.
Network Devices

All configuration rules that allow traffic to

flow through network devices should be
documented in a configuration
Document Traffic See the Applicability statement above.
management system with a specific
11.2 Configuration This Control is not directly applicable to
business reason for each rule, a specific
Rules IoT.
individual’s name responsible for that
business need, and an expected duration
of the need.

Use Automated
Compare all network device
Tools to Verify
configurations against approved security See the Applicability statement above.
Standard Device
11.3 configurations defined for each network This Control is not directly applicable to
Configurations
device in use, and alert when any IoT.
and Detect
deviations are discovered.
Changes

34
 CIS Control 11: Secure Configuration for Network
Applicability
Devices, such as Firewalls, Routers and Switches

Included?
Sub-
Control Title Control Description Justification
Control

Install the Latest

Stable Version of
Install the latest stable version of any See the Applicability statement above.
Any Security-
11.4 security-related updates on all network This Control is not directly applicable to
Related Updates
devices. IoT.
on All Network
Devices

Manage Network
Devices Using
Manage all network devices using multi- See the Applicability statement above.
Multi-Factor
11.5 factor authentication and encrypted This Control is not directly applicable to
Authentication
sessions. IoT.
and Encrypted
Sessions

Ensure network engineers use a

dedicated machine for all administrative
Use Dedicated tasks or tasks requiring elevated
Workstations for access. This machine shall be See the Applicability statement above.
11.6 All Network segmented from the organization's This Control is not directly applicable to
Administrative primary network and not be allowed IoT.
Tasks Internet access. This machine shall not
be used for reading email, composing
documents, or surfing the Internet.

Manage the network infrastructure

Manage Network across network connections that are
Infrastructure separated from the business use of that See the Applicability statement above.
11.7 Through a network, relying on separate VLANs or, This Control is not directly applicable to
Dedicated preferably, on entirely different physical IoT.
Network connectivity for management sessions
for network devices.

35
CIS Control 12: Boundary Defense
Detect/prevent/correct the flow of information transferring across networks of different trust levels
with a focus on security-damaging data.

IoT Applicability
This is a particularly important control for IoT devices, and strategies for traditional boundary
defense apply. Defenses and mitigations, such as network monitoring tools, email security,
intrusion detection system (IDS) and intrusion prevention system (IPS) alerts, logging of events
and alerts and virtual private network (VPN) concatenators, are all important and should be
utilized to the extent possible. These can be implemented in segmented networks where IoT
devices are utilized and routed instead of through the trusted enterprise network. Controlling the
flow of information within a network is important.

IoT Challenges
IoT devices are increasingly being used in stand-alone scenarios or connected to cloud-based
platforms. Full infrastructures dedicated to IoT may be needed that support capture, processing,
and analysis of data from IoT endpoints in the cloud. In addition, IoT devices may share and
collate information from many different organizations. For cloud-based systems that support IoT,
consider cloud security best practices, and move to a data-centric security approach to support
the sharing of IoT data across many different organizations. The CIS Controls™ Cloud
Companion Guide offers additional guidance for securing cloud environments.

As discussed in other Controls within this guide, the use of segregation strategies is
recommended to keep IoT components operating in their own zones or on their own separate
networks. In cases where there must be a connection point between an IoT segment and the
corporate network, boundary defense mechanisms must be put in place. Firewalls, IDS, and IPS
can provide assurance that a compromise of the less-trusted IoT network will have limited effect
on the more secure corporate network.

IoT Additional Discussion

In many instances, a decision will be made to place IoT devices outside of the trusted network
boundary. Even with the few devices utilizing data-in-transit encryption with vetted algorithms and
reasonable key sizes, certain types of traffic will be leaked. Examples of this type of information
may include diagnostic information about the device, OS traffic back and forth with the ecosystem
provider, and wireless traffic using WiFi, Bluetooth, and cellular networks. These types of
information leaks allow passively sniffing malicious actors to fingerprint the device. Some devices
may automatically attempt to access or connect to WiFi networks to which they have previously
been associated. Blacklisting certain service set identifiers (SSIDs) on devices, such as those
from major retailers and cafes, can help prevent an IoT device from accessing a rogue version of
that network and sending sensitive enterprise data over it. Many enterprises will use a
combination of network segmentation approaches for better vetted devices that provide critical
enterprise functions.

36
 CIS Control 12: Boundary Defense Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an
Maintain an up-to-date inventory of all Network boundaries with insecure,
Inventory of
12.1 of the organization's network  legacy, or untrusted devices should be
Network
boundaries. inventoried and monitored.
Boundaries

Scan for
Perform regular scans from outside
Unauthorized IoT devices may be making connections
each trusted network boundary to
Connections to networks not approved by the
12.2 detect any unauthorized connections 
Across Trusted enterprise. This could be due to
which are accessible across the
Network malware, misconfiguration, or by design.
boundary.
Boundaries

Deny communications with known

Deny
malicious or unused Internet IP This is generally impractical to implement
Communications
addresses and limit access only to on an IoT device. This is more generally
12.3 with Known
trusted and necessary IP address possible at the IoT gateway or network
Malicious IP
ranges at each of the organization's level.
Addresses
network boundaries.

Deny communication over unauthorized

Botnets and other malware distribution
Deny TCP or UDP ports or application traffic
nodes that are specific to IoT should be
Communication to ensure that only authorized protocols
administered at the organization level.
12.4 Over are allowed to cross the network
This Sub-Control is better and more
Unauthorized boundary in or out of the network at
easily enforced when IoT devices are
Ports each of the organization's network
taking advantage of an IoT gateway.
boundaries.

Configure
Configure monitoring systems to record Although this Sub-Control is quite useful,
Monitoring
network packets passing through the this is generally not an IoT-specific
12.5 Systems to
boundary at each of the organization's configuration, although some developer
Record Network
network boundaries. options may support this.
Packets

37
 CIS Control 12: Boundary Defense Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Enterprises can ensure that signatures

Deploy network-based Intrusion
and other information used by the IDS
Detection Systems (IDS) sensors to
Deploy Network- are IoT-specific, and that their IDS is “IoT
look for unusual attack mechanisms
12.6 Based IDS  aware.” This Sub-Control is better and
and detect compromise of these
Sensors more easily enforced when an IoT
systems at each of the organization's
gateway is in use or when devices route
network boundaries.
traffic through the enterprise.

Enterprises can ensure that any relevant

Deploy Network- Deploy network-based Intrusion
IPS is “IoT aware.” This Sub-Control is
Based Intrusion Prevention Systems (IPS) to block
12.7  better and more easily enforced when an
Prevention malicious network traffic at each of the
IoT gateway is in use or when devices
Systems organization's network boundaries.
route traffic through the enterprise.

Deploy NetFlow
Enable the collection of NetFlow and
Collection on This is a useful Sub-Control yet there is
12.8 logging data on all network boundary
Networking nothing specific to IoT within its scope.
devices.
Boundary Devices

Ensure that all network traffic to or from

Deploy Application the Internet passes through an
Although this Sub-Control is quite useful,
12.9 Layer Filtering authenticated application layer proxy
there is nothing specific to IoT about it.
Proxy Server that is configured to filter unauthorized
connections.

Decrypt all encrypted network traffic at

the boundary proxy prior to analyzing
This is most easily done when an IoT
Decrypt Network the content. However, the organization
12.10  gateway is in use or when devices route
Traffic at Proxy may use whitelists of allowed sites that
traffic through the enterprise.
can be accessed through the proxy
without decrypting the traffic.

Require All Require all remote login access to the VPN applications and their back-end
Remote Logins to organization's network to encrypt data components can integrate with external
12.11 
Use Multi-Factor in transit and use multi-factor authentication services and identity
Authentication authentication. providers.

Scan all enterprise devices remotely

Manage All logging into the organization's network Administrators should attempt to obtain
Devices Remotely prior to accessing the network to ensure some degree of control over the security
12.12 
Logging Into that each of the organization's security and configuration of any IoT devices
Internal Network policies has been enforced in the same accessing an internal network.
manner as local network devices.

38
CIS Control 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data,
and ensure the privacy and integrity of sensitive information.

IoT Applicability
Protecting the security of data being stored, transmitted, and manipulated on IoT devices can be
critical depending on use case or sector. Certain industries may not contain any sensitive data in
the traditional sense. In other instances, certain IoT devices will be dedicated to environments
that have an informal set of standards and norms, or their usage may be directly regulated (e.g.,
Payment Card Industry Data Security Standard [PCI DSS], Health Insurance Portability and
Accountability Act [HIPAA], General Data Protection Regulation [GDPR]). The level of data
protection needed is often specific to the use case at hand, depending on factors such as data
sensitivity and likelihood of exposure.

Some IoT devices will process and transmit complex enterprise or customer information in
modern formats, whereas other devices will read and transmit physical attributes such as
temperature or pressure. This latter information is sometimes not deemed to be especially
sensitive or proprietary on its own, though it may become more sensitive when coupled with other
data points, such as location. In some cases, these “simple” IoT use cases can be absent of any
particular protections in the way it is collected, transferred, stored, and analyzed.

IoT Challenges
Detecting and preventing the flow of data out of IoT devices is a difficult task, as is preventing
unauthorized disclosure. IoT devices will often have a diverse supply chain, utilizing numerous
hardware manufacturers alongside cloud services. This makes data protection that much more
difficult. If possible, data-in-transit security, through protocols such as IPsec or Transport Layer
Security (TLS), must be implemented to guard against eavesdropping on data flowing between
IoT and other enterprise components. This is difficult as most IoT devices will ship with a set of
security protocols that are supported, and this may never change over the lifetime of the device.

Protections must also be implemented for the data stored on any cloud platform or the device
itself, including integrated memory or removable storage media. This is another area typically
outside of enterprise control and may need to be screened for pre-purchase if it is a necessary
enterprise security control, as does any IoT device's ability to manage cryptographic keys.

IoT Additional Discussion

Legacy or low-end IoT devices often do not encrypt data in transit or in storage. Typically, IoT
traffic is perishable, near real-time, of limited historical value, and tolerant of loss. Sophisticated
attacks looking to manipulate data often require deep system knowledge and serious mission
benefit to justify the cost of technique and exploit development. In cases where actual threats or
observed threat intelligence indicates the need, methods such as multi-path redundancy, cross-
sensor correlation, or a custom in-line device may be put into place. Many IoT devices will
attempt to store data in the cloud by default without enterprise approval. This may also include
storing data on any mobile devices used to control a device. This makes data protection hard, as
enterprises may not have visibility into what information is being transmitted.

Traditional enterprise data loss protection (DLP) systems can be helpful for email and network
stored data. It is important to perform methodical threat modeling for every new IoT system being

39
 implemented. Consider the value of, and the threats to, data when determining whether
encryption should be applied to protect that data. In some instances, the need to support near
real-time communications outweighs the need to apply an encryption layer to the data. The output
of a threat analysis will provide the foundation for an effective data protection strategy.

CIS Control 13: Data Protection Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an inventory of all sensitive

Maintain an information stored, processed, or
Inventory of transmitted by the organization's Sensitive information on IoT devices
13.1 
Sensitive technology systems, including those should be recorded and inventoried.
Information located on-site or at a remote service
provider.

Remove sensitive data or systems not

regularly accessed by the organization These could include unused IoT devices,
Remove Sensitive
from the network. These systems shall third-party cloud services, or
Data or Systems
only be used as stand-alone systems unnecessary management systems or
13.2 Not Regularly 
(disconnected from the network) by the gateways. The implementation of this
Accessed by
business unit needing to occasionally Sub-Control will depend on how the IoT
Organization
use the system or completely virtualized devices are used.
and powered off until needed.

Deploy an automated tool on network

perimeters that monitors for
Monitor and Block
unauthorized transfer of sensitive Although an important Sub-Control, this
13.3 Unauthorized
information and blocks such transfers is not specific to IoT.
Network Traffic
while alerting information security
professionals.

Only Allow Access

to Authorized Only allow access to authorized cloud This will often need to be decided before
13.4 
Cloud Storage or storage or email providers. IoT device purchase.
Email Providers

Monitor and
Monitor all traffic leaving the This can be extremely difficult for IoT,
Detect Any
13.5 organization and detect any especially if the network is not “IoT
Unauthorized Use
unauthorized use of encryption. aware.”
of Encryption

40
 CIS Control 13: Data Protection Applicability

Included?
Sub-
Control Title Control Description Justification
Control

This Control is specific to mobile. CIS

Utilize approved cryptographic provides the CIS Controls™ Mobile
Encrypt Mobile
13.6 mechanisms to protect enterprise data Companion Guide to assist with
Device Data
stored on all mobile devices. deploying mobile devices in the
enterprise.

If universal serial bus (USB) storage

devices are required, enterprise
This generally does not affect IoT
Manage USB software should be used that can
13.7 devices as USB storage devices are not
Devices configure systems to allow the use of
utilized for IoT.
specific devices. An inventory of such
devices should be maintained.

Manage System's
External Configure systems not to write data to
Removable external removable media, if there is no
13.8 In most cases this cannot be managed.
Media's business need for supporting such
Read/Write devices.
Configurations

IoT devices do not commonly utilize USB

storage; however, other removable
storage media (such as SD cards) might
Encrypt Data on If USB storage devices are required, all be used. Based on the sensitivity of
13.9 USB Storage data stored on such devices must be  stored data, encryption should be used
Devices encrypted while at rest. to mitigate risks related to data theft and
disclosure.

41
CIS Control 14: Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets
(e.g., information, resources, systems) according to the formal determination of which persons,
computers, and applications have a need and right to access these critical assets based on an
approved classification.

IoT Applicability
Authentication to IoT devices is sometimes not a built-in capability. This can cause significant
problems for controlling access to enterprise data stored on IoT devices. Access control
mechanisms should be in place for all entities accessing any IoT device, alongside any
associated cloud service, web application, or mobile application. Sub-Controls relating to private
VLANs may not be applicable, as are those relating to sensitive information or data.

IoT Challenges
Legacy IoT systems often lack automated access control functionality. If this is the case,
organizations should still consider developing policies around secure usage of IoT devices,
especially regarding which networks legacy IoT devices can access. Manual or physical security
solutions that are consistent with an assessed risk profile can also be created. Similarly,
determinations for enterprise data access should be made for all users, applications (including
mobile applications), IoT devices, and any requisite management infrastructure. Plans should be
in place to permanently remove or render device data inaccessible for all devices outside the
physical perimeter of the enterprise.

IoT Additional Discussion

Organizations should look to purchase IoT devices that require, at a minimum, password
protections and should ensure that passwords and authentication mechanisms should be able to
be changed from their default setting. Additionally, passwords should be able to be set to a
sufficient strength for a modern threat environment. In addition, organizations should work to
integrate IoT component authentication with an enterprise authentication capability such as
lightweight directory access protocol (LDAP) or active directory (AD) where practical. As a design
goal for new IoT systems, IoT components should authenticate themselves to the network when
joining.

Although traditional network security mitigations apply, holistic approaches to IoT security may
need to include cellular security if a cellular modem is present. CIS provides the CIS Controls™
Mobile Companion Guide to assist with deploying mobile devices in the enterprise. Cellular
networks are not always properly encrypted and authenticated, and, as the security of these
networks is difficult to independently validate, enterprises can elect to use devices that can
establish an authenticated and encrypted session back to the cloud service or enterprise.
Although 3G universal mobile telecommunications system (UMTS) networks perform mutual
authentication, the improvements made within 4G long-term evolution (LTE) systems are
worthwhile to ensure that device and network properly authenticate each other. Enterprises
should not count on 2G global system for mobile communication (GSM) networks for device
authentication or encryption.

42
 CIS Control 14: Controlled Access Based on the
Applicability
Need to Know

Included?
Sub-
Control Title Control Description Justification
Control

Segment the network based on the

label or classification level of the Organizations should look to segment
Segment the
information stored on the servers, legacy IoT devices from modern IoT
14.1 Network Based on 
locate all sensitive information on devices and all enterprise networks
Sensitivity
separated Virtual Local Area Networks handling sensitive information.
(VLANs).

Enable firewall filtering between VLANs

Enable Firewall to ensure that only authorized systems
This is generally outside the scope of an
14.2 Filtering Between are able to communicate with other
IoT device.
VLANs systems necessary to fulfill their specific
responsibilities.

Disable all workstation-to-workstation

The typical workstation does not fall
Disable communication to limit an attacker's
within the scope of IoT. CIS Control 15
Workstation-to- ability to move laterally and compromise
14.3 discusses the need for peer-to-peer
Workstation neighboring systems, through
(P2P) communication in certain use
Communication technologies such as private VLANs or
cases.
micro segmentation.

Encrypt All This is an important Sub-Control for IoT

Sensitive Encrypt all sensitive information in devices, but enterprises will need to
14.4 
Information in transit. verify if this capability is available for the
Transit specific device before device purchase.

Utilize an active discovery tool to

identify all sensitive information stored,
Utilize an Active processed, or transmitted by the
Discovery Tool to organization's technology systems, This is not specific to IoT devices or their
14.5
Identify Sensitive including those located on-site or at a management platforms.
Data remote service provider, and update the
organization's sensitive information
inventory.

43
 CIS Control 14: Controlled Access Based on the
Applicability
Need to Know

Included?
Sub-
Control Title Control Description Justification
Control

Protect all information stored on

systems with file system, network
share, claims, application, or database
Protect
specific access control lists. These
Information
14.6 controls will enforce the principle that This is not specific to IoT devices.
Through Access
only authorized individuals should have
Control Lists
access to the information based on their
need to access the information as a part
of their responsibilities.

Enforce Access Use an automated tool, such as host-

Control to Data based Data Loss Prevention, to enforce This feature is generally not available on
14.7
Through access controls to data even when the IoT systems.
Automated Tools data is copied off a system.

Encrypt all sensitive information at rest

This is an important Sub-Control for IoT
Encrypt Sensitive using a tool that requires a secondary
devices, but enterprises will need to
14.8 Information at authentication mechanism not 
verify if this capability is available for the
Rest integrated into the operating system, in
specific device before device purchase.
order to access the information.

Enforce Detail Enforce detailed audit logging for

Logging for access to sensitive data or changes to
This feature is generally not available on
14.9 Access or sensitive data (utilizing tools such as
IoT systems.
Changes to File Integrity Monitoring or Security
Sensitive Data Information and Event Monitoring).

44
CIS Control 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local
area networks (WLANs), access points, and wireless client systems.

IoT Applicability
Many IoT devices will make use of a variety of wireless communication protocols, although some
rely on wired mediums, such as Ethernet, for functions like building automation controls and other
use cases. Devices may use the global and ubiquitous highway addressable remote transducer
(HART) protocol, while others use proprietary solutions with built-in access control.
Geographically distributed systems may use elements of cellular stacks. WiFi is a very common
communication protocol for IoT devices, and controls can be implemented within the device and
at the network level. Vulnerabilities may exist within the protocols being used or within the
firmware used to connect and maintain a network connection.

IoT Challenges
Disabling wireless network interfaces can be a challenge as it is not normally a user-customizable
option in off-the-shelf IoT devices. If there is a concern around the usage of wireless, it may be
possible to perform radio frequency (RF) environment characterization and continuous RF
monitoring to see if any pertinent interfaces are in use. IoT devices in the enterprise may
implement several protocols, such as Zigbee, Z-Wave and Bluetooth Low Energy (BLE). To the
extent possible, security engineers should ensure that only needed protocols are allowed within
the organization. Regardless, proper network segmentation will be an ongoing challenge for IoT
devices used within an enterprise.

IoT Additional Discussion

For wireless IoT devices, ensuring that only authorized devices/components connect to an
enterprise wireless network is a first step in meeting the objectives of this Control. In order to
accomplish this, an organization must first define the types of devices that are allowed to be
connected to the enterprise network and which protocols are allowed to be used. IoT devices are
susceptible to network-level man-in-the-middle attacks, such as TLS stripping and address
resolution protocol (ARP) poisoning. These attacks can allow an attacker to sniff unencrypted
traffic or reroute traffic to insecure websites, leading to potential credential theft. Some mobile
threat defense (MTD) on-device agents can detect these attacks and notify a user and/or
administrator. Developers can implement certificate pinning to help stop these types of network-
based attacks as well. Traditional guidance on WiFi security applies, such as using strong
credentials and restricting unauthorized device connectivity. If WiFi Protected Access 2 Pre-
Shared Key (WPA2-PSK) is used, a strong password is necessary, although 802.1x is preferred.

45
 CIS Control 15: Wireless Access Control Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an The wireless access points used by

Inventory of Maintain an inventory of authorized enterprises will not be within scope for
15.1 Authorized wireless access points connected to the  this Sub-Control, but any IoT gateways
Wireless Access wired network. acting as a gateway for wireless IoT
Points traffic will need to be inventoried.

Detect Wireless Configure network vulnerability

Access Points scanning tools to detect and alert on Although important, there is nothing
15.2
Connected to the unauthorized wireless access points specific to IoT within this Sub-Control.
Wired Network connected to the wired network.

Traditional IDS technology has not

Use a wireless intrusion detection necessarily caught up with IoT yet,
Use a Wireless
system (WIDS) to detect and alert on although this is an actively researched
15.3 Intrusion
unauthorized wireless access points topic within academia and industry. IoT
Detection System
connected to the network. gateways may be the best place to
deploy this type of technology.

Disable Wireless
Disable wireless access on devices that IoT devices will likely rely upon some
Access on
15.4 do not have a business purpose for form of wireless as their primary
Devices if Not
wireless access. communication mechanism.
Required

Configure wireless access on client

machines that do have an essential
Limit Wireless IoT devices will likely rely upon some
wireless business purpose, to allow
15.5 Access on Client form of wireless as their primary
access only to authorized wireless
Devices communication mechanism.
networks and to restrict access to other
wireless networks.

Some enterprises may deem it

Disable Peer-to- necessary to limit P2P functionality, yet
Peer Wireless many IoT devices are specifically
Disable peer-to-peer (ad hoc) wireless
15.6 Network designed to utilize machine-to-machine
network capabilities on wireless clients.
Capabilities on (M2M) communication. Disabling this
Wireless Clients functionality would significantly reduce
the utility of the device.

46
 CIS Control 15: Wireless Access Control Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Leverage the
This is an important capability that is not
Advanced
Leverage the Advanced Encryption always available for IoT. Enterprises will
Encryption
15.7 Standard (AES) to encrypt wireless data  need to verify this before purchase, but
Standard (AES) to
in transit. this is possible to determine with online
Encrypt Wireless
research.
Data

Use Wireless Ensure that wireless networks use

Authentication authentication protocols such as
This protocol is not supported on most
Protocols That Extensible Authentication Protocol-
15.8 IoT devices. Enterprises will need to
Require Mutual, Transport Layer Security (EAP-TLS)
verify this before purchase.
Multi-Factor that requires mutual, multi-factor
Authentication authentication.

Disable wireless peripheral access of

Disable Wireless devices [such as Bluetooth and Near IoT devices will likely rely upon some
15.9 Peripheral Access Field Communication (NFC)], unless form of wireless peripheral as their
to Devices such access is required for a business primary communication mechanism.
purpose.

This Sub-Control is one of the most

Create a separate wireless network for
Create Separate critical for IoT devices, especially when
personal or untrusted devices.
Wireless Network insecure devices utilizing legacy
15.10 Enterprise access from this network 
for Personal and protocols with aging software/firmware
should be treated as untrusted and
Untrusted Devices need to function on an enterprise
filtered and audited accordingly.
network.

47
CIS Control 16: Account Monitoring and Control
Actively manage the lifecycle of system and application accounts — their creation, use,
dormancy, deletion — in order to minimize opportunities for attackers to leverage them.

IoT Applicability
The need exists to manage accounts on IoT devices and associated platforms throughout their
lifecycle. IoT devices will have a series of accounts already created and in use when the device is
purchased and shipped. Account management is also applicable to mobile applications, IoT
management platforms, and cloud platforms. Additionally, enterprises and potentially individual
users may also create new accounts. All of these accounts need to be actively managed.

IoT Challenges
It can be challenging to manage accounts on a single system with different user accounts
developed by different vendors. Realistically, it may not be possible to manage all accounts on a
device from all of the companies involved in development. Still, though all accounts may not be
properly documented upon receipt of a device, creating as thorough an inventory of these
accounts as possible is important. It is difficult to identify all root accounts that a developer may
use, and it may be preferable to use devices that can disable all accounts that the organization
has not explicitly approved.

IoT Additional Discussion

Registering devices within an enterprise directory system such as AD or LDAP may be a valid
method for restricting access and for effectively monitoring who has authenticated to the devices.
However, this is only applicable for those devices that can be configured for AD. Organizations
should ensure that IoT implementation plans include strategies for authentication and monitoring
the accounts used to access devices. This data should then be fed back to the organization’s
SIEM for monitoring and control. Administrators should regularly review user accounts on all
systems utilized by the enterprise. Privileges should be adjusted accordingly on a regular basis
with over-privileged users addressed and accounts deactivated when necessary.

Legacy IoT systems with stand-alone consolidating or command and control hosts should
leverage system tools, augmenting them with manual recording and audit processes as required,
to enable this Control. Cloud-based applications supported by the enterprise should be monitored
and have their credentials disabled during employee separation. Enterprise applications should
be analyzed and reviewed for proper authentication techniques. Special attention should be paid
to areas where integration occurs between third-party services and when identities are federated.
Logging should be enabled within back-end management services to monitor activity, with the
logs regularly reviewed.

48
 CIS Control 16: Account Monitoring and Control Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Maintain an Maintain an inventory of each of the

Although an important Sub-Control, IoT-
Inventory of organization's authentication systems,
16.1 specific authentication systems are not
Authentication including those located on-site or at a
commonplace.
Systems remote service provider.

A majority of IoT devices do not allow for

Configure access for all accounts a centralized point of authentication. For
Configure
through as few centralized points of instance, IoT devices utilizing a cloud
16.2 Centralized Point
authentication as possible, including platform will not allow enterprises to
of Authentication
network, security, and cloud systems. insert themselves into the authentication
process.

Require multi-factor authentication for

Require Multi- Although most IoT devices will not
all user accounts, on all systems,
16.3 Factor support this capability, where possible it
whether managed on-site or by a third-
Authentication should be set up and utilized.
party provider.

16.4 Encrypt or Hash Encrypt or hash with a salt all This is typically a feature that will need to
All Authentication authentication credentials when stored. be built-in to the device and verified by
Credentials the enterprise before purchase.

16.5 Encrypt Ensure that all account usernames and This feature will need to be built into the
Transmittal of authentication credentials are device beforehand, but IoT devices
Username and transmitted across networks using  should be cryptographically protecting
Authentication encrypted channels. authentication data using modern
Credentials means.

16.6 Maintain an Maintain an inventory of all accounts This is an important Sub-Control but will
Inventory of organized by authentication system. need to be accomplished via technical
Accounts and procedural means. To accomplish it,

enterprises must be aware of all the
cloud platforms and user accounts
associated with an IoT device.

49
 CIS Control 16: Account Monitoring and Control Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Establish and follow an automated

process for revoking system access by
disabling accounts immediately upon In addition to typical workstations and
Establish Process
termination or change of responsibilities servers, administrators should define this
16.7 for Revoking 
of an employee or contractor. Disabling process specifically for IoT devices and
Access
these accounts, instead of deleting gateways.
accounts, allows preservation of audit
trails.

Disable Any Disable any account that cannot be Just as with traditional systems,
16.8 Unassociated associated with a business process or  accounts that are not linked to an
Accounts business owner. approved user should be disabled.

In a manner similar to traditional

Disable Dormant Automatically disable dormant accounts systems, dormant accounts should be
16.9 
Accounts after a set period of inactivity. disabled after a pre-defined time of
inactivity.

Ensure All Ensure that all accounts have an To the extent possible on IoT devices
16.10 Accounts Have An expiration date that is monitored and  and within applications, accounts should
Expiration Date enforced. not be created to be used in perpetuity.

Lock Workstation IoT devices are often "headless"

Automatically lock workstation sessions
16.11 Sessions After embedded devices that do not directly
after a standard period of inactivity.
Inactivity interact with users.

Monitor Attempts
Attempts to access disabled or
to Access Monitor attempts to access deactivated
16.12  deactivated accounts should be logged
Deactivated accounts through audit logging.
to the extent possible.
Accounts

Alert on Account Alert when users deviate from normal When abnormal behavior for an account
16.13 Login Behavior login behavior, such as time-of-day,  occurs, the necessary parties are
Deviation workstation location, and duration. properly notified.

50
CIS Control 17: Implement a Security Awareness and Training
Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its
security), identify the specific knowledge, skills, and abilities needed to support defense of the
enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate
through policy, organizational planning, training, and awareness programs.

IoT Applicability
Administrators and any potential employees interacting with IoT devices should be trained on
risks and threats specific to IoT platforms. The deployment of IoT components brings with it new
operational capabilities as well as new system and security management requirements. Security
awareness training should be tailored to all employees regularly using these devices.

IoT Challenges
Ensuring that administrators and employees understand the threats IoT devices pose to their
networks can be a challenging task. Special notice should be taken regarding the connection of
insecure legacy devices to enterprise networks handling sensitive enterprise information.
Consumer IoT devices are often cheaply available and becoming ubiquitous in daily living, and
employees will likely bring unapproved devices into the office to use. This could include
connecting enterprise systems to these devices, or connecting the IoT devices directly to the
network. Employees need to understand the security policies surrounding these actions.

IoT Additional Discussion

It is important that organizations understand if a skills gap exists for current staff and work toward
identifying appropriate training to fill those gaps. Specifically, training related to the new threats
that an organization may be exposed to as they implement aspects of IoT would prove valuable
to those charged with protecting the enterprise. Legacy operators that migrate to remote
operations or reporting capabilities that leverage commodity IT solutions for remote situational
awareness or command and control need to ensure their remote operators have the skills and
training to address the additional risks of leveraging internet-facing IoT devices for their work.

Additionally, IoT introduces new concepts that include a heavy focus on RF communications, with
a range of purpose-built protocols. Security engineering teams must understand the intricate
details of these protocols to be able to configure devices in a secure manner. In many cases, IoT
subsystems must also be integrated into the larger enterprise through cloud-based APIs. This
requires that security engineering teams be well versed in the cloud-based technologies that
support IoT.

51
 CIS Control 17: Implement a Security Awareness and
Applicability
Training Program

Included?
Sub-
Control Title Control Description Justification
Control

Understanding the habits of employees

using enterprise-approved IoT devices
Perform a skills gap analysis to can help focus future cybersecurity
understand the skills and behaviors awareness training. It can also be
Perform a Skills
17.1 workforce members are not adhering to,  beneficial to analyze the list of IoT
Gap Analysis
using this information to build a baseline devices used in the organization and
education roadmap. plan specific training for staff with
administrative privileges for those IoT
devices.

Deliver training to address the skills gap Once a gap analysis has been
Deliver Training to
17.2 identified to positively impact workforce  performed, specific training should be
Fill the Skills Gap
members' security behavior. provided to those users.

Create a security awareness program

for all workforce members to complete
on a regular basis to ensure they
Implement a A strategy should be developed to
understand and exhibit the necessary
Security address and educate users on security
17.3 behaviors and skills to help ensure the 
Awareness concerns surrounding the use of IoT
security of the organization. The
Program devices.
organization's security awareness
program should be communicated in a
continuous and engaging manner.

Ensure that the organization's security

Update
awareness program is updated Consistent updates to user awareness
Awareness
17.4 frequently (at least annually) to address  training can help ensure employees
Content
new technologies, threats, standards, know the latest threats.
Frequently
and business requirements.

Secure authentication is different on IoT

Train Workforce Train workforce members on the platforms, and employees should know
17.5 on Secure importance of enabling and utilizing  the security risks and implications of
Authentication secure authentication. insecurely connecting IoT devices to
corporate networks.

52
 CIS Control 17: Implement a Security Awareness and
Applicability
Training Program

Included?
Sub-
Control Title Control Description Justification
Control

Train Workforce This is important as IoT devices may

Train the workforce on how to identify
on Identifying purport to perform one purpose (e.g.,
different forms of social engineering
17.6 Social  Bluetooth speaker) but be configured to
attacks, such as phishing, phone
Engineering record information about a user and send
scams, and impersonation calls.
Attacks it back to a malicious actor.

Train workforce members on how to Users should understand what data is

Train Workforce
identify and properly store, transfer, sensitive on their IoT devices and how to
17.7 on Sensitive Data 
archive, and destroy sensitive prevent commingling alongside personal
Handling
information. information.

Train workforce members to be aware

Train Workforce This can be tailored to IoT-specific
of causes for unintentional data
on Causes of needs, such as what can happen if an
17.8 exposures, such as losing their mobile 
Unintentional Data insecure IoT device is connected to an
devices or emailing the wrong person
Exposure enterprise network.
due to autocomplete in email.

Train Workforce
Train workforce members to be able to Employees can be trained on what
Members on
identify the most common indicators of successful attacks on IoT devices look
17.9 Identifying and 
an incident and be able to report such like and to whom they should be
Reporting
an incident. reported.
Incidents

53
CIS Control 18: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent,
detect, and correct security weaknesses.

IoT Applicability
This CIS Control can be applied in a few distinct ways as application software security can apply
to 1) creating IoT devices; 2) deploying cloud-based applications that IoT devices utilize; 3)
writing mobile or other applications that govern the usage of an IoT device; and 4) creating an
application that integrates with a device in some way, such as leveraging an API. Note that this
guide is not focused on the development and manufacturing of IoT devices and instead guides
enterprises on their usage of IoT.

IoT Challenges
Most enterprises will not be provided with the source code used to run and operate IoT devices
on their networks. This also includes the associated mobile applications and cloud platforms. In
many instances, those responsible for application security for IoT devices would have to perform
analysis on compiled binaries pulled from the devices, which can be an arduous and time-
consuming task. Mobile applications may be more easily acquired, but again the analysis would
not be directly on the source, which limits the benefit somewhat. But this can still be a valuable
effort. For instance, privileged credentials for accessing an IoT device have been found inside of
its corresponding mobile application. Or, in another instance, credentials can be shared between
distinct devices from the same manufacturer.

IoT Additional Discussion

Enterprises may like some level of assurance that device manufacturers of IoT components
practiced software assurance fundamentals when developing the firmware/software that powers
these devices. There will also likely be a number of proprietary applications (e.g., cloud service,
mobile application) that communicate with the IoT components and devices located throughout
the enterprise. For procured IoT devices, enterprises should understand which security best
practices were employed by the manufacturer and help to push vendors toward secure software
development methodologies. This should also be a part of acquisition requirements and
evaluation.

Software being developed by enterprises to connect to IoT components should follow the same
secure development standards that the organization is already using for other internally
developed applications. The IoT Security Testing Guide from the Open Web Application Security
Project (OWASP) can be a useful resource for IoT device software security.

54
 CIS Control 18: Application Software Security Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Establish secure coding practices

Establish Secure appropriate to the programming The OWASP IoT Project provides helpful
18.1 
Coding Practices language and development guidance for secure IoT coding practices.
environment being used.

Ensure That For in-house developed software,

Explicit Error ensure that explicit error checking is
Error checking is an important software
Checking Is performed and documented for all input,
assurance concept and is still necessary
18.2 Performed for All including for size, data type, and 
in the languages used to develop
In-House acceptable ranges or formats.
software that integrates with IoT devices.
Developed
Software

Verify that the version of all software The use of unsupported

acquired from outside your organization software/firmware and applications for
Verify That is still supported by the developer or IoT devices to conduct enterprise tasks
18.3 Acquired Software appropriately hardened based on  is dangerous and potentially exposes
Is Still Supported developer security recommendations. sensitive enterprise data via application-
level vulnerabilities and
misconfigurations.

Only Use Up-to- Only use up-to-date and trusted third-

All of the libraries and development kits
Date and Trusted party components for the software
18.4  used for device development should be
Third-Party developed by the organization.
supported.
Components

Use only Use only standardized, currently As with any device, only standardized
Standardized and accepted, and extensively reviewed cryptographic algorithms with sufficient
Extensively encryption algorithms. key sizes should be utilized. Specialized
18.5 
Reviewed lightweight crypto is available and
Encryption undergoing standardization for resource
Algorithms constrained use cases.

55
 CIS Control 18: Application Software Security Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Ensure Software Ensure that all software development

Classes and training materials are easily
Development personnel receive training in writing
available online and in-person to
18.6 Personnel Are secure code for their specific 
educated developers on the common
Trained in Secure development environment and
pitfalls of secure software development.
Coding responsibilities.

Apply Static and Apply static and dynamic analysis tools Many companies offer these types of
Dynamic Code to verify that secure coding practices services for IoT applications. There is no
Analysis Tools are being adhered to for internally single tool that will operate with 100%
18.7 
developed software. efficiency and correctness, necessitating
a toolbox approach of various tools good
at performing different types of analysis.

Establish a Establish a process to accept and

Process to Accept address reports of software
Enterprises should set up processes for
and Address vulnerabilities, including providing a
18.8  vulnerability disclosure associated with
Reports of means for external entities to contact
IoT software.
Software your security group.
Vulnerabilities

Separate Maintain separate environments for Non-production systems should not be

Production and production and non-production systems. exposed to untrusted parties, as they
18.9 Non-Production Developers should not have  commonly store sensitive data, but are
Systems unmonitored access to production often not hardened or running up-to-date
environments. software.

56
 CIS Control 18: Application Software Security Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Protect web applications by deploying

web application firewalls (WAFs) that
inspect all traffic flowing to the web
application for common web application
attacks. For applications that are not Web application firewalls (WAFs) are not
web-based, specific application firewalls an appropriate control within the context
Deploy Web
should be deployed if such tools are of embedded IoT devices. With that said,
18.10 Application 
available for the given application type. many IoT devices use a web portal to
Firewalls
If the traffic is encrypted, the device display IoT data or to manage an IoT
should either sit behind the encryption device.
or be capable of decrypting the traffic
prior to analysis. If neither option is
appropriate, a host-based web
application firewall should be deployed.

Use Standard For applications that rely on a database, Enterprises generally have little say in
Hardening use standard hardening configuration the methodologies and standards used
18.11 Configuration templates. All systems that are part of to harden IoT devices. The device
Templates for critical business processes should also manufacturer can provide such
Databases be tested. information before procurement.

57
CIS Control 19: Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing
an incident response infrastructure (e.g., plans, defined roles, training, communications,
management oversight) for quickly discovering an attack and then effectively containing the
damage, eradicating the attacker's presence, and restoring the integrity of the network and
systems.

IoT Applicability
Traditional incident response guidance applies and can be tailored to IoT. This includes the need
for planning, defining roles and responsibilities, and having an escalation path. Like with
traditional computer systems, the need to identify, investigate, respond, and recover from
incidents involving IoT devices is important.

IoT Challenges
Just as security professionals establish incident response plans to react to the compromise of a
traditional IT asset, response plans should be tailored to address the course of action to take
when one or more IoT components are compromised. This should include taking into account the
need to perform forensics on the compromised component as well as the need to quickly ensure
that the device is taken offline to limit the spread of the incident. It should be noted that IoT
forensics requires specialized knowledge and can be difficult to perform. When considering data
forensics for IoT devices, there are a wealth of different types of data available to support the
objective of the acquisition, be it eDiscovery, misuse, or evidence collection to support a criminal
case.

IoT Additional Discussion

IoT systems are generally operational and come with a complete maintenance-oriented incident
response and management subsystem of technology and business processes. Cybersecurity
incident response and management controls should be integrated into these maintenance
operations. Operations personnel and incident responders need to be trained on what unusual
behavior looks like for an IoT device. As IoT extends to support new business processes, perform
a mapping of IoT systems to those business processes. This will aid in determining the continuity
of operations planning (COOP) approach to maintaining IoT operations. As with traditional
incident response processes, this part of the response process should be tested or exercised
regularly.

58
 CIS Control 19: Incident Response and Management Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Ensure that there are written incident

Document Written plans for IoT and supporting
response plans that define roles of
19.1 Incident Response  system breaches are key to IoT incident
personnel as well as phases of incident
Procedures response.
handling/management.

Assign job titles and duties for handling Especially if an enterprise is supporting
Assign Job Titles computer and network incidents to an in-house application that integrates
19.2 and Duties for specific individuals, and ensure tracking  with an IoT device that is critical to
Incident Response and documentation throughout the business operations, personnel should
incident through resolution. be dedicated to IoT incident response.

Designate
Designate management personnel, as
Management Management and backup personnel
well as backups, who will support the
19.3 Personnel to  should be specifically appointed for IoT
incident handling process by acting in
Support Incident incident response.
key decision-making roles.
Handling

Devise organization-wide standards for

the time required for system Standards for reporting IoT incidents
Devise
administrators and other workforce should be put in place that are mandated
Organization-wide
members to report anomalous events to across the enterprise. This should
19.4 Standards For 
the incident handling team, the include time to report, types of
Reporting
mechanisms for such reporting, and the anomalous events, and details of any
Incidents
kind of information that should be relevant incident.
included in the incident notification.

Assemble and maintain information on

third-party contact information to be
Maintain Contact Contact information for specific
used to report a security incident, such
Information For individuals and external organizations
19.5 as Law Enforcement, relevant 
Reporting Security regarding IoT security incidents should
government departments, vendors, and
Incidents be maintained.
Information Sharing and Analysis
Center (ISAC) partners.

Publish
Publish information for all workforce
Information
members, regarding reporting computer Information regarding IoT breaches and
Regarding
anomalies and incidents, to the incident other incidents should be made available
19.6 Reporting 
handling team. Such information should to internal employees. This information
Computer
be included in routine employee can be fed back into awareness training.
Anomalies and
awareness activities.
Incidents

59
 CIS Control 19: Incident Response and Management Applicability

Included?
Sub-
Control Title Control Description Justification
Control

Plan and conduct routine incident

response exercises and scenarios for
the workforce involved in the incident
IoT devices can be periodically assessed
Conduct Periodic response to maintain awareness and
in order to test IoT incident response
Incident Scenario comfort in responding to real-world
19.7  procedures. This also helps to keep the
Sessions for threats. Exercises should test
necessary individuals aware of the IoT
Personnel communication channels, decision
procedures.
making, and incident responder’s
technical capabilities using tools and
data available to them.

Create incident scoring and

Create Incident prioritization schema based on known Depending on their criticality to the
Scoring and or potential impact to your organization. organization, a security incident affecting
19.8 
Prioritization Utilize score to define frequency of IoT systems may be more or less
Schema status updates and escalation important to the enterprise.
procedures.

60
CIS Control 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defense (the technology, the processes, and the
people) by simulating the objectives and actions of an attacker.

IoT Applicability
Using traditional penetration testing exercises, such as scanning to identify what ports are open
and what services are running to find vulnerable or exploitable versions doesn’t apply. Legacy
devices may need to be omitted from these activities, especially if they are supporting an
important business function. IoT typically expands the threat model facing an organization in
unique ways that sometimes cannot be easily rectified or mitigated.

IoT Challenges
Many IoT systems do not have mature IP stacks (or any IP stacks) to scan. Errors in scanning
may severely impact business operations. All such tests and scans should be tested thoroughly in
a non-operational testbed (including code review or architecture review), preferably under
simulated practical load-in operations. Strict rules of engagement must be applied that preclude
any possibility of unintended, unexpected, or unwanted operational impact. A good example is a
realistic, offline, threat-driven scenario. The usage of automated penetration (pen) testing tools
with offline configurations can give a hint as to how the real environment will perform.

Penetration testers and red team members should pay extra care in securing authorization to
perform vulnerability assessment and pen testing activities on cloud-based services supporting
IoT devices and any mobile devices with an application supporting an IoT device. Specific user or
service-level approval may be necessary, more so than what is typically provided by the
enterprise.

IoT Additional Discussion

Areas of focus for penetration testing could include sniffing wireless communications, reverse
engineering firmware, and scanning for unknown services. The use of a test lab and devices for
more thorough hardware examination is relevant to IoT. The Attify IoT Penetration Testing Guide
can be a useful starting point to begin IoT penetration testing exercises. The use of IoT
components within an enterprise should result in a tailoring of pen tests and red team exercises
to focus specifically on methods to gain access to the network by leveraging weaknesses in the
design, configuration, or deployment of those IoT components.

61
 CIS Control 20: Penetration Tests and Red Team
Applicability
Exercises

Included?
Sub-
Control Title Control Description Justification
Control

Establish a program for penetration

A penetration testing program geared
Establish a tests that includes a full scope of
toward IoT will include any relevant IoT
20.1 Penetration blended attacks, such as wireless, 
devices, applications, cloud services,
Testing Program client-based, and web application
and gateways.
attacks.

Conduct regular external and internal

Conduct Regular The frequency of testing can be difficult
penetration tests to identify
External and to determine, but changes or updates to
20.2 vulnerabilities and attack vectors that 
Internal firmware are a reasonable place to level-
can be used to exploit enterprise
Penetration Tests set a frequency.
systems successfully.

Perform periodic Red Team exercises Red team exercises focused on IoT will
Perform Periodic
to test organizational readiness to include any relevant IoT devices,
20.3 Red Team 
identify and stop attacks or to respond applications, cloud services, and
Exercises
quickly and effectively. gateways.

Include tests for the presence of

Include Tests for unprotected system information and
Presence of artifacts that would be useful to Red team tests should look for
Unprotected attackers, including network diagrams, passwords, digital certificates, and other
20.4 
System configuration files, older penetration test artifacts that will allow them to access
Information and reports, emails or documents containing devices and cloud services.
Artifacts passwords or other information critical
to system operation.

Create a test bed that mimics a

production environment for specific
Create a Test Bed
penetration tests and Red Team attacks
for Elements Not This will likely include purchasing
20.5 against elements that are not typically 
Typically Tested in additional devices and services.
tested in production, such as attacks
Production
against supervisory control and data
acquisition and other control systems.

Use vulnerability scanning and

Use Vulnerability
penetration testing tools in concert. The
Scanning and Although this can be done in a manner
results of vulnerability scanning
20.6 Penetration  similar to normal desktop systems, it may
assessments should be used as a
Testing Tools in not be as effective for IoT.
starting point to guide and focus
Concert
penetration testing efforts.

62
 CIS Control 20: Penetration Tests and Red Team
Applicability
Exercises

Included?
Sub-
Control Title Control Description Justification
Control

Ensure Results IoT results can be documented in a

Wherever possible, ensure that Red
From Penetration similar manner as traditional systems.
Team results are documented using
Test Are The Mobile version of ATT&CK can also
open, machine-readable standards
Documented provide value for helping to explain test
20.7 (e.g., SCAP). Devise a scoring method 
Using Open, results to outside parties. Although it's
for determining the results of Red Team
Machine- not directly applicable to IoT, it is focused
exercises so that results can be
Readable on embedded devices that often contain
compared over time.
Standards wireless communication capabilities.

Any user or system accounts used to

Control and
perform penetration testing should be
Monitor Accounts Any tools designed to penetrate IoT
controlled and monitored to make sure
20.8 Associated With  devices should be monitored and
they are only being used for legitimate
Penetration routinely audited.
purposes, and are removed or restored
Testing
to normal function after testing is over.

63
Acronyms and Abbreviations

2FA Two-Factor Authentication

2G 2nd Generation
3G 3rd Generation
4G 4th Generation
6LoWPAN IPv6 over Low-Power Wireless Personal Area Network
ACK Acknowledge
AD Active Directory
AES Advanced Encryption Standard
API Application Programming Interface
ARP Address Resolution Protocol
ASLR Address Space Layout Randomization
ATT&CK Adversarial Tactics Techniques and Common Knowledge
BLE Bluetooth Low Energy
CIS Center for Internet Security
COOP Continuity of Operations Planning
CVSS Common Vulnerability Scoring System
DDoS Distributed Denial of Service
DEP Data Execution Prevention
DHCP Dynamic Host Configuration Protocol
DLP Data Loss Protection
DNS Domain Name System
DSS Data Security Standard
EAP-TLS Extensible Authentication Protocol-Transport Layer Security
GDPR General Data Protection Regulation
GPS Global Positioning System
GSM Global System for Mobile Communication
HART Highway Addressable Remote Transducer
HIPAA Health Insurance Portability and Accountability Act
IDS Intrusion Detection System
IEEE Institute of Electrical and Electronics Engineers
IoT Internet of Things
IP Internet Protocol
IPS Intrusion Prevention System
ISAC Information Sharing & Analysis Center
IT Information Technology
JTAG Joint Test Action Group
LDAP Lightweight Directory Access Protocol

64
LTE Long-Term Evolution
M2M Machine-to-Machine
MAC Media Access Control (address)
MFA Multifactor Authentication
MTD Mobile Threat Defense
NFC Near Field Communication
NIST National Institute of Standards and Technology
OEM Original Equipment Manufacturer
OS Operating System
OWASP Open Web Application Security Project
P2P Peer-to-Peer
PCI Payment Card Industry
REST(ful) Representational State Transfer
RF Radio Frequency
RFID Radio Frequency Identifier
RSU Roadside Unit
RTOS Real-Time Operating System
SD Secure Digital
SIEM Security Information and Event Management
SP Special Publication
SSID Service Set Identifier
SYN Synchronization
TCP Transmission Control Protocol
TLS Transport Layer Security
TTP Tactics, Techniques, and Procedures
UMTS Universal Mobile Telecommunications System
USB Universal Serial Bus
VPN Vritual Private Network
WAF Web Application Firewall
WAN Wide Area Network
WiFi Wireless Fidelity
WPA2-PSK WiFi Protected Access 2 Pre-Shared Key

65
Links and Resources
Attify IoT Penetration Testing Guide
https://www.iotpentestingguide.com

CIS Controls™
https://www.cisecurity.org/controls/

CIS Controls™ Cloud Companion Guide

https://www.cisecurity.org/white-papers/cis-controls-cloud-companion-guide/

CIS Controls™ Mobile Companion Guide

https://www.cisecurity.org/white-papers/cis-controls-mobile-companion-guide-2/

CVSS
https://www.first.org/cvss/

DDoS in the IoT: Mirai and Other Botnets

https://ieeexplore.ieee.org/abstract/document/7971869

ICS Cert
https://ics-cert.us-cert.gov/

ICS ISAC
http://ics-isac.org/blog/

Mobile version of ATT&CK

https://attack.mitre.org/tactics/mobile/

NIST SP 800-160 Revision 1

https://csrc.nist.gov/publications/detail/sp/800-160/vol-1/final

OWASP IoT Project

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

OWASP IoT Testing Guide

https://www.owasp.org/index.php/IoT_Testing_Guides

The Internet of Things: An Overview

https://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-IoT-Overview-20151221-
en.pdf

Towards a Definition of the Internet of Things

https://iot.ieee.org/images/files/pdf/IEEE_IoT_Towards_Definition_Internet_of_Things_Revision1
_27MAY15.pdf

66
Closing Notes
In this document, we provide guidance on how to apply the security best practices found in CIS
Controls Version 7 to IoT environments. The newest version of the CIS Controls and other
complementary documents may be found at www.cisecurity.org.

As a nonprofit organization driven by its volunteers, we are always in the process of looking for
new topics and assistance in creating cybersecurity guidance. If you are interested in
volunteering and/or have questions, comments, or have identified ways to improve this guide,
please write us at: [email protected].

All references to tools or other products in this document are provided for informational purposes
only, and do not represent the endorsement by CIS of any particular company, product, or
technology.

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, N.Y. 12061
518.266.3460
[email protected]

67