V4: Communication Requirements
Control Objective
Devices use network communication to exchange data and receive commands within their ecosystem. For the different parties to trust the contents of those communications, the channels must be protected: the authenticity of the parties, the integrity of the data against malicious modification, and confidentiality against information leakage. In practice this means deploying up-to-date communication protocols and correctly configuring their security features, including the cryptography they use. Because industry guidance on secure TLS, Bluetooth, and Wi-Fi configuration changes frequently, configurations should be reviewed periodically to ensure that communications security remains effective.
Always use TLS or equivalent strong encryption and authentication, regardless of the sensitivity of the data being transmitted.
Other security practices include certificate-based authentication, mutual (client and server) authentication, and certificate pinning. Pinning must come with a planned rotation path, such as a backup pin shipped ahead of the next certificate, so that a routine certificate renewal cannot lock deployed devices out of their backend.
Use up to date configurations to enable and set the preferred order of algorithms and ciphers used for communication.
Disable deprecated or known insecure algorithms and ciphers.
Use the strongest security settings available for wired and wireless communication protocols.
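As an added example (not part of the ISVS text or any OWASP project code), the following Python shows the control objective and the points above as one client-side TLS configuration: a TLS 1.2+ floor, an explicit strongest-first cipher preference with deprecated algorithms excluded, certificate verification that is never disabled, optional mutual authentication with a device certificate, and leaf-certificate pinning with room for a backup pin. Next to it sits the legacy configuration it replaces and an audit function that flags the weak settings. The file paths, the pin format (base64 SHA-256 of the DER certificate), and all function names are assumptions made for this illustration; the audit checks are a starting point, not a complete TLS assessment.

```python
"""Hardened TLS client configuration for an IoT device, with an audit helper.

Added example for the ISVS V4 control objective; not project code.
"""
import base64
import hashlib
import socket
import ssl
from typing import Iterable, List, Optional

# Preference order, strongest first: ECDHE key exchange (forward secrecy)
# with AEAD ciphers only. Anonymous, NULL, MD5, RC4, DES/3DES and export
# suites are explicitly excluded. TLS 1.3 suites are all AEAD and are
# negotiated separately by the library.
PREFERRED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT"

# Name fragments that must never appear in an enabled cipher suite.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "3DES", "DES-", "MD5", "EXP", "ADH", "AECDH")


def make_hardened_context(ca_file: Optional[str] = None,
                          client_cert: Optional[str] = None,
                          client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context per the V4 guidance.

    ca_file: trust anchor for the device's backend (assumed path); if None
    the platform trust store is used. client_cert/client_key: the device
    identity for mutual TLS (assumed paths); if None, server-only auth.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 are deprecated
    ctx.set_ciphers(PREFERRED_CIPHERS)             # strongest-first, weak ones off
    ctx.verify_mode = ssl.CERT_REQUIRED            # server must present a valid chain
    ctx.check_hostname = True                      # and it must match the host
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS compression (CRIME)
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def make_legacy_context() -> ssl.SSLContext:
    """The kind of 'it just works' configuration the guidance forbids."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # any certificate accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")                         # everything the library offers
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that violate the guidance (empty list = clean)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for suite in ctx.get_ciphers():
        if any(marker in suite["name"] for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite enabled: " + suite["name"])
    return findings


def pin_of(der_cert: bytes) -> str:
    """Pin format assumed here: base64 SHA-256 over the whole DER certificate."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def pin_matches(der_cert: bytes, expected_pins: Iterable[str]) -> bool:
    """True if the presented certificate matches any configured pin.

    Ship the next certificate's pin as a backup pin before rotating, so a
    renewal does not strand the fleet.
    """
    return pin_of(der_cert) in set(expected_pins)


def connect_pinned(host: str, port: int, pins: Iterable[str],
                   ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS connection, then enforce pinning on top of chain validation."""
    ctx = ctx or make_hardened_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    leaf = sock.getpeercert(binary_form=True)      # DER of the server's leaf cert
    if leaf is None or not pin_matches(leaf, pins):
        sock.close()
        raise ssl.SSLError("server certificate does not match any configured pin")
    return sock


if __name__ == "__main__":
    print("hardened:", audit_context(make_hardened_context()) or "clean")
    print("legacy:  ", audit_context(make_legacy_context()))
```

`audit_context` is also useful as a unit test in the device's firmware build: run it against the context the application actually constructs, so a later "temporary" `verify_mode = CERT_NONE` fails the build rather than shipping.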
Security Verification Requirements
General
Machine-to-Machine
Bluetooth
Wi-Fi
References
For more information, see also:
OWASP Transport Layer Protection Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
NIST SP800-52r2 - Guidelines for the Selection, Configuration, and Use of TLS Implementations: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
IETF RFC 7525 - Recommendations for Secure Use of TLS and DTLS: https://tools.ietf.org/html/rfc7525
NIST SP800-121r2 - Guide to Bluetooth Security: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf
NIST SP800-97 - Establishing Wireless Robust Security Networks: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-97.pdf