IGF 2022 Day 0 Event #16 Internet of Things security: achieving greater trust through the deployment of security by design principles

Monday, 28th November, 2022 (06:30 UTC) - Monday, 28th November, 2022 (08:30 UTC)

Wout de Natris, IS3C, private sector, Western Europe Mark Carvell, IS3C, private sector, Western Europe Nicolas Fiumarelli, LACNIC, Technical community, Latin America Janice Richardson, Insight S.A., Education, Oceania Mallory Knodel, Center for Democracy and Technology, U.S.A. Awao Aidam Amenyah, civil society, Africa


Wout de Natris, coordinator IS3C, The Netherlands

Nicolas Fiumarelli, WG 1 chair, Uruguay

All participants

Onsite Moderator

Wout de Natris

Online Moderator

Mark Carvell


João Moreno Falcão / Savyo Vinicius de Moraies


9. Industry, Innovation and Infrastructure

Targets: 9. Industry, innovation and infrastructure A more secure IoT environment equals a more secure internet infrastructure. As such the infrastructure protects privacy, entrepreneurship and innovation, which will lead to a higher level of development everywhere.


The workshop comprises two parts. The first half hour will be a presentation by the lead researcher. The second part will be for interaction and receiving feedback of the experts and users present. The detailed format of the presentations cannot be decided until after the research has been concluded in late September. The results will determine how mature the recommendations and potential toolkits are and the level of information which the WG needs from stakeholders. The most likely format will be break-out groups which will each consider a cluster of possible recommendations. Another option may be to ask a representative of a stakeholder group (e.g. business users) to respond to individual recommendations. This will be decided in October at the latest.


The IGF’s dynamic coalition on Internet Standards, Security and Safety (IS3C) has one overarching goal: to make the Internet more secure and safer by achieving more widespread and rapid deployment of existing internet standards and related ICT best practices.

This workshop focuses on the outcomes and recommendations of IS3C’s Working Group 1 on Security by Design – Internet of Things’ research project in 2022 which aims to reinforce and promote the adoption of security by design principles in the development of IoT networks and connected devices. The research compared legal documents from 22 countries/supra national organisations and IoT certification documents. The report provides recommendations to policy makers and decision takers in industry about IoT security best practices. The research will also contribute to promoting greater awareness of IoT security requirements amongst IoT developers and manufacturers by drawing up a single authoritative resource that compiles examples of current best practices drawn from national and regional policies worldwide with a listing of related IoT security standards.

The draft report is currently up for public consultation, of which this workshop is a part. All participants are invited to comment on the outcomes and provide feedback. This is your opportunity to respond in order to reach a rough consensus on the draft report’s findings and recommendations. Your comments, online and on site will be worked into the report that is slated for publication in January 2023.

This workshop is hybrid and interactive. The onsite and online moderators will ensure that all participants are able to engage and interact with speakers and presenters on an equal basis.

Key Takeaways (* deadline 2 hours after session)

Securing the Internet of Things by design, is a topic of utmost importance. The deployment of existing related Internet standards and ICT best practices is a must. This was widely recognised as a way to achieve this level of security. The world as a whole needs to join in the effort to achieve this goal in order to become more secure and safer. IS3C's draft report was recognised as timely and adds positively to previous work within the IGF.

Call to Action (* deadline 2 hours after session)

1. Public consultation starting in December. 2. The report is released in 02-23. 3.The theory of IoT security by design must become practice. 4. How do IS3C's recommendations coincide with current work within the European Commission. 5. Multistakeholder teams need to define the recommendations leading to deployment. 6. The recommendations need to become part of capacity building programmes around the globe.

Session Report (* deadline 26 October) - click on the ? symbol for instructions

Wout de Natris opens the session, introducing the speakers involved in the session and the effort made by the Internet Standards, Security and Safety Coalition (IS3C) to make the Internet more secure and safer. Mr. de Natris highlighted the importance of deploying the current Best Practices and Standards for achieving IS3C’s global objective. In this context, Wout introduced the research carried out by the Working Group on Internet of Things Security-by-Design (WG 1). This research's aim is to bridge the gap between the theory and the practice of best practices and standards for IoT Security, and to archive that, the research built a map of the current policy, governmental, and regulatory documents around the world that target improving the security of the Internet of Things ecosystem with the concept of security-by-design.


Nicolas Fiumarelli, chair of the WG 1, contextualized the current scenario of the Internet of Things (IoT), showing the magnitude of the number of connected devices and how they can be impacted by insecure software and configurations. He explained that the research covered 30 documents, from over 20 countries from different regions of the world. The analyzed documents could contain security requirements or recommendations for the whole IoT ecosystem. Nicolas also highlighted the low number of published documents from the African and Latin America and Caribbean regions, but he also mentioned that countries from all the regions have currently some initiatives to publish documents on Iot security in the near future.


Mr. Fiumarelli explained that one of the outputs of the research is a compilation of all the Security Best Practices that could be collected from the documents. These best practices are divided into four categories: Privacy and Exposure; Update; Non-technical; and Operation/Community. He announced a public consultation on the draft report that will start in the second half of December after which the final report is to be published in the winter of 2023.


In the first round of contributions from the participants, Maarten Botterman (former chair of the DC-IoT and ICANN) pointed out the necessity for authorization schemes to identify bad actors and to prevent backdoors in the context of IoT. Lito Ibara showed his concern with the small number of documents from the African and Latin America and Caribbean regions and asked if the research report will contain some advice for the policymakers of those regions. Nicolas agreed with the point raised by Mr. Ibarra and mentioned that there are some works in progress on the development of more documents in the less-represented regions. The report will contain recommendations on current good practices, all working on documents now and in the future can profit from.


Roberto Zambrana asked about capacity-building programs, and Wout replied that capacity-building is planned in the next phase of the Coalition for all the WGs, including IoT. He also pointed out that recognition of Dynamic Coalitions' outputs by the IGF will play a crucial role to be able to succeed here. One participant made a question about the legal measures in order to punish cyber criminals that exploit IoT systems. Here Wout explained this kind of analysis is out of the scope of the study. Another comment was on the universal acceptance of outcomes. Here Wout answered that the work of IS3C is neutral. No matter where you live in the world, he thinks that everyone will agree that they do not want their data stolen or compromised. IS3C creates guidelines and tools that assist in preventing this, accessible for all. Someone also pointed to the work currently underway at the European Commission on Internet standards. This point was well received. The Commission will be contacted on our work.


The workshop closed with a call to arms to the global community. Please work with us and comment or add to the draft report in our upcoming public consultation. The more input IS3C receives the stronger the report becomes, including a far better chance at a positive adoption.