The Internet of Things (IoT) is enabling a wave of innovation and operational intelligence across industries. In manufacturing, connected sensors enable predictive maintenance and process optimization. In healthcare, smart devices support real-time patient monitoring and personalized care. In rail transportation, automated systems enhance safety and efficiency. In hospitality, IoT enriches the guest experience while improving operational responsiveness.

This growth is essential, and inevitable.

But as IoT systems extend into every corner of the enterprise, they also extend the attack surface. These devices often live outside conventional IT asset inventories. They may lack endpoint protection, have long patch cycles, or rely on insecure default configurations. And they may have direct impacts on the physical world, making their security lapses more than just data risks: they become safety, trust, and social-good issues.

That’s why CISOs and security teams must bring IoT under the umbrella of enterprise security governance with the rest of IT.

This primer provides a practical, control-based guide to doing exactly that, built on the principle that IoT systems are not exempt from security governance; they are subject to it.

The mission is clear: secure innovation is sustainable innovation, and for IoT it starts with applying the right controls, through the right architecture, in the context of your real-world risks.

 

When Does OT Become IoT?

Not all Operational Technology (OT) is Internet of Things (IoT), but the boundary is narrowing. OT refers to hardware and software systems used to monitor and control industrial operations, such as programmable logic controllers (PLCs), SCADA systems, and distributed control systems.

IoT refers to devices that can be network connected, often IP-based, and capable of transmitting data, frequently to centralized systems or the cloud.

OT becomes IoT when it:

  • Connects to enterprise or external networks, usually over IP.
  • Sends or receives data beyond its immediate control environment.
  • Is remotely managed or updated using standard protocols.
  • Interfaces with IT systems, analytics platforms, or cloud services.

 

The Expanding IoT Landscape

The Internet of Things (IoT) is no longer limited to smart home gadgets or edge sensors; it is the connective tissue of modern business operations. Across critical sectors, IoT devices are embedded deep within supply chains, safety systems, customer experiences, and frontline services. These systems gather data, automate decisions, and drive real-time responses, often in ways invisible to end users.

But this expansion brings with it a layered, fast-evolving ecosystem that blurs traditional boundaries between IT, OT (Operational Technology), and physical infrastructure.

Healthcare: From infusion pumps and patient monitors to smart beds and mobile diagnostics, IoT underpins critical care workflows. It supports continuous monitoring, remote telemetry, and asset tracking. These devices often interface with other systems or cloud platforms and must comply with HIPAA, FDA regulations, and strict safety requirements. (U.S. Department of Health and Human Services, 2013) The lifecycle of medical devices is long, and security updates may be limited or complex.

Rail and Transportation: Modern rail systems rely on a complex mesh of connected assets, from trackside sensors and signaling controls to real-time passenger information and onboard telemetry. Many components operate in remote, unstaffed locations and interface with national infrastructure. IoT supports predictive maintenance, train automation, and environmental monitoring, while demanding strict uptime and physical safety standards.

Hospitality: Smart thermostats, occupancy sensors, connected locks, voice assistants, and energy management systems are now common in hotels. These systems elevate the guest experience, but they also collect sensitive data, interface with third-party platforms, and often operate in high-turnover environments. Many are cloud-managed and vendor-supported, making visibility and control persistent challenges.

Pipelines and Energy Transport: IoT in the pipeline sector is transforming how fuel, gas, and critical chemicals are monitored and moved. Field-deployed sensors, telemetry endpoints, automated valve controls, and SCADA-connected systems now span vast geographies, often in physically isolated or unmanned environments. While these advances improve efficiency and response time, they also introduce new cyber-physical risks.

Threat actors do not need sophistication to disrupt pipeline operations, a point underscored by recent federal alerts. Vulnerable remote access pathways, weak segmentation between IT and OT, and legacy field hardware lacking modern protection all create low-complexity, high-impact surfaces. CISA and TSA both emphasize the importance of system visibility, access control, and network isolation to contain and defend these environments.

 

Key Observations Across Industries:

  • IoT systems are not peripheral, they are central to operations, safety, and user experience.
  • Many devices are unmanaged or vendor-controlled, limiting direct security configuration.
  • Device diversity is enormous, ranging from low-power sensors to full OS-based embedded platforms.
  • IoT ecosystems often bypass traditional IT governance, creating visibility, patching, and policy gaps.


As IoT adoption accelerates, it is no longer sufficient to treat the devices as exceptions. They are endpoints. They are part of the business, and part of the attack surface. The challenge ahead is not just to secure “IoT devices,” but to govern the systems they belong to, with the same care and accountability as any other part of the enterprise.

 

What Makes IoT Security Unique (and Risky)

To the uninitiated, IoT devices seem like any other endpoint; in practice they challenge long-standing enterprise security assumptions. While they must be governed by the same security outcomes (confidentiality, integrity, availability, and security), the way these outcomes are achieved must adapt to the realities of IoT ecosystems.

This section outlines why IoT systems demand a specific perspective within your risk management program.

Long Device Lifecycles with Limited “Patchability”: Unlike desktops, laptops, servers, or cloud workloads, IoT devices are often deployed with minimal resource footprint and the expectation they will operate for five to fifteen years or more. Many lack over-the-air update capabilities, rely on proprietary firmware, or depend on vendor-controlled patch schedules. As a result, vulnerabilities may persist longer than acceptable in traditional IT environments. This elevates the importance of secure configuration, access control, isolation, and network monitoring.

Wide Variability in Hardware and Communication Protocols: IoT devices span a broad spectrum of architectures, from microcontroller-based sensors to embedded Linux systems. They often communicate using non-standard or vendor-specific protocols and may connect over Wi-Fi, Zigbee, Bluetooth, serial, or cellular links. This diversity complicates asset inventory, traffic inspection, and vulnerability assessment. It also introduces blind spots in conventional visibility and enforcement models.

Always On, Often Unmanaged: IoT devices typically operate continuously and without user interaction. Many are installed by operational teams, facilities personnel, or external vendors, outside the reach of IT asset management. These devices may remain undocumented, misconfigured, or unsupported, even while performing mission-critical functions. Without deliberate coordination, IoT can become a source of unmanaged risk that undermines existing security investments.

Deep Integration with Core Operations: In many industries, IoT is not ancillary, it is foundational. Manufacturing lines rely on real-time telemetry and control. Healthcare providers depend on patient-monitoring equipment and diagnostic tools. Rail operators use connected systems to manage signaling, train positioning, and maintenance schedules. Any security incident affecting these systems risks operational downtime, regulatory exposure, and safety consequences.

Limited Interfaces and Embedded Risk: IoT devices often operate without viable user interfaces or traditional login mechanisms. Many ship with hardcoded credentials, insecure firmware defaults, open debug ports, or limited access control features. Some use outdated libraries and minimal operating systems, making it difficult to deploy standard endpoint security tools. These devices are frequently treated as “black boxes,” even when embedded in critical workflows.

Outside the IT Governance Model: Procurement, installation, and maintenance of IoT systems often fall outside the purview of IT or security. They may be handled by contractors, facilities, biomedical engineers, or third-party integrators. Without governance policies that extend to IoT, devices can enter the environment without review, threat modeling, or baseline configuration. This disconnect between ownership and oversight introduces persistent security gaps.

IoT systems disrupt traditional assumptions about visibility, control, and accountability. However, the appropriate response is not to create a separate security program, but to extend your existing risk and governance frameworks to accommodate the characteristics of IoT.

These devices must be identified, governed, and protected using the same core principles that apply to all enterprise systems, adapted to meet the technical and operational constraints of connected environments.

 

Threat Landscape: How IoT Systems Are Compromised

IoT systems are frequently targeted, not because they are inherently weak, but because they are often deployed without sufficient governance, visibility, or security controls. When adversaries identify these gaps, IoT becomes a low-effort, high-impact vector, one that can lead to operational disruption, data compromise, or even physical harm.

While IoT breaches may not always be distinctly referenced in public breach reports, patterns from real-world data sets, such as the VERIS Community Database (VCDB), confirm that unauthorized access, misconfiguration, malware infections, and unpatched vulnerabilities are common across environments where IoT and operational technologies intersect.

 

Table 1: Common IoT Threat Vectors and Associated Controls

 

Real World Incident Patterns

Data from the VERIS Community Database reinforces that incidents involving IoT and OT systems often involve:

  • Integrity or availability impacts rather than just data confidentiality.
  • Unauthorized access due to poor authentication hygiene.
  • Delayed detection and response, especially in environments lacking centralized monitoring.
  • Multi-stage attacks, where an IoT device is the foothold used to pivot into the business-critical systems.

While these incidents span industries, they consistently show that the presence of IoT without appropriate controls introduces disproportionate risk. (The VERIS Community Database, n.d.)

 

Implications

The takeaway for security leaders is clear: IoT systems expand both the attack surface and the blast radius. They are viable targets, pivot points, and amplifiers for broader compromises.

Security teams must assume that adversaries, whether opportunistic or strategic, will target IoT environments just as they do enterprise IT. The lack of distinction in attacker intent is exactly why IoT systems must be protected with the same rigor as any other critical asset.

 

Security Integration: Applying Governance to IoT

IoT systems cannot be treated as exceptions to enterprise security governance. While they introduce unique characteristics, such as limited ability to be patched, vendor-managed firmware, and constrained interfaces, they still fall within the scope of your organization’s responsibility to ensure confidentiality, integrity, and availability.

The approach is not to reinvent your security model, but to ensure your existing model can accommodate the realities of IoT based on risk management, control baselines, and architectural enforcement.

 

Use Existing Security Control Frameworks

Organizations should start by applying a recognized set of baseline security controls to IoT systems. Two widely used frameworks include:

NIST SP 800-53 Rev 5: A comprehensive catalog of security and privacy controls used by federal agencies and widely adopted across critical infrastructure sectors.

CIS Controls v8.1: A prioritized, implementation-friendly framework with mappings to NIST and other standards, ideal for organizations seeking prescriptive guidance.

These frameworks are not IoT specific, though they are IoT-relevant. IoT assets must be considered in scope for control categories such as:

  • Access Control (AC)
  • System and Communication Protection (SC)
  • Configuration Management (CM)
  • System and Information Integrity (SI)
  • Audit and Accountability (AU)
  • Risk Assessment (RA)
  • Supply Chain Risk Management (SR)

 

Leverage Your Existing Risk Management Framework

IoT security decisions should be governed by your existing risk management processes. Whether based on the NIST Risk Management Framework (RMF), ISO/IEC 27005, or another enterprise methodology, the steps are consistent:

  1. Categorize IoT assets by criticality and exposure.
  2. Select applicable controls from your baseline (e.g., NIST 800-53).
  3. Assess implementation gaps, accounting for technical constraints.
  4. Apply compensating or alternative controls where necessary.
  5. Monitor and adapt as environments change.

This ensures IoT risks are managed with the same accountability, rigor, and traceability as any other part of your enterprise “infrastructure.”
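The five steps above, carried through in code as an added worked example (this is not from the primer or any of the frameworks it cites): a constructed IoT inventory is categorized by criticality and exposure, a baseline of NIST SP 800-53 Rev 5 controls is selected per tier, gaps are assessed, and the compensating controls the primer lists for unpatchable devices are planned. The three-tier thresholds, the per-tier baseline, and the asset records are assumptions made for this example.

```python
"""Added worked example (not from the primer): walk the five risk management
steps over a constructed IoT inventory and produce a gap report with
compensating controls. Control identifiers are NIST SP 800-53 Rev 5 controls
the primer names; the tier thresholds and the per-tier baseline are
assumptions made for this example."""
from dataclasses import dataclass


@dataclass
class IoTAsset:
    name: str
    criticality: str     # "high" | "medium" | "low"
    exposed: bool        # reachable from enterprise or external networks
    segmented: bool      # sits in its own VLAN/zone             (SC-7)
    default_creds: bool  # still uses vendor default credentials (IA-5)
    patchable: bool      # vendor ships firmware updates          (SI-2)
    monitored: bool      # traffic feeds a SIEM/NDR               (SI-4)


# Step 1: categorize by criticality and exposure (tier thresholds are an assumption)
def categorize(asset: IoTAsset) -> str:
    if asset.criticality == "high" and asset.exposed:
        return "tier-1"
    if asset.criticality == "high" or asset.exposed:
        return "tier-2"
    return "tier-3"


# Step 2: select controls from the baseline per tier (assumed baseline for the example)
BASELINE = {
    "tier-1": ["SC-7", "IA-5", "SI-2", "SI-4"],
    "tier-2": ["SC-7", "IA-5", "SI-2"],
    "tier-3": ["IA-5"],
}

# Step 4: compensating controls the primer lists when a device cannot be patched
COMPENSATING_FOR_SI_2 = [
    "SC-7: segment the device from critical infrastructure",
    "SI-4: monitor closely for behavioral anomalies",
    "AC-3: restrict access with ACLs and a jump box",
]


def implemented_controls(asset: IoTAsset) -> dict:
    """Translate inventory attributes into control implementation status."""
    return {
        "SC-7": asset.segmented,
        "IA-5": not asset.default_creds,
        "SI-2": asset.patchable,
        "SI-4": asset.monitored,
    }


# Step 3: assess gaps against the selected baseline
def assess(asset: IoTAsset) -> tuple:
    tier = categorize(asset)
    status = implemented_controls(asset)
    gaps = [c for c in BASELINE[tier] if not status[c]]
    return tier, gaps


# Steps 3-4 combined: for each gap, either implement the control or, where the
# device's constraints make that impossible (no vendor patches), compensate.
def plan(asset: IoTAsset) -> dict:
    tier, gaps = assess(asset)
    actions = {}
    for control in gaps:
        if control == "SI-2" and not asset.patchable:
            actions[control] = COMPENSATING_FOR_SI_2
        else:
            actions[control] = [f"{control}: implement per baseline"]
    return {"asset": asset.name, "tier": tier, "gaps": gaps, "actions": actions}


# Step 5: monitor and adapt; re-running the plan over the current inventory
# surfaces devices whose gaps changed (new exposure, revoked vendor support).
def report(assets: list) -> list:
    return sorted((plan(a) for a in assets), key=lambda r: (r["tier"], r["asset"]))


# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = [
    IoTAsset("infusion-pump-12", "high", True, False, True, False, False),
    IoTAsset("hvac-controller-3", "medium", True, True, False, True, False),
    IoTAsset("badge-reader-lobby", "low", False, False, True, True, False),
]

if __name__ == "__main__":
    for row in report(SAMPLE_INVENTORY):
        print(row)
```

The point of the structure is traceability: every action in the output names the control it satisfies or compensates for, so the same record can feed the audit and exception documentation discussed later in the primer.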

 

Secure IoT Within Your Governance Program

IoT security isn’t a separate problem, it’s a specific application of your broader governance framework. The difference is in the implementation details, not the control objectives.

By applying control baselines through a Zero Trust Architecture (ZTA), guided by a formal risk management approach and tailored with IoT-specific guidance, organizations can secure their IoT environments with the same discipline and confidence they apply elsewhere.

 

What CISOs Must Do: Strategic Security Foundations for IoT

For most organizations, IoT systems are already present whether formally governed or not. The role of the CISO is to integrate these systems into the enterprise security model by focusing on controls enforcement, architectural discipline, and cross-functional coordination.

This section outlines the high-impact action CISOs must take to govern IoT environments effectively. See the appendix for a consolidated reference table.

  1. Adopt a Zero Trust Model for IoT Systems

Assume that no device or communication path is trustworthy by default. Apply the principles of Zero Trust to IoT environments by:

  • Requiring authentication and authorization for all device communications
  • Enforcing least-privilege access for devices, users, and services
  • Using identity-aware policies to limit lateral movement
  • Segmenting IoT systems from IT and OT infrastructure

Core controls: (NIST) AC-3, AC-6, SC-7, SC-11, SC-13; (CIS) 4, 6, 13

 

  2. Segment IoT Devices by Function and Criticality

IoT systems should never operate on flat networks. Implement segmentation to:

  • Separate IoT traffic from business-critical systems
  • Isolate devices by function (e.g., HVAC vs. patient monitoring)
  • Use VLANs, software-defined segmentation, or hardware-based zones.
  • Apply micro-segmentation

Core controls: (NIST) SC-7, SC-7(12), AC-4; (CIS) 3, 13

 

  3. Enforce Identity and Access Management

Strong identity and access control is foundational for securing IoT, even when devices lack user interfaces. Key actions:

  • Remove all default credentials from all devices
  • Use certificate-based device authentication where possible
  • Enforce MFA for administrative access to IoT dashboards and management tools.
  • Maintain an inventory of all user and service accounts with access to IoT systems

Core controls: (NIST) IA-2, IA-3, IA-5, AC-17; (CIS) 5, 6

 

  4. Establish and Maintain an Accurate Asset Inventory

Know what is connected to your environment. Effective asset management includes:

  • Continuous discovery of IoT devices across networks
  • Classification of devices by type, function, and criticality
  • Ownership mapping for governance and response accountability
  • Integration with CMDB or other asset repositories

Core controls: (NIST) CM-8, RA-9; (CIS) 1

 

  5. Monitor Device Behavior and Network Traffic

IoT systems often lack onboard security agents, so monitoring must happen at the network and behavioral level. Steps include:

  • Baseline normal behavior for device types or models
  • Monitor for anomalous traffic, protocol misuse, or unexpected flows.
  • Feed data into SIEM, NDR, or behavioral analytics platforms.
  • Alert on deviations from expected behavior

Core controls: (NIST) AU-6, SI-4, CA-7; (CIS) 8, 13
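The four monitoring steps above, as an added worked example in code (this is not from the primer): a learning window of flow records establishes what normal looks like for each device type, and a later window is checked against that baseline for new destinations, unknown device types, and volume spikes. The flow records are constructed samples in a made-up text format (timestamp, device, destination, port, protocol, bytes); the rule that derives device type from the name prefix and the 5x volume threshold are assumptions.

```python
"""Added worked example (not from the primer): baseline per-device-type network
behavior from a learning window of flow records, then alert on deviations in a
later window. Flow records are constructed samples in a made-up text format
(timestamp, device, destination, port, protocol, bytes); the device-type-from-
name-prefix rule and the 5x volume threshold are assumptions."""
from collections import defaultdict

# Constructed learning window: what "normal" looks like for cameras and pumps
BASELINE_FLOWS = """\
2025-05-06T08:00:01 cam-01  10.0.5.10 554 tcp 4200
2025-05-06T08:00:02 cam-01  10.0.5.10 554 tcp 4300
2025-05-06T08:00:03 cam-01  10.0.5.20 123 udp 76
2025-05-06T08:00:04 pump-07 10.0.9.5  443 tcp 1200
2025-05-06T08:00:05 pump-07 10.0.9.5  443 tcp 1400
"""

# Constructed live window to evaluate against the baseline
LIVE_FLOWS = """\
2025-05-06T09:00:01 cam-01  10.0.5.10 554 tcp 4100
2025-05-06T09:00:02 cam-01  10.0.8.44 445 tcp 900
2025-05-06T09:00:03 pump-07 10.0.9.5  443 tcp 900000
2025-05-06T09:00:04 cam-02  10.0.5.10 554 tcp 4150
"""

VOLUME_FACTOR = 5  # assumption: alert when bytes exceed 5x the baseline maximum


def parse_flows(text: str) -> list:
    """Parse one flow per line into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, device, dst, dport, proto, nbytes = parts
        flows.append({"ts": ts, "device": device, "type": device.split("-")[0],
                      "dst": dst, "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes)})
    return flows


def build_baseline(flows: list) -> dict:
    """Per device type: the (dst, dport, proto) tuples seen in the learning
    window and the largest byte count observed for each tuple."""
    baseline = defaultdict(dict)
    for f in flows:
        key = (f["dst"], f["dport"], f["proto"])
        baseline[f["type"]][key] = max(baseline[f["type"]].get(key, 0), f["bytes"])
    return dict(baseline)


def detect(baseline: dict, flows: list) -> list:
    """Alert on unseen device types, unseen peer/port/protocol tuples, and
    byte volumes far above the baseline maximum for a known tuple."""
    alerts = []
    for f in flows:
        known = baseline.get(f["type"])
        key = (f["dst"], f["dport"], f["proto"])
        if known is None:
            alerts.append({"device": f["device"], "kind": "unknown-device-type", "flow": key})
        elif key not in known:
            alerts.append({"device": f["device"], "kind": "new-destination", "flow": key})
        elif f["bytes"] > VOLUME_FACTOR * known[key]:
            alerts.append({"device": f["device"], "kind": "volume-spike", "flow": key,
                           "bytes": f["bytes"], "baseline_max": known[key]})
    return alerts


def run() -> list:
    """Learn from the baseline window, then evaluate the live window."""
    return detect(build_baseline(parse_flows(BASELINE_FLOWS)), parse_flows(LIVE_FLOWS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Baselining by device type rather than by individual device is what lets a newly installed camera (cam-02 above) behave like its peers without raising an alert, while a known camera reaching a file-sharing port it has never used does. The alert dicts are the records you would forward to a SIEM or NDR platform.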

 

  6. Patch What You Can, Contain What You Can’t

Where firmware updates are available, apply them through a controlled process. Where they are not:

  • Segment the device from critical infrastructure.
  • Monitor closely for behavioral anomalies.
  • Apply compensating controls such as ACLs and jump boxes.

Core controls: (NIST) SI-2, SC-7, SC-7(5), SC-7(12); (CIS) 7, 12

 

  7. Secure the Device Lifecycle

IoT security is not just a runtime concern. It starts with procurement and continues through decommissioning. Actions include:

  • Define secure onboarding procedures, including device validation and configuration.
  • Ensure secure retirement of devices, including credential revocation and data wiping.
  • Require vendors to provide updates and patch timelines.
  • Review of SLAs and supply chain obligations for security guarantees

Core controls: (NIST) CM-8, MP-6, SR-3, SR-5; (CIS) 2.4, 15, 16

 

  8. Vet Vendors and Require Transparency

Vendors must be accountable for the security of the products they provide. As part of procurement and ongoing evaluation:

  • Require Software Bills of Materials (SBOMs)
  • Evaluate the vendor’s vulnerability disclosure and patching policies.
  • Assess the security of third-party cloud platforms used for device management.
  • Require testing and validation of vendor-provided devices used in the field (time clocks, POS devices, handhelds, etc.) prior to deployment.
  • Align contracts and SLAs with your enterprise security policies to address these concerns.

Core controls: (NIST) SR-3, SR-5, SR-6, SR-11, SR-12; (CIS) 15, 16

 

Sector-Specific Priorities and Recommendations

While core governance principles apply across industries, the specific risks, regulatory requirements, and operational realities of IoT deployments vary widely. The following sector-specific guidance outlines where CISOs should focus their attention to protect connected systems without disrupting workflows.

 

Manufacturing

Primary concerns: Uptime, safety, intellectual property theft, IT/OT convergence

Security Priorities:

  • Segment OT and IoT systems from IT networks to reduce lateral movement and contain potential compromise.
  • Monitor network traffic at IT/OT boundaries for unauthorized protocol use or command injection attempts.
  • Baseline behavior of critical production equipment using network or flow analytics, especially for legacy devices.
  • Apply zero trust principles between IT, OT, and IoT layers, including service and data flow restrictions.
  • Isolate or virtualize legacy systems that cannot be patched but are still required for operational continuity.
  • Engage plant engineering teams to incorporate security requirements into equipment procurement upgrades.

 

Rail and Transportation

Primary concerns: Safety, infrastructure integrity, remote asset exposure, compliance with TSA directives

Security priorities:

  • Secure communications between remote assets (e.g., sensors, switches) and central control systems.
  • Apply zero trust principles to inter-facility and cross-network traffic, even over private lines.
  • Segment operational control networks from administrative systems to reduce blast radius.
  • Monitor telemetry for tampering or unexpected data signatures, especially from remote or unmanned endpoints.
  • Implement secure device onboarding for mobile or field-deployed systems, using certificate-based identity or strong provisioning.

 

Hospitality

Primary concerns: Guest privacy, brand trust, high device turnover, third-party system integration

Security priorities:

  • Segment guest-facing IoT devices (e.g., smart locks, lighting, thermostats) from enterprise back-of-house systems.
  • Rotate access credentials between guests and clean device state upon checkout or turnover.
  • Enforce secure configuration baselines for all room or facility-level IoT systems before activation.
  • Require SBOMs and update schedules from third-party IoT platform vendors.
  • Monitor for abuse or manipulation of in-room technology, especially those connected to voice, video, or account systems.
  • Ensure vendor cloud platforms meet organizational and regulatory security standards.
  • Align privacy policies and data retention practices with the use of occupancy or behavior-tracking devices.

 

Pipelines and Energy Transport

Primary concerns: Physical safety, OT integrity, regulatory compliance, remote site exposure

Security priorities:

  • Enforce strict segmentation between IT, OT, and IoT environments, especially at remote or unmanned locations where physical access controls may be limited.
  • Apply identity-based access control and logging for all remote access to pipeline control systems and telemetry endpoints.
  • Monitor for command injection attempts, abnormal commands, or unauthorized logins using behavioral baselining and anomaly detection tools.
  • Review all external dependencies and vendor access paths, particularly those tied to cloud-managed monitoring or SCADA interfaces.
  • Align implementation with TSA’s Pipeline Security Guidelines, which emphasize system inventory, logical separation, and incident response preparedness.
  • Seriously consider the threat posed by even “unsophisticated” attackers, as highlighted in the recent CISA alert, as low complexity intrusions can lead to high-consequence outcomes in pipeline systems.

 

Manufacturers of IoT Devices: Security by Design

The security of IoT begins not at deployment, but at design. Organizations that develop and manufacture connected devices play a foundational role in the overall security ecosystem. If products are shipped with weak default settings, limited ability to be patched, or suspicious software composition, downstream customers are forced into compensating strategies that increase cost and complexity.

NISTIR 8259 and its companion documents establish a security baseline for IoT device manufacturers. These documents provide actionable guidance on the capabilities devices should support out of the box, including:

  • Device Identification: Devices must be uniquely identifiable.
  • Secure Default Settings: Devices should ship in a secure state and not require hardening post-deployment.
  • Update Mechanisms: Manufacturers must enable secure and verifiable patching, ideally over-the-air.
  • Data Protection: IoT devices should ensure data confidentiality, integrity, and authenticity in transit and at rest.
  • Access Control: Device interfaces must implement authentication and authorization, avoiding hardcoded credentials.
  • Logging and Monitoring: Devices should support security logging features to aid detection and response.
  • Cybersecurity State Awareness: Devices must be able to report their security posture to centralized systems.

Manufacturers who follow NISTIR 8259 reduce downstream burden for integrators, operators, and CISOs. Their devices become easier to onboard securely, easier to monitor, and safer to rely on in mission-critical environments. This also supports the broader industry shift toward procurement policies that require security by design as a condition of purchase.
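The "Update Mechanisms" capability above, as an added worked example of the device side of verifiable patching (this is not from the primer or from NISTIR 8259): a manifest binds an image hash to a version number and is authenticated, and the device verifies the manifest, checks the image against the hash, and refuses downgrades. An HMAC stands in for the asymmetric signature a real device would verify with a vendor public key, since the Python standard library has no signature primitive; every key, image, and version below is constructed.

```python
"""Added worked example (not from the primer or NISTIR 8259): the receiving side
of a verifiable update mechanism. A manifest binds a firmware image hash to a
version number and is authenticated; the device verifies the manifest, checks
the image against the hash, and refuses downgrades. An HMAC stands in here for
the asymmetric signature a real device would verify with a vendor public key
(the Python standard library has no signature primitive); every key and image
below is constructed."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-vendor-key-for-this-example-only"


def canonical(body: dict) -> bytes:
    """Deterministic encoding so signer and verifier authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side: hash the image, bind it to a version, authenticate the pair."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"body": body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class Device:
    """Minimal device state: the verification key and the installed version."""

    def __init__(self, key: bytes, installed_version: int):
        self.key = key
        self.installed_version = installed_version
        self.image = b""

    def apply_update(self, manifest: dict, image: bytes) -> tuple:
        body = manifest.get("body", {})
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        # 1. Authenticate the manifest before trusting anything in it
        if not hmac.compare_digest(expected, manifest.get("mac", "")):
            return False, "manifest authentication failed"
        # 2. The image must be the one the manifest describes
        if hashlib.sha256(image).hexdigest() != body.get("sha256"):
            return False, "image hash mismatch"
        # 3. Anti-rollback: never accept a version at or below the installed one
        if body.get("version", -1) <= self.installed_version:
            return False, f"rollback rejected (installed {self.installed_version})"
        self.image = image
        self.installed_version = body["version"]
        return True, f"installed version {body['version']}"


def demo() -> list:
    """Run four constructed update attempts and return their outcomes."""
    dev = Device(SIGNING_KEY, installed_version=3)
    good = build_manifest(b"firmware-v4-bytes", 4, SIGNING_KEY)
    results = [dev.apply_update(good, b"firmware-v4-bytes")]                # accepted
    results.append(dev.apply_update(good, b"firmware-v4-bytes-tampered"))   # hash mismatch
    old = build_manifest(b"firmware-v2-bytes", 2, SIGNING_KEY)
    results.append(dev.apply_update(old, b"firmware-v2-bytes"))             # rollback
    forged = build_manifest(b"unauthorized-image", 9, b"wrong-key")
    results.append(dev.apply_update(forged, b"unauthorized-image"))         # bad MAC
    return results


if __name__ == "__main__":
    for ok, msg in demo():
        print("OK " if ok else "REJ", msg)
```

The order of the checks matters: authentication comes first so that nothing in an unauthenticated manifest (including the version field) influences device state, and the rollback check is what prevents a correctly signed but older, vulnerable image from being reinstalled.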

Each industry faces unique challenges and opportunities when securing IoT. By aligning technical controls, policy frameworks, and stakeholder relationships to sector-specific needs, CISOs can effectively govern connected systems without sacrificing innovation, availability, or user trust.

 

Governance, Compliance, and Policy Alignment

Effective IoT security does not begin with technology, it begins with governance. As connected systems become more deeply embedded in business operations, CISOs must ensure that security controls, risk management processes, and regulatory requirements extend to the full IoT ecosystem.

While the earlier section, “Security Integration: Applying Governance to IoT,” focused on how to apply technical controls and architecture to secure IoT systems, this section addresses how to embed those practices into enterprise governance, policy frameworks, and regulatory alignment.

 

Align IoT Security with Existing Control Frameworks

Organizations should not create separate policies or frameworks for IoT. Instead, they should apply and adapt their existing security program using one or more of the following models:

  • NIST SP 800-53 Rev. 5: A comprehensive, control-oriented framework applicable to all enterprise systems, including IoT. It provides the full range of technical, administrative, and physical controls needed to govern IoT risk.
  • CIS Controls v8.1: A prioritized set of implementation-ready practices that offer fast alignment, especially for organizations that require prescriptive guidance or third-party assessments.
  • ISO/IEC 27001 and 27005: International standards for information security management and risk governance. These frameworks support cross-border compliance and vendor accountability.

NIST SP 800-213 should be used in conjunction with these frameworks to interpret how specific controls apply to IoT systems, particularly for procurement, architecture, and system integration decisions.

NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security, Appendix F, provides an OT overlay: a partial tailoring of the controls and control baselines in NIST SP 800-53 Rev. 5, with supplementary guidance specific to OT. The purpose of this overlay is to provide guidance for securing OT systems.

 

Integrate IoT into Policy and Governance Artifacts

Review and update core policy documents to ensure they explicitly cover IoT systems, devices, and data flows. This includes:

  • Acceptable Use Policies: Define who can deploy, manage, or access IoT systems.
  • Configuration Management Policies: Specify secure baselines and update expectations.
  • Incident Response Plans (IRP): Include IoT-specific playbooks and escalation paths.
  • Vendor Management Policies: Require SBOMs, patch timelines, and security SLAs.
  • Procurement Standards: Enforce security-by-design criteria at the sourcing stage.

 

Map Regulatory Requirements to IoT Contexts

IoT systems often fall within the scope of existing regulatory frameworks, even when not explicitly named. Sector-specific considerations can include:

 

Audit, Document, and Report

IoT systems should be auditable to the same standard as enterprise IT. Ensure that:

  • Asset inventories include IoT devices.
  • Control assessments cover segmented and embedded systems.
  • Policy exceptions are documented and justified.
  • Compliance reporting frameworks can reference IoT-specific actions and outcomes.

Where full control implementation is not possible due to vendor limitations or device constraints, document and review compensating controls as part of governance oversight.

Governance is where IoT security becomes demonstrable. By embedding IoT into control frameworks, policy documents, risk processes, and compliance reporting, CISOs can ensure that connected systems are not only protected, but that their protection is provable.

 

The Path Forward: Building a Sustainable IoT Security Strategy

IoT is no longer an emerging challenge, it is an operational reality. These systems are already present across enterprise environments, driving efficiency, insight, and innovation. The security imperative is clear: integrate IoT into the enterprise cybersecurity program with the same rigor and accountability applied to traditional IT and OT systems.

The good news is that most organizations already have the tools they need.

By extending existing governance frameworks, such as NIST SP 800-53 or CIS Controls, through a Zero Trust Architecture and a formal risk management program, CISOs can manage IoT risk without introducing unnecessary complexity or fragmentation.

The challenge is not technical capability. It’s discipline, visibility, and coordination.

Elements of a Forward-Looking IoT Security Strategy:

  1. Treat IoT as a First-Class Citizen of the Enterprise Risk Model

Every connected device is part of your attack surface. Inventory, categorize, and govern IoT systems as you would any other endpoint.

  2. Design for Control and Containment, Not Just Protection

Assume that not all devices can be hardened or updated. Focus on network segmentation, behavioral monitoring, and compensating controls.

  3. Formalize Governance Through Policy and Process

Update policies, processes, and procedures, including procurement standards and incident response plans, to reflect the presence and lifecycle of IoT devices.

  4. “Push Security Left” into Procurement, Vendor Evaluation, and Deployment

Require security by design, Software Bill of Materials (SBOM), and update guarantees before purchase, not after deployment.

  5. Invest in Cross-Functional Collaboration

Security teams must partner with facilities, clinical engineering, operations, legal, and procurement to ensure alignment and accountability.

  6. Plan for What Comes Next

IoT is not a temporary trend, and the convergence with IT will only continue. Does anyone remember when voice services were treated separately from the network? The organizations that govern IoT well will not only reduce risk, they will build resilience, enable innovation, and position themselves as leaders in secure digital operations.

Emerging technologies, AI-enabled IoT, edge computing, autonomous systems, will only accelerate complexity. The governance model you build today must be flexible enough to absorb what’s coming tomorrow.

 

Key Takeaways to Execute Strategy:

  • Use NIST SP 800-53 Rev. 5 as the authoritative control baseline. (National Institute of Standards and Technology, 2020) IoT systems must be held to the same cybersecurity outcomes as any other enterprise system: confidentiality, integrity, and availability.
  • Apply those controls within a Zero Trust Architecture, ensuring no device or communication is implicitly trusted.
  • Use your existing risk management framework (such as the NIST Risk Management Framework, or ISO 27005) to identify how IoT affects your current control environment, and where gaps or adjustments are needed.
  • Leverage NIST SP 800-213 to interpret how those controls apply to IoT contexts, helping clarify device-specific cybersecurity requirements. (National Institute of Standards and Technology, 2021)
  • Alternatively, organizations may choose to implement the CIS Controls (v8.1). (Center for Internet Security, 2024) The CIS framework is especially useful for organizations seeking simplicity, third-party accountability, or quick alignment across operational teams.
  • Apply this strategy contextually across key verticals, manufacturing, healthcare, rail, and hospitality, where IoT adoption intersects with safety, compliance, customer trust, and operational continuity.


Appendix: 

Table 2: Strategic Security Foundations for IoT


Works Cited

American Petroleum Institute. (2021, August 1). API Standard 1164: Pipeline Control Systems Cybersecurity (3rd ed.). Retrieved from American Petroleum Institute (API): https://www.api.org/oil-and-natural-gas/security/api-1164

California Department of Justice. (2018, June 28). California Consumer Privacy Act (CCPA). Retrieved from State of California – Department of Justice: https://oag.ca.gov/privacy/ccpa

Capgemini Research Institute. (2017, October 30). Smart Factories: How can manufacturers realize the potential of digital industrial revolution? Retrieved from Capgemini: [Archived – original report no longer publicly available]

Center for Internet Security. (2024). CIS Controls Version 8.1. Retrieved from Center for Internet Security: https://www.cisecurity.org/controls/cis-controls-list

Cybersecurity and Infrastructure Security Agency. (2025, May 6). Unsophisticated Cyber Actors Targeting Operational Technology. Retrieved from Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

Cynerio. (2022). The State of Healthcare IoT Device Security 2022. Retrieved from Cynerio: https://www.cynerio.com/landing-pages/the-state-of-healthcare-iot-device-security-2022

ECRI. (2017, November 13). Top 10 Health Technology Hazards for 2018. Retrieved from ECRI: https://www.ecri.org/Resources/Whitepapers_and_reports/Haz_18.pdf

European Union. (2016, April 27). General Data Protection Regulation (GDPR). Retrieved from GDPR Info: https://gdpr-info.eu/

European Union Agency for Railways. (n.d.). Railway Cybersecurity Report. Retrieved from ERA (European Union Agency for Railways): https://www.era.europa.eu/content/railway-safety-and-interoperability-2022-report_en

Federal Railroad Administration. (2020). Cyber Security Risk Management for Connected Railroads (DOT/FRA/ORD-20/09). Retrieved from U.S. Department of Transportation – Federal Railroad Administration: https://railroads.dot.gov/elibrary/cyber-security-risk-management-connected-railroads

Healthcare and Public Health Sector Coordinating Council. (2023). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved from U.S. Department of Health and Human Services: https://www.aha.org/system/files/media/file/2023/04/health-industry-cybersecurity-practices-managing-threats-and-protecting-patients-2023-by-healthcare-and-public-health-sector-coordinating-council.pdf

International Electrotechnical Commission. (2023, May). ISAGCA Quick Start Guide to the IEC/ISA 62443 Series of Standards. Retrieved from ISA Global Cybersecurity Alliance: https://21577316.fs1.hubspotusercontent-na1.net/hubfs/21577316/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/ISAGCA%20Quick%20Start%20Guide%20FINAL.pdf

International Organization for Standardization. (2022, October 25). ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection. Retrieved from ISO: https://www.iso.org/isoiec-27001-information-security.html

IoT Security Foundation. (2019, May 30). IoT Security Reference Architecture for the Healthcare Industry. Retrieved from IoT Security Foundation: https://iotsecurityfoundation.org/wp-content/uploads/2019/05/IoT-Security-Reference-Architecture-For-The-Healthcare-Industry.pdf

IoT Security Foundation. (2021, November 1). IoT Security Assurance Framework: Release 3.0. Retrieved from IoT Security Foundation: https://iotsecurityfoundation.org/wp-content/uploads/2021/11/IoTSF-IoT-Security-Assurance-Framework-Release-3.0-Nov-2021-1.pdf

National Institute of Standards and Technology. (2022, February 15). Guide to Industrial Control Systems (ICS) Security (SP 800-82 Rev. 3). Retrieved from National Institute of Standards and Technology (NIST): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

National Institute of Standards and Technology. (2020, May). NISTIR 8259: Foundational cybersecurity activities for IoT device manufacturers. Retrieved from NIST.gov: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf

National Institute of Standards and Technology. (2020, September 23). Security and Privacy Controls for Information. Retrieved from NIST Computer Security Resource Center (CSRC): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

National Institute of Standards and Technology. (2021, November 29). IoT Device Cybersecurity Guidance for the Federal. Retrieved from NIST Computer Security Resource Center (CSRC): https://csrc.nist.gov/publications/detail/sp/800-213/final

Oracle Hospitality. (2023). Hospitality Industry Trends for 2025: Creating Guest Experiences That Truly Matter. Retrieved from Oracle: https://www.oracle.com/a/ocom/docs/industries/hospitality/hospitality-industry-trends-for-2025.pdf

PCI Security Standards Council. (2022, March 31). PCI Data Security Standard v4.0. Retrieved from PCI Security Standards Council: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

The VERIS Community Database. (n.d.). Retrieved from VERIS: https://verisframework.org/vcdb.html

Transportation Security Administration. (2021, April 8). Pipeline Security Guidelines. Retrieved from U.S. Department of Homeland Security: https://www.tsa.gov/sites/default/files/pipeline_security_guidelines.pdf

Transportation Security Administration. (2022, October 24). Surface Transportation Cybersecurity Toolkit. Retrieved from TSA: https://www.tsa.gov/for-industry/surface-transportation-cybersecurity-toolkit

U.S. Department of Health and Human Services. (2013, May 26). HIPAA Security Rule. Retrieved from U.S. Department of Health and Human Services (HHS): https://www.hhs.gov/hipaa/for-professionals/security/index.html

U.S. Department of Homeland Security. (2016, November 15). Strategic Principles for Securing the Internet of Things. Retrieved from Department of Homeland Security (DHS): https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

U.S. Food and Drug Administration. (2023, September 27). Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions. Retrieved from U.S. Food and Drug Administration (FDA): https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

U.S. Government Publishing Office. (2023, January 10). Electronic Records; Electronic Signatures (21 CFR Part 11). Retrieved from Electronic Code of Federal Regulations (eCFR): https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11