Smart Systems & IoT Security
IoT Security Baselines: NIST, ETSI EN 303 645, and OWASP
February 15, 2026
A practical guide to the three leading IoT security frameworks and what they mean for connected spaces.
Why IoT security baselines matter
Connected devices are now common in homes and offices, but many deployments still treat security as an afterthought: default credentials left unchanged, no update mechanism, and devices sharing a network with systems that hold sensitive data. The three baselines below exist to turn those gaps into explicit, testable requirements.
NIST IoT Cybersecurity (NISTIR 8259 and 8259A)
NISTIR 8259 describes the activities a manufacturer should carry out; NISTIR 8259A defines the six-capability core baseline a device should provide:
- Device identification — the device can be uniquely identified, logically and physically
- Device configuration — the device's software configuration can be changed, and only by authorised entities
- Data protection — the device can use cryptography to protect the data it stores and transmits (at rest and in transit)
- Logical access to interfaces — the device can restrict logical access to its local and network interfaces, i.e. authentication and authorisation controls
- Software update — the device's software can be updated by authorised entities only, through a secure and configurable mechanism (authenticated, integrity-checked)
- Cybersecurity state awareness — the device can report on its security state, e.g. by logging security-relevant events, and makes that information available to authorised entities only
ETSI EN 303 645
The standard sets out 13 security provisions (clauses 5.1 to 5.13) plus data-protection provisions in clause 6; those most relevant to this guide:
- No universal default passwords (5.1) — credentials unique per device, and not derivable from public information such as the serial number or MAC address
- Keep software updated (5.3) — a secure update mechanism in which the device verifies the authenticity and integrity of each update
- Communicate securely (5.5) — best-practice cryptography for communications; TLS is the usual way to meet this, but the standard sets the goal rather than mandating a protocol
- Minimize exposed attack surfaces (5.6) — unused network and physical interfaces disabled, debug interfaces closed, software running with least privilege
- Personal data protection (5.8 and clause 6) — personal data protected in storage and in transit, with user consent and a way for the user to delete it
OWASP IoT Top 10 (2018)
- Weak, guessable, or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces — web, backend API, cloud, or mobile interfaces outside the device itself
- Lack of secure update mechanisms
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
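All three frameworks ask for the same thing from an update mechanism: NIST's software-update capability, ETSI provision 5.3 and OWASP's "lack of secure update mechanisms". The following is an added example written for this guide, not code from the article or from any of the three bodies, of what that amounts to on the device: a manifest signed with an Ed25519 key the vendor keeps offline, a SHA-256 digest binding the manifest to the image, and an anti-rollback check on the version. The names (Manifest, BuildUpdate, VerifyUpdate) and the firmware bytes are constructed for the illustration; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The vendor signs the JSON encoding
// of the manifest with an offline Ed25519 key; the device holds only the
// public key, baked in at manufacture.
type Manifest struct {
	Version uint32 `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image bytes
}

// SignedUpdate is what the device downloads: manifest, signature and image.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadDigest    = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version is not newer than installed version")
)

// encodeManifest produces the exact bytes that are signed. json.Marshal emits
// struct fields in declaration order, so the encoding is deterministic.
func encodeManifest(m Manifest) []byte {
	b, err := json.Marshal(m)
	if err != nil {
		panic(err) // cannot fail for this struct
	}
	return b
}

// BuildUpdate is the vendor-side step: hash the image, sign the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, encodeManifest(m)), Image: image}
}

// VerifyUpdate is the device-side step. Order matters: authenticate the
// manifest first, then check image integrity against it, then refuse to go
// backwards in version (an attacker replaying a genuine but vulnerable image).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(pub, encodeManifest(u.Manifest), u.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return ErrBadDigest
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed firmware image v2") // stand-in for a real image
	u := BuildUpdate(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, u))

	tampered := u
	tampered.Image = []byte("constructed firmware image v2 with implant")
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replay of already-installed version:", VerifyUpdate(pub, 2, u))
}
```

The digest lives inside the signed manifest rather than beside it, so an attacker who can swap the image cannot also swap the digest; and the version check runs only after the signature check, so a forged manifest cannot influence the anti-rollback decision.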
In practice
- Change all default credentials before deployment, and prefer devices that ship with credentials unique to each unit
- Put IoT devices on a dedicated VLAN, with firewall rules that allow only the cloud endpoints each device needs and block it from reaching workstations, servers and management networks
- Use TLS for all device-to-cloud communication, with certificate verification enabled; a client that skips verification still encrypts, but gives no protection against an on-path attacker
- Check before purchase that the vendor delivers signed, integrity-checked updates, and for how long
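The TLS point above, and the communications-security items in all three baselines (NIST data protection, ETSI 5.5, OWASP's insecure data transfer), come down to one client configuration decision. The following is an added example written for this guide, not code from the article: a device-side HTTP client in Go that trusts only the vendor's root certificate and requires TLS 1.2 or newer, shown beside the InsecureSkipVerify anti-pattern, both run against a local stand-in for the cloud endpoint. The endpoint is an httptest server whose self-signed certificate plays the role of a vendor-operated CA; the function names (deviceClient, insecureClient, Run) and the "telemetry accepted" response are constructed for the illustration, and only the Go standard library is used.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Result records what each client variant got from the same TLS endpoint.
type Result struct {
	PinnedBody  string // response seen by the correctly configured client
	UnpinnedErr error  // error seen by a client whose trust store lacks the vendor root
	InsecureOK  bool   // whether the verification-disabled client connected anyway
}

// deviceClient is the configuration a device should use towards its cloud
// endpoint: trust only the roots baked in at manufacture (here, the pool
// passed in), require TLS 1.2 or newer, and leave hostname verification on.
func deviceClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
	}}}
}

// insecureClient is the anti-pattern: traffic is still encrypted, but any
// certificate is accepted, so an on-path attacker can present their own and
// read or modify everything the device sends.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // never ship this
	}}}
}

// get performs one request and returns the body, or the handshake/transport error.
func get(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Run starts a stand-in cloud endpoint with a self-signed certificate (the
// constructed equivalent of a vendor CA) and exercises three clients against it.
func Run() Result {
	cloud := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "telemetry accepted")
	}))
	defer cloud.Close()

	// The device's pinned trust store contains exactly the vendor's root.
	vendorRoots := x509.NewCertPool()
	vendorRoots.AddCert(cloud.Certificate())

	var res Result
	res.PinnedBody, _ = get(deviceClient(vendorRoots), cloud.URL)

	// Same device code with an empty trust store: the handshake must fail,
	// which is exactly what should happen when an attacker's certificate
	// is presented to a correctly configured device.
	_, res.UnpinnedErr = get(deviceClient(x509.NewCertPool()), cloud.URL)

	// Verification disabled: connects to anything, which is the problem.
	_, err := get(insecureClient(), cloud.URL)
	res.InsecureOK = err == nil
	return res
}

func main() {
	r := Run()
	fmt.Println("pinned client:", r.PinnedBody)
	fmt.Println("client without vendor root:", r.UnpinnedErr)
	fmt.Println("InsecureSkipVerify client connected:", r.InsecureOK)
}
```

Pinning the vendor's own root rather than the public Web PKI keeps the device's trust store small and independent of whatever CA bundle the firmware happened to ship with; the cost is that root rotation must be planned through the update mechanism before the pinned root expires.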