IoT-OT Security Policy

The IoT / OT Security Policy (P35) establishes a comprehensive set of mandatory information security requirements for the deployment, operation, monitoring, and decommissioning of Internet of Things (IoT) and Operational Technology (OT) systems throughout the organization. Its primary aim is to integrate these technologies into the organization’s overall cybersecurity management system, ensuring robust protection against compromise, misuse, or operational sabotage. Scope of this policy encompasses all IoT and OT systems, whether they are company-owned, leased, or sourced from third parties, used within any operational, administrative, or production environment. IoT devices covered include environmental sensors, access control mechanisms, smart lighting, surveillance, and wearables, while OT systems range from programmable logic controllers (PLCs) and SCADA/DCS platforms to human-machine interfaces and field controllers. The policy outlines requirements across all environments (on-premises, cloud, edge), lifecycle stages (design, procurement, deployment, operation, decommissioning), and stakeholders, including internal users, integrators, third-party vendors, and contractors. Key objectives center on safeguarding these infrastructures from threats such as denial-of-service, unauthorized access, ransomware, and firmware tampering. The policy mandates the adoption of security-by-design and defense-in-depth methodologies, requiring that all deployments comply with core standard controls such as ISO/IEC 27001 and sector-relevant guidance (IEC 62443, NIST SP 800-82). Secure integration with security operations, including incident response escalation, classification of business-critical OT events, and the documentation of cross-departmental procedures is an integral component. Governance requirements specify device security configurations (unique credentials, hardware certificates, secure boot), enforce strict network segmentation between IT/OT, and prohibit insecure protocols unless secured and risk-accepted. Monitoring and threat detection are continuous, with device and network activities scrutinized using industrial network detection tools, SIEM rules, deep packet inspection, and log retention practices. Security patching and firmware validation are integral, and decommissioning of end-of-life devices requires data wiping, credential revocation, and asset inventory updates. Exception handling and risk treatment are clearly defined for legacy systems unable to meet requirements, necessitating formal documentation, mitigation controls, dedicated subnets, and monitoring. The policy is tightly integrated with related policies governing risk management, asset inventory, endpoint protection, logging and monitoring, incident response, and audit/compliance. Reviews are conducted annually or upon significant system, vendor, or threat landscape changes, ensuring continued alignment with regulatory, contractual, and operational demands. Enforcement mechanisms include audit reviews, disciplinary procedures, vendor sanctions, and escalation of legal actions in cases of regulatory breach or sabotage.