Per-user keying / MAC filtering for IoT
Demonstrate that each IoT device authenticates using unique per-device cryptographic keys or approved MAC addresses mapped to authorized accounts, and that unauthorized devices are blocked at the network layer.
Description
What this control does
Per-user keying and MAC filtering for IoT restricts network access to authorized IoT devices by binding a unique cryptographic key or a hardware MAC address to an individual user account or device identity. Each device authenticates with its own credential rather than a pre-shared key (PSK) common to many devices, and the network infrastructure enforces a MAC address allow-list so that devices not on the list cannot connect. This gives per-device accountability, prevents one credential from being reused across devices, and allows a single device to be revoked without touching other endpoints.
Control objective
What auditing this proves
Demonstrate that each IoT device authenticates using unique per-device cryptographic keys or approved MAC addresses mapped to authorized accounts, and that unauthorized devices are blocked at the network layer.
Associated risks
Risks this control addresses
- Attackers reuse compromised shared credentials to impersonate multiple IoT devices across the network
- Rogue IoT devices connect using cloned or spoofed MAC addresses, bypassing network access controls
- Inability to revoke access for a single compromised device without rotating credentials for all IoT endpoints
- Lack of forensic traceability linking network activity to specific devices or responsible users
- Lateral movement by adversaries who extract shared keys from one IoT device and apply them to attacker-controlled hardware
- Insider threats deploying unauthorized IoT devices using legitimate but shared authentication credentials
- Operational disruption when a single credential compromise forces organization-wide key rotation across all IoT assets
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of IoT devices on the network, including make, model, MAC address, assigned VLAN, and associated user or asset owner.
- Review the wireless access point, switch port security, or network access control (NAC) configuration to identify MAC filtering policies and authentication mechanisms for IoT subnets.
- Export the MAC address allow-list from network infrastructure and cross-reference it against the authorized IoT device inventory to identify discrepancies.
- Select a sample of 10–15 IoT devices spanning different device types and network segments, and verify each device possesses a unique certificate, API key, or PSK stored in configuration files or device management consoles.
- Attempt to connect an unauthorized test device with a spoofed MAC address from the allow-list to confirm whether the network correctly blocks or quarantines the connection.
- Review identity and access management (IAM) or certificate authority logs to confirm unique key issuance events correspond to approved device onboarding records.
- Interview the network operations team to confirm the process for adding, modifying, or revoking device-specific keys or MAC entries, and request evidence of at least two recent revocation actions.
- Test device revocation by selecting one active IoT device, removing its MAC address or key from the access control system, and confirming the device loses network connectivity within the documented timeframe.
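The inventory/allow-list cross-reference (third step) and the per-device key uniqueness check (fourth step) are the parts of this procedure an auditor usually scripts. The following is an added worked example, not code from the control's author: it takes a constructed inventory export and a constructed allow-list export in the mixed MAC notations different tools emit, canonicalises the MACs, and reports the four discrepancy classes the procedure asks for. The column names, the `fp-…` credential fingerprints and the `mac vlan` allow-list layout are assumptions for the example; the inventory is assumed to record a hash of each device's certificate or PSK rather than the secret itself, which is enough to detect sharing.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data (not from any real network): an IoT inventory export
# and a MAC allow-list export from a NAC or switch. The credential_fingerprint
# column is assumed to hold a hash of the device's certificate or PSK, never the
# secret, so key uniqueness can be checked without exporting keys.
INVENTORY_CSV = """device_id,make,model,mac,vlan,owner,credential_fingerprint
cam-01,Acme,IPCam200,00:1A:2B:3C:4D:5E,30,facilities,fp-7f3a
cam-02,Acme,IPCam200,00-1a-2b-3c-4d-5f,30,facilities,fp-7f3a
sensor-07,Beta,TempSense,001a.2b3c.4d60,31,ops,fp-c19e
printer-03,Gamma,LaserJet,001A2B3C4D61,32,it,fp-e4b0
"""

# Assumed allow-list layout: one "mac vlan" pair per line, '#' comments.
ALLOWLIST_TXT = """# mac vlan
00:1a:2b:3c:4d:5e 30
00:1a:2b:3c:4d:5f 30
00:1a:2b:3c:4d:60 32
00:1a:2b:3c:4d:99 31
"""


def normalize_mac(raw: str) -> str:
    """Canonicalise colon, dash, Cisco dotted or bare-hex MACs to lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text: str) -> dict:
    """Map device_id -> inventory row, with the MAC canonicalised."""
    devices = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["mac"] = normalize_mac(row["mac"])
        devices[row["device_id"]] = row
    return devices


def parse_allowlist(text: str) -> dict:
    """Map canonical MAC -> VLAN the network admits it to."""
    allowed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, vlan = line.split()
        allowed[normalize_mac(mac)] = vlan
    return allowed


def audit_iot_access(inventory_text: str, allowlist_text: str) -> dict:
    """Cross-reference inventory against allow-list and check key uniqueness."""
    devices = parse_inventory(inventory_text)
    allowed = parse_allowlist(allowlist_text)
    inventory_macs = {d["mac"] for d in devices.values()}

    findings = {
        "not_in_allowlist": [],      # authorised device the network would not admit
        "unknown_allowed_macs": [],  # admitted MAC with no owner in the inventory
        "vlan_mismatch": [],         # device admitted to a segment other than its assigned one
        "shared_credentials": {},    # one key used by several devices: not per-device keying
    }
    for dev_id, d in sorted(devices.items()):
        if d["mac"] not in allowed:
            findings["not_in_allowlist"].append(dev_id)
        elif allowed[d["mac"]] != d["vlan"]:
            findings["vlan_mismatch"].append((dev_id, d["vlan"], allowed[d["mac"]]))
    findings["unknown_allowed_macs"] = sorted(m for m in allowed if m not in inventory_macs)

    by_fingerprint = defaultdict(list)
    for dev_id, d in devices.items():
        by_fingerprint[d["credential_fingerprint"]].append(dev_id)
    findings["shared_credentials"] = {
        fp: sorted(ids) for fp, ids in by_fingerprint.items() if len(ids) > 1
    }
    return findings


if __name__ == "__main__":
    for name, items in audit_iot_access(INVENTORY_CSV, ALLOWLIST_TXT).items():
        print(f"{name}: {items}")
```

On the sample data this reports `printer-03` as inventoried but not admitted, `00:1a:2b:3c:4d:99` as admitted with no owner (the finding that matters most for this control), `sensor-07` landing on a VLAN other than its assigned one, and `cam-01`/`cam-02` sharing one credential, which is exactly the shared-key condition the risk list describes. Because a MAC entry is only as strong as the hardware address it names (the spoofing risk above is why the procedure includes the spoofed-MAC test), an unknown allowed MAC should be treated as a gap in the control, not merely as an inventory error, and the credential-uniqueness result should carry more weight than the MAC match alone.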
Where this control is tested