国际物联网安全标准与认证大解析

Realize Ultimate Security every step starts with the labs
www.onwardsecurity.com
2021最佳物聯網資安公司
国际物联网
安全标准与认证大解析
仲至信息科技 CTO 刘作仁
2021/10/13

© 2021 Onward Security Corp. All rights reserved. 1
物联网资安合规解决方案
200+ Customers
Served
10+ Awards
资安实务
经验丰富
国际认可
实验室
国际奖项
• 2014成立
• 超过80位员工 400+ Products
Validated
Best IT Company
of the Year
Best Cybersecurity
Company – ASIA
Gold Winner
Hot Company in
Cybersecurity Internet of
Things

2
© 2021 Onward Security Corp. All rights reserved.
57% of IoT devices are currently vulnerable to medium or high-severity attacks
$500,000
IoT Vulnerabilities Cost More Than per month

Device Vulnerabilities in mid of 2021
• https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
• https://www.securityweek.com/vulnerability-affecting-routers-many-vendors-exploited-days-after-disclosure

• SB-327
• IoT Cybersecurity Improvement Act
• IoT Consumer TIPS Act
• Content of Premarket Submissions
for Management of Cybersecurity
in Medical Devices, FDA
• EU Cybersecurity Act
• FIPS 140-3
• NISTIR 8228
• NIST 8259 Series
• Amazon, Google, Apple
• CTIA
• ioXt
• Major telecom company (AT&T,
Sprint, Verizon, T-Mobile)
• ISO 15408 (Common Criteria)
• IEC 62443
• ISO/SAE 21434
• ETSI EN 303 645
• Major telecom company (Orange,
BT, DT, Vodafone, EE, Telefonica)
• Nokia
Regulration
Standard
Guideline
Industrial
Certificate
欧美连网产品安全法规/标准/指引

法规与国际标准
01

EU Cybersecurity Act
• Activated on June 2019
• EU Cybersecurity Certification
Framework
ü Covering ICT products, services
and processes.
ü Each scheme will specify one or
more level(s) of assurance (basic,
substantial or high)
High
(CABs)
Substantial
(CABs)
Basic
(CABs, No CABs)
• ETSI EN 303 645
• CC EAL2
• IEC 62443-4-2
• CC EAL3+
• CC EAL 4+
https://www.enisa.europa.eu/events/towards_security_framework/Presentation%20-%20Meister/

ETSI EN 303 645 (EU)
• Become operative on January 1, 2020.
• A manufacturer of a connected device
shall equip the device with a reasonable
security feature or features
• If a connected device is equipped with a
means for authentication outside a local
area network
Require vendors of Internet-connected devices
purchased by the federal government ensure their
devices are patchable, rely on industry standard
protocols, do not use
hard-coded passwords, and do not contain any
known security vulnerabilities.
The preprogrammed password is unique to
each device manufactured.
The device contains a security feature that
requires a user to generate a new means of
authentication before access is granted to
the device for the first time
SB-327 Information privacy :
connected devices (US)
https://www.etsi.org/newsroom/press-releases/1789-2020-06-
etsi-releases-world-leading-consumer-iot-security-standard
IoT Security In United States and Europe

FDA Premarket Submission for Management of
Cybersecurity in Medial Devices (2018)
Establish cybersecurity risk management plan and submit the related
documentations
Product Design Risk Management
• Cybersecurity design
control
• System diagrams
• Summary of design
features
• System level threat model
• List of cybersecurity
controls
• Testing report
• Traceability matrix
• CBOM
• device performance
• security effectiveness of third-party
OTS software
• testing for credential
• vulnerability scanning
• robustness testing
• boundary analysis
• penetration testing
• 3rd party test reports

国际资安认证
02

終止
Termination
Common Criteria 资安产品生命周期之安全保证
操作
Operation
交付
安装启动
Delivery
生产
Production
产品原型
测试
Testing
低阶设计
实作
Low-level
Design
架构设计
高阶设计
High-level
Design
功能规格
Functional
Requirements
安全需求
Security
Requirements
安全需求
Security
Requirements
设计发展
Development
测试
Testing
生产行销
Production
操作使用
Operation
符合性(≥ EAL1) 符合性(≥ EAL2) 符合性(≥ EAL3)
一致性一致性一致性
模組測試 (≥ EAL4)
子系統測試 (≥ EAL3)
產品黑箱測試 (≥ EAL2)
產品整合性測試 (≥ EAL1)
共同准则安全评估 Common Criteria for IT Security Evaluation
Module Testing (≥ EAL3)
Subsystem Testing (≥ EAL3)
Black-box Testing (≥ EAL2)
Conformance Testing (≥ EAL1)

FIPS 140-3
密码模组
Cryptographic
Module
软件
固件
硬件/固件/软件组合
1. Cryptographic Module Specification
2. Cryptographic module interfaces
3. Roles, Services, and Authentication
4. Software/Firmware security
5. Operational Environment
6. Physical Security
7. Non-invasive security
8. Sensitive security parameter management
9. Self Tests
10. Life-cycle assurance
11. Mitigation of Other Attacks

IEC 62443-4-2 Technical security requirements
for IACS components
IAC
Identification and
Authentication
Control
UC
User
Control
SI
System
Integrity
DC
Data
Confidentiality
RDF
Restricted
Data Flow
TRE
Timely Response
to Event
RA
Resource
Availability
detailed technical control system
component requirements

IEC 62443-4-1 / 62443-4-2 CBTL

Automotive Security - ISO 21434
• Define a well-defined process to
ensure that the cybersecurity is taken
care to reduce the intensity of the
cyber-attack
• The final standard has been
published on Aug 31, 2021.
https://www.pathpartnertech.com/an-overview-of-iso-sae-21434-road-vehicles-cybersecurity-engineering/

客户要求与产业资安认证
03

Amazon Alexa Service (AVS)

ioXt Alliance
The mission of the ioXt Alliance is to build confidence in Internet of Things products through multi-stakeholder,
international, harmonized, and standardized security and privacy requirements, product compliance programs,
and public transparency of those requirements and programs.

CTIA IoT Cybersecurity Certification Program
Cybersecurity for Devices on Wireless Networks
This program was developed with the support of wireless operators with the goal of
voluntarily establishing device cybersecurity best practices in the wireless industry.
This is the first mobile device cybersecurity program of its kind to have the backing of
wireless operators in collaboration with technology companies and certification test
labs.
The Cybersecurity Certification Program:
• Certifies security elements of LTE and 5G devices, including those
with Wi-Fi connections
• Creates an industry best practice for IoT security on wireless
networks
• Helps protect consumers and wireless infrastructure, while creating a
more secure foundation for smart cities, connected cars, mHealth,
and other IoT applications

Cybersecurity Certification for Products
300+ Clients get product certification in 10+ Countries
Smart Home IoT Products
Smartphone and built-in apps
Smart Bus Video
Surveillance
Cloud System
Smart Lighting
Mobile App
IACS
5G Products
Finance
EN 303 645

制造商与开发商的因应之道
04

仲至信息科技资安标准库
IEC 62443
EN 303 645
IEC 62351
ioXt
CTIA IoT
SB-327
Authentication
Physical
Firmware
Authorization
Audit
Encrytion
Questionnaire
Standards
Product Type
• Phase 1 - SR
• 安全功能清单
• PM / SA / RD
• Phase 4 - SVV
• 测试项目清单
• RD / QA

• Unique Password
• Vulnerability Reporting
(PSIRT)
• Authentication
• Secure Interface
• Cryptography
Critical Factor for Product Security
• Risk Management
• Software Update
IoT
(Consumer)
ICS/SCADA Medical Automotive
SBOM
(Software Bill of Material)
Privacy Protection SSDLC
Fuzz Testing
Integrity
Session Management
Audit Activity
Input Validation
Availability
Debug Interface
Input Validation
Privacy Protection
SSDLC

国际物联网安全标准与认证大解析

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 国际物联网安全标准与认证大解析

Similar to 国际物联网安全标准与认证大解析 (20)

Recently uploaded

Recently uploaded (19)

国际物联网安全标准与认证大解析