SlideShare a Scribd company logo
1 of 27
Download to read offline
Fraunhofer FOKUS
Institute for Open Communication Systems
Towards a certification scheme for
IoT security evaluation
R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
Agenda
1 Background
2 ENISA recommendations
3 Certification schemes
4 IoTAC project approach
5 Conclusion
2
1 Background
Fraunhofer is Europe’s largest application oriented research
organization:
Fraunhofer Society
©
Michael
Zalewski/
Fraunhofer
FOKUS
©
Fraunhofer-Gesellschaft
> 29.000
Employees
75
Institutes and research units
> 2.8 billion €
Budget (1/3 government, 1/3 public, 1/3 industry)
4
Fraunhofer Institute
for Open Communication Systems (FOKUS)
We connect everything
secure, reliable, sustainable
Fraunhofer Institute FOKUS
The largest Fraunhofer ICT institute (~450 employees).
Located in Berlin.
Fields of application and strategic topics of Fraunhofer FOKUS
5
STRATEGIC TOPICS
FIELDS OF APPLICATION
Sustainability
Artificial
Intelligence
Digital
Life
Security/
Certification
Digital
Governance
Digital
Networking
(e.g. 5G/6G)
Quantum
Computing
2 ENISA recommendations
➢ European Union Agency for Cybersecurity
❖ achieving a high common level of cybersecurity
across Europe
➢ ENISA’s Stakeholder Cybersecurity Certification
Group (SCCG)
❖ development of a cybersecurity certification scheme for
IoT products
❖ EUCC, a candidate cybersecurity certification scheme to
serve as a successor to the existing SOG-IS
❖ Indication of selected international standards to be
considered for IoT certification
Who is ENISA?
7
Agenda
1 Background
2 ENISA recommendations
3 Certification schemes
4 IoTAC project approach
5 Conclusion
8
3 Certification schemes
IEC 62443 Industrial communication networks –
IT security for networks and systems
10
➢ security requirements definition, secure design, secure
implementation, including coding guidelines, verification and
validation, defect management, patch management and
product end-of-life
➢ focus on the design aspects for the target industrial security
product
➢ provides development guidance to ensure an advanced
development process
➢ content is on a general level and can be described as a best
practice guide without much detail on functionality and
evaluation aspects
➢ do not contain concrete test scenarios
Part 4-1: Secure product
development lifecycle requirements
11
➢ technical security requirements for the product itself
➢ requirements address
− identification and authentication control,
− use control,
− system integrity,
− data confidentiality,
− restricted data flow,
− timely response to events, and
− resource availability
➢ considers all Security functional requirement (SFR) classes
from the CommonCriteria
➢ product requirements have been related to security levels 0
to 4
Part 4-2: Technical security
requirements for IACS components
12
ISO/IEC
Joint Technical Committee (JTC1)
13
➢ device that enables trust in computing platforms in general
➢ TPMs require hardware protections to provide three roots of
trust: storage, measurement, and reporting
➢ root of trust for storage consists primarily of creating, managing
and protecting cryptographic keys and other data values
➢ Artefacts protected by or associated with encryption keys, like
passwords, certificates or other credentials, can be used for
authentication and many other security scenarios
ISO/IEC 11889 consists of the following four parts:
• Part 1: Architecture
• Part 2: Structures
• Part 3: Commands
• Part 4: Supporting routines
➢ standard provide many design recommendations
➢ no scenarios for quality testing
ISO/IEC 11889 Trusted Platform Module
14
➢ standard is intended to specify a security baseline or platform
for ‘IoT devices’ [things] supporting information security and
privacy controls.
➢ Examples of baseline [information security] requirements cover
the following topics:
• Unique device identifier that should be immutable and
verifiable
• Factory reset functionality
• Delete all user data information’ functionality
• Protection of data
• Patching/updating capability for firmware and software)
➢ provides concrete requirements for the security product itself
➢ In comparison with CC: small selection towards ten SFRs (FIA,
FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA)
ISO/IEC 27402 (committee draft)
15
Global Platform (GP)
Security Evaluation Standard for IoT Platforms (SESIP)
16
➢ designed specifically for the IoT platforms and platform parts
on which IoT products are based
➢ SESIP provides a common and optimized approach for
evaluating the security of connected products that meets the
specific compliance, security, privacy and scalability
challenges of the evolving IoT ecosystem
➢ follows all mandatory aspects of ISO 15408 Common
Criteria standard
➢ addresses both SFRs and SARs
➢ does not provide concrete design decisions or test
objectives
GP Security Evaluation Standard for
IoT Platforms (SESIP)
17
ETSI
TC CYBER series
18
➢ specifies high-level security and data protection provisions
for consumer IoT devices
➢ connected to network infrastructure (such as the Internet or
home network) and their interactions with associated
services
➢ basic guidance through examples and explanatory text on
how to implement these requirements
➢ addresses requirements for the security product itself
➢ also assurance requirements (software update process)
➢ possible to find relationships both to SFRs and to SARs
ETSI EN 303 645
Cyber Security for Consumer IoT:
Baseline Requirements
19
➢ specifies test scenarios for assessing consumer IoT products
against the provisions of EN 303 645
➢ mandatory and recommended assessments, guidance and
examples to support implementations
➢ targeting testing labs and certification bodies that provide
assurance on the security of relevant products
➢ targeting manufacturers that wish to carry out a self-
assessment
➢ document does not set out detailed testing protocols
➢ intended as input to a future EU common cybersecurity
certification scheme as proposed in the Cybersecurity Act
➢ addresses the definition of concrete tests using an informal
description of test purposes, test actions and conditions for the
assignment of verdicts
ETSI TS 103 701 (draft)
20
4 IoTAC project approach
➢ Security By Design IoT Development and Certificate
Framework with Front-end Access Control
➢ aims to deliver a novel, secure and privacy-friendly
IoT architecture
➢ EU-funded H2020 research and innovation project
➢ Start date: 01 September 2020
IoTAC project
22
Industry
Consumer
System
Device
Product
Assess
Process
Design
Quality
Test
Level #req
IEC 62443-4-1 I S (X) (X) (X) - 48
IEC 62443-4-2 I S X (X) SL 88
ISO/IEC 11889 S X X - N/A
ISO/IEC 27402 D (X) (X) - 13
GP SESIP S X (X) X EAL 53
ETSI EN 303645 C D X X o 67
ETSI TS 103701 C D (X) X X 109
Content classification of selected standards
23
Proposed Certification Process
5 Conclusions
➢ Multiple different aspects of Certification are under
discussion
❖ Various working groups of standardization bodies and
industrial associations
❖ Technical viewpoints differ due to the various
stakeholders
➢ ENISA documents already support the interested experts
and public community
❖ Missing QA, Testing and Certification
➢ A need for harmonization and common strategies
❖ More emphasise on quality and testing
➢ European research project IoTAC work
❖ https://iotac.eu/
Summary
26
Fraunhofer FOKUS
Institute for Open Communication Systems
Kaiserin-Augusta-Allee 31
10589 Berlin, Germany
https://www.fokus.fraunhofer.de/en/sqc
ramon.barakat@fokus.fraunhofer.de
faruk.catal@fokus.fraunhofer.de
sascha.hackel@fokus.fraunhofer.de
axel.rennoch@fokus.fraunhofer.de
martin.schneider@fokus.fraunhofer.de
Thank you for your attention!
Acknowledgement: The contribution have been partly supported by the European commission
H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.

More Related Content

What's hot

IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialSamsung Open Source Group
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemRISC-V International
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableJonathan Jeon
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsChantalWauters
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under ThreatPriyanka Aash
 

What's hot (7)

IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystem
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/Wearable
 
C12 Profinet diagnostics during the entire life cycle of production lines a...
C12   Profinet diagnostics during the entire life cycle of production lines a...C12   Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding Standards
 
Vahid nazaritalooki cv
Vahid nazaritalooki cvVahid nazaritalooki cv
Vahid nazaritalooki cv
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under Threat
 

Similar to Towards a certification scheme for IoT security evaluation

Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingAxel Rennoch
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesDavid Shepherd
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksDesign World
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián GallegoRedit
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and productsJavier Tallón
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2俠客科技
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security StandardsConferencias FIST
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesAxel Rennoch
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentIntland Software GmbH
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalSyam Madanapalli
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practiceteam-WIBU
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Jonathan Jeon
 
KATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaKATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaGabriela Ehrlich
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkDeutsche Telekom AG
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyICS
 

Similar to Towards a certification scheme for IoT security evaluation (20)

Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge Computing
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety Networks
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security Standards
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and Initiatives
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development Environment
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
 
KATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaKATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , Korea
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification Framework
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case Study
 

Recently uploaded

React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Nikki Chapple
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 

Recently uploaded (20)

React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
Microsoft 365 Copilot: How to boost your productivity with AI – Part two: Dat...
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 

Towards a certification scheme for IoT security evaluation

  • 1. Fraunhofer FOKUS Institute for Open Communication Systems Towards a certification scheme for IoT security evaluation R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
  • 2. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 2
  • 4. Fraunhofer is Europe’s largest application oriented research organization: Fraunhofer Society © Michael Zalewski/ Fraunhofer FOKUS © Fraunhofer-Gesellschaft > 29.000 Employees 75 Institutes and research units > 2.8 billion € Budget (1/3 government, 1/3 public, 1/3 industry) 4 Fraunhofer Institute for Open Communication Systems (FOKUS) We connect everything secure, reliable, sustainable Fraunhofer Institute FOKUS The largest Fraunhofer ICT institute (~450 employees). Located in Berlin.
  • 5. Fields of application and strategic topics of Fraunhofer FOKUS 5 STRATEGIC TOPICS FIELDS OF APPLICATION Sustainability Artificial Intelligence Digital Life Security/ Certification Digital Governance Digital Networking (e.g. 5G/6G) Quantum Computing
  • 7. ➢ European Union Agency for Cybersecurity ❖ achieving a high common level of cybersecurity across Europe ➢ ENISA’s Stakeholder Cybersecurity Certification Group (SCCG) ❖ development of a cybersecurity certification scheme for IoT products ❖ EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS ❖ Indication of selected international standards to be considered for IoT certification Who is ENISA? 7
  • 8. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 8
  • 10. IEC 62443 Industrial communication networks – IT security for networks and systems 10
  • 11. ➢ security requirements definition, secure design, secure implementation, including coding guidelines, verification and validation, defect management, patch management and product end-of-life ➢ focus on the design aspects for the target industrial security product ➢ provides development guidance to ensure an advanced development process ➢ content is on a general level and can be described as a best practice guide without much detail on functionality and evaluation aspects ➢ do not contain concrete test scenarios Part 4-1: Secure product development lifecycle requirements 11
  • 12. ➢ technical security requirements for the product itself ➢ requirements address − identification and authentication control, − use control, − system integrity, − data confidentiality, − restricted data flow, − timely response to events, and − resource availability ➢ considers all Security functional requirement (SFR) classes from the CommonCriteria ➢ product requirements have been related to security levels 0 to 4 Part 4-2: Technical security requirements for IACS components 12
  • 14. ➢ device that enables trust in computing platforms in general ➢ TPMs require hardware protections to provide three roots of trust: storage, measurement, and reporting ➢ root of trust for storage consists primarily of creating, managing and protecting cryptographic keys and other data values ➢ Artefacts protected by or associated with encryption keys, like passwords, certificates or other credentials, can be used for authentication and many other security scenarios ISO/IEC 11889 consists of the following four parts: • Part 1: Architecture • Part 2: Structures • Part 3: Commands • Part 4: Supporting routines ➢ standard provide many design recommendations ➢ no scenarios for quality testing ISO/IEC 11889 Trusted Platform Module 14
  • 15. ➢ standard is intended to specify a security baseline or platform for ‘IoT devices’ [things] supporting information security and privacy controls. ➢ Examples of baseline [information security] requirements cover the following topics: • Unique device identifier that should be immutable and verifiable • Factory reset functionality • Delete all user data information’ functionality • Protection of data • Patching/updating capability for firmware and software) ➢ provides concrete requirements for the security product itself ➢ In comparison with CC: small selection towards ten SFRs (FIA, FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA) ISO/IEC 27402 (committee draft) 15
  • 16. Global Platform (GP) Security Evaluation Standard for IoT Platforms (SESIP) 16
  • 17. ➢ designed specifically for the IoT platforms and platform parts on which IoT products are based ➢ SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem ➢ follows all mandatory aspects of ISO 15408 Common Criteria standard ➢ addresses both SFRs and SARs ➢ does not provide concrete design decisions or test objectives GP Security Evaluation Standard for IoT Platforms (SESIP) 17
  • 19. ➢ specifies high-level security and data protection provisions for consumer IoT devices ➢ connected to network infrastructure (such as the Internet or home network) and their interactions with associated services ➢ basic guidance through examples and explanatory text on how to implement these requirements ➢ addresses requirements for the security product itself ➢ also assurance requirements (software update process) ➢ possible to find relationships both to SFRs and to SARs ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements 19
  • 20. ➢ specifies test scenarios for assessing consumer IoT products against the provisions of EN 303 645 ➢ mandatory and recommended assessments, guidance and examples to support implementations ➢ targeting testing labs and certification bodies that provide assurance on the security of relevant products ➢ targeting manufacturers that wish to carry out a self- assessment ➢ document does not set out detailed testing protocols ➢ intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act ➢ addresses the definition of concrete tests using an informal description of test purposes, test actions and conditions for the assignment of verdicts ETSI TS 103 701 (draft) 20
  • 21. 4 IoTAC project approach
  • 22. ➢ Security By Design IoT Development and Certificate Framework with Front-end Access Control ➢ aims to deliver a novel, secure and privacy-friendly IoT architecture ➢ EU-funded H2020 research and innovation project ➢ Start date: 01 September 2020 IoTAC project 22
  • 23. Industry Consumer System Device Product Assess Process Design Quality Test Level #req IEC 62443-4-1 I S (X) (X) (X) - 48 IEC 62443-4-2 I S X (X) SL 88 ISO/IEC 11889 S X X - N/A ISO/IEC 27402 D (X) (X) - 13 GP SESIP S X (X) X EAL 53 ETSI EN 303645 C D X X o 67 ETSI TS 103701 C D (X) X X 109 Content classification of selected standards 23
  • 26. ➢ Multiple different aspects of Certification are under discussion ❖ Various working groups of standardization bodies and industrial associations ❖ Technical viewpoints differ due to the various stakeholders ➢ ENISA documents already support the interested experts and public community ❖ Missing QA, Testing and Certification ➢ A need for harmonization and common strategies ❖ More emphasise on quality and testing ➢ European research project IoTAC work ❖ https://iotac.eu/ Summary 26
  • 27. Fraunhofer FOKUS Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin, Germany https://www.fokus.fraunhofer.de/en/sqc ramon.barakat@fokus.fraunhofer.de faruk.catal@fokus.fraunhofer.de sascha.hackel@fokus.fraunhofer.de axel.rennoch@fokus.fraunhofer.de martin.schneider@fokus.fraunhofer.de Thank you for your attention! Acknowledgement: The contribution have been partly supported by the European commission H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.