Fraunhofer FOKUS
Institute for Open Communication Systems
Towards a certification scheme for
IoT security evaluation
R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
Agenda
1 Background
2 ENISA recommendations
3 Certification schemes
4 IoTAC project approach
5 Conclusion
1 Background
Fraunhofer Society
Fraunhofer is Europe’s largest application-oriented research organization:
> 29.000 Employees
75 Institutes and research units
> 2.8 billion € Budget (1/3 government, 1/3 public, 1/3 industry)
© Michael Zalewski/Fraunhofer FOKUS, © Fraunhofer-Gesellschaft
Fraunhofer Institute FOKUS
Fraunhofer Institute for Open Communication Systems (FOKUS)
We connect everything
secure, reliable, sustainable
The largest Fraunhofer ICT institute (~450 employees).
Located in Berlin.
Fields of application and strategic topics of Fraunhofer FOKUS
STRATEGIC TOPICS
FIELDS OF APPLICATION
Sustainability
Artificial Intelligence
Digital Life
Security/Certification
Digital Governance
Digital Networking (e.g. 5G/6G)
Quantum Computing
2 ENISA recommendations
Who is ENISA?
➢ European Union Agency for Cybersecurity
❖ achieving a high common level of cybersecurity across Europe
➢ ENISA’s Stakeholder Cybersecurity Certification Group (SCCG)
❖ development of a cybersecurity certification scheme for IoT products
❖ EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS
❖ Indication of selected international standards to be considered for IoT certification
3 Certification schemes
IEC 62443 Industrial communication networks – IT security for networks and systems
Part 4-1: Secure product development lifecycle requirements
➢ security requirements definition, secure design, secure implementation, including coding guidelines, verification and validation, defect management, patch management and product end-of-life
➢ focus on the design aspects for the target industrial security product
➢ provides development guidance to ensure an advanced development process
➢ content is on a general level and can be described as a best practice guide without much detail on functionality and evaluation aspects
➢ does not contain concrete test scenarios
Part 4-2: Technical security requirements for IACS components
➢ technical security requirements for the product itself
➢ requirements address
− identification and authentication control,
− use control,
− system integrity,
− data confidentiality,
− restricted data flow,
− timely response to events, and
− resource availability
➢ considers all security functional requirement (SFR) classes from the Common Criteria
➢ product requirements have been related to security levels 0 to 4
ISO/IEC Joint Technical Committee (JTC1)
ISO/IEC 11889 Trusted Platform Module
➢ device that enables trust in computing platforms in general
➢ TPMs require hardware protections to provide three roots of trust: storage, measurement, and reporting
➢ root of trust for storage consists primarily of creating, managing and protecting cryptographic keys and other data values
➢ Artefacts protected by or associated with encryption keys, like passwords, certificates or other credentials, can be used for authentication and many other security scenarios
ISO/IEC 11889 consists of the following four parts:
• Part 1: Architecture
• Part 2: Structures
• Part 3: Commands
• Part 4: Supporting routines
➢ standard provides many design recommendations
➢ no scenarios for quality testing
ISO/IEC 27402 (committee draft)
➢ standard is intended to specify a security baseline or platform for ‘IoT devices’ [things] supporting information security and privacy controls.
➢ Examples of baseline [information security] requirements cover the following topics:
• Unique device identifier that should be immutable and verifiable
• Factory reset functionality
• ‘Delete all user data information’ functionality
• Protection of data
• Patching/updating capability for firmware and software
➢ provides concrete requirements for the security product itself
➢ In comparison with CC: small selection towards ten SFRs (FIA, FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA)
Global Platform (GP)
Security Evaluation Standard for IoT Platforms (SESIP)
GP Security Evaluation Standard for IoT Platforms (SESIP)
➢ designed specifically for the IoT platforms and platform parts on which IoT products are based
➢ SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem
➢ follows all mandatory aspects of ISO 15408 Common Criteria standard
➢ addresses both SFRs and SARs
➢ does not provide concrete design decisions or test objectives
ETSI TC CYBER series
ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements
➢ specifies high-level security and data protection provisions for consumer IoT devices
➢ connected to network infrastructure (such as the Internet or home network) and their interactions with associated services
➢ basic guidance through examples and explanatory text on how to implement these requirements
➢ addresses requirements for the security product itself
➢ also assurance requirements (software update process)
➢ possible to find relationships both to SFRs and to SARs
ETSI TS 103 701 (draft)
➢ specifies test scenarios for assessing consumer IoT products against the provisions of EN 303 645
➢ mandatory and recommended assessments, guidance and examples to support implementations
➢ targeting testing labs and certification bodies that provide assurance on the security of relevant products
➢ targeting manufacturers that wish to carry out a self-assessment
➢ document does not set out detailed testing protocols
➢ intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act
➢ addresses the definition of concrete tests using an informal description of test purposes, test actions and conditions for the assignment of verdicts
4 IoTAC project approach
IoTAC project
➢ Security By Design IoT Development and Certificate Framework with Front-end Access Control
➢ aims to deliver a novel, secure and privacy-friendly IoT architecture
➢ EU-funded H2020 research and innovation project
➢ Start date: 01 September 2020
Content classification of selected standards
Column headings: Industry | Consumer | System | Device | Product | Assess | Process | Design | Quality | Test | Level | #req
IEC 62443-4-1 I S (X) (X) (X) - 48
IEC 62443-4-2 I S X (X) SL 88
ISO/IEC 11889 S X X - N/A
ISO/IEC 27402 D (X) (X) - 13
GP SESIP S X (X) X EAL 53
ETSI EN 303645 C D X X o 67
ETSI TS 103701 C D (X) X X 109
Proposed Certification Process
5 Conclusions
Summary
➢ Multiple different aspects of Certification are under discussion
❖ Various working groups of standardization bodies and industrial associations
❖ Technical viewpoints differ due to the various stakeholders
➢ ENISA documents already support the interested experts and public community
❖ Missing QA, Testing and Certification
➢ A need for harmonization and common strategies
❖ More emphasis on quality and testing
➢ European research project IoTAC work
❖ https://iotac.eu/
Fraunhofer FOKUS
Institute for Open Communication Systems
Kaiserin-Augusta-Allee 31
10589 Berlin, Germany
https://www.fokus.fraunhofer.de/en/sqc
ramon.barakat@fokus.fraunhofer.de
faruk.catal@fokus.fraunhofer.de
sascha.hackel@fokus.fraunhofer.de
axel.rennoch@fokus.fraunhofer.de
martin.schneider@fokus.fraunhofer.de
Thank you for your attention!
Acknowledgement: The contribution has been partly supported by the European Commission
H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.

More Related Content

What's hot

IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialSamsung Open Source Group
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemRISC-V International
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableJonathan Jeon
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsChantalWauters
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under ThreatPriyanka Aash
 

What's hot (7)

IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystem
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/Wearable
 
C12 Profinet diagnostics during the entire life cycle of production lines a...
C12   Profinet diagnostics during the entire life cycle of production lines a...C12   Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding Standards
 
Vahid nazaritalooki cv
Vahid nazaritalooki cvVahid nazaritalooki cv
Vahid nazaritalooki cv
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under Threat
 

Similar to Towards a certification scheme for IoT security evaluation

Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingAxel Rennoch
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesDavid Shepherd
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxJavier Tallón
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksDesign World
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryAshley Zupkus
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián GallegoRedit
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and productsJavier Tallón
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2俠客科技
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security StandardsConferencias FIST
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesAxel Rennoch
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentIntland Software GmbH
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalSyam Madanapalli
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practiceteam-WIBU
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Jonathan Jeon
 
KATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaKATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaGabriela Ehrlich
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkDeutsche Telekom AG
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyICS
 

Similar to Towards a certification scheme for IoT security evaluation (20)

Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge Computing
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety Networks
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security Standards
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and Initiatives
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development Environment
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
 
KATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaKATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , Korea
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification Framework
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case Study
 

Recently uploaded

WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGDSC PJATK
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!Memoori
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Patrick Viafore
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfUK Journal
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?Mark Billinghurst
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 

Recently uploaded (20)

WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 

Towards a certification scheme for IoT security evaluation

  • 1. Fraunhofer FOKUS Institute for Open Communication Systems Towards a certification scheme for IoT security evaluation R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
  • 2. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 2
  • 4. Fraunhofer is Europe’s largest application oriented research organization: Fraunhofer Society © Michael Zalewski/ Fraunhofer FOKUS © Fraunhofer-Gesellschaft > 29.000 Employees 75 Institutes and research units > 2.8 billion € Budget (1/3 government, 1/3 public, 1/3 industry) 4 Fraunhofer Institute for Open Communication Systems (FOKUS) We connect everything secure, reliable, sustainable Fraunhofer Institute FOKUS The largest Fraunhofer ICT institute (~450 employees). Located in Berlin.
  • 5. Fields of application and strategic topics of Fraunhofer FOKUS 5 STRATEGIC TOPICS FIELDS OF APPLICATION Sustainability Artificial Intelligence Digital Life Security/ Certification Digital Governance Digital Networking (e.g. 5G/6G) Quantum Computing
  • 7. ➢ European Union Agency for Cybersecurity ❖ achieving a high common level of cybersecurity across Europe ➢ ENISA’s Stakeholder Cybersecurity Certification Group (SCCG) ❖ development of a cybersecurity certification scheme for IoT products ❖ EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS ❖ Indication of selected international standards to be considered for IoT certification Who is ENISA? 7
  • 8. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 8
  • 10. IEC 62443 Industrial communication networks – IT security for networks and systems 10
  • 11. ➢ security requirements definition, secure design, secure implementation, including coding guidelines, verification and validation, defect management, patch management and product end-of-life ➢ focus on the design aspects for the target industrial security product ➢ provides development guidance to ensure an advanced development process ➢ content is on a general level and can be described as a best practice guide without much detail on functionality and evaluation aspects ➢ do not contain concrete test scenarios Part 4-1: Secure product development lifecycle requirements 11
  • 12. ➢ technical security requirements for the product itself ➢ requirements address − identification and authentication control, − use control, − system integrity, − data confidentiality, − restricted data flow, − timely response to events, and − resource availability ➢ considers all Security functional requirement (SFR) classes from the CommonCriteria ➢ product requirements have been related to security levels 0 to 4 Part 4-2: Technical security requirements for IACS components 12
  • 14. ➢ device that enables trust in computing platforms in general ➢ TPMs require hardware protections to provide three roots of trust: storage, measurement, and reporting ➢ root of trust for storage consists primarily of creating, managing and protecting cryptographic keys and other data values ➢ Artefacts protected by or associated with encryption keys, like passwords, certificates or other credentials, can be used for authentication and many other security scenarios ISO/IEC 11889 consists of the following four parts: • Part 1: Architecture • Part 2: Structures • Part 3: Commands • Part 4: Supporting routines ➢ standard provide many design recommendations ➢ no scenarios for quality testing ISO/IEC 11889 Trusted Platform Module 14
  • 15. ISO/IEC 27402 (committee draft)
      ➢ standard is intended to specify a security baseline or platform for 'IoT devices' [things] supporting information security and privacy controls
      ➢ examples of baseline [information security] requirements cover the following topics:
          • Unique device identifier that should be immutable and verifiable
          • Factory reset functionality
          • 'Delete all user data information' functionality
          • Protection of data
          • Patching/updating capability for firmware and software
      ➢ provides concrete requirements for the security product itself
      ➢ in comparison with CC: small selection towards ten SFRs (FIA, FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA)
  • 16. Global Platform (GP) Security Evaluation Standard for IoT Platforms (SESIP)
  • 17. GP Security Evaluation Standard for IoT Platforms (SESIP)
      ➢ designed specifically for the IoT platforms and platform parts on which IoT products are based
      ➢ SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem
      ➢ follows all mandatory aspects of ISO 15408 Common Criteria standard
      ➢ addresses both SFRs and SARs
      ➢ does not provide concrete design decisions or test objectives
  • 19. ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements
      ➢ specifies high-level security and data protection provisions for consumer IoT devices
      ➢ connected to network infrastructure (such as the Internet or home network) and their interactions with associated services
      ➢ basic guidance through examples and explanatory text on how to implement these requirements
      ➢ addresses requirements for the security product itself
      ➢ also assurance requirements (software update process)
      ➢ possible to find relationships both to SFRs and to SARs
  • 20. ETSI TS 103 701 (draft)
      ➢ specifies test scenarios for assessing consumer IoT products against the provisions of EN 303 645
      ➢ mandatory and recommended assessments, guidance and examples to support implementations
      ➢ targeting testing labs and certification bodies that provide assurance on the security of relevant products
      ➢ targeting manufacturers that wish to carry out a self-assessment
      ➢ document does not set out detailed testing protocols
      ➢ intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act
      ➢ addresses the definition of concrete tests using an informal description of test purposes, test actions and conditions for the assignment of verdicts
  • 21. 4 IoTAC project approach
  • 22. IoTAC project
      ➢ Security By Design IoT Development and Certificate Framework with Front-end Access Control
      ➢ aims to deliver a novel, secure and privacy-friendly IoT architecture
      ➢ EU-funded H2020 research and innovation project
      ➢ Start date: 01 September 2020
  • 23. Content classification of selected standards
      Industry Consumer System Device Product Assess Process Design Quality Test Level #req
      IEC 62443-4-1 I S (X) (X) (X) - 48
      IEC 62443-4-2 I S X (X) SL 88
      ISO/IEC 11889 S X X - N/A
      ISO/IEC 27402 D (X) (X) - 13
      GP SESIP S X (X) X EAL 53
      ETSI EN 303645 C D X X o 67
      ETSI TS 103701 C D (X) X X 109
  • 26. Summary
      ➢ Multiple different aspects of certification are under discussion
          ❖ Various working groups of standardization bodies and industrial associations
          ❖ Technical viewpoints differ due to the various stakeholders
      ➢ ENISA documents already support the interested experts and public community
          ❖ Missing QA, Testing and Certification
      ➢ A need for harmonization and common strategies
          ❖ More emphasis on quality and testing
      ➢ European research project IoTAC work
          ❖ https://iotac.eu/
  • 27. Thank you for your attention!
      Fraunhofer FOKUS, Institute for Open Communication Systems
      Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany
      https://www.fokus.fraunhofer.de/en/sqc
      ramon.barakat@fokus.fraunhofer.de
      faruk.catal@fokus.fraunhofer.de
      sascha.hackel@fokus.fraunhofer.de
      axel.rennoch@fokus.fraunhofer.de
      martin.schneider@fokus.fraunhofer.de
      Acknowledgement: The contribution has been partly supported by the European Commission H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.