SlideShare a Scribd company logo

Towards a certification scheme for IoT security evaluation

Axel Rennoch
Axel Rennoch

Many European and international standardization bodies and industrial organizations do provide more or less detailed specification catalogues addressing IoT product security requirements, test cases and evaluation methods. In this contribution, a dedicated set of relevant standards, guides and recommendations which recently have been recognized by the European Union Agency for Cybersecurity (ENISA) will be introduced. Special attention is given to their contribution for the security evaluation process and the product quality itself, including the level of details regarding their suitability for test definition and execution.

Technology
1 of 27
Download to read offline
Fraunhofer FOKUS Institute for Open Communication Systems Towards a certification scheme for IoT security evaluation R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 2
1 Background
Fraunhofer is Europe’s largest application oriented research organization: Fraunhofer Society © Michael Zalewski/ Fraunhofer FOKUS © Fraunhofer-Gesellschaft > 29.000 Employees 75 Institutes and research units > 2.8 billion € Budget (1/3 government, 1/3 public, 1/3 industry) 4 Fraunhofer Institute for Open Communication Systems (FOKUS) We connect everything secure, reliable, sustainable Fraunhofer Institute FOKUS The largest Fraunhofer ICT institute (~450 employees). Located in Berlin.
Fields of application and strategic topics of Fraunhofer FOKUS 5 STRATEGIC TOPICS FIELDS OF APPLICATION Sustainability Artificial Intelligence Digital Life Security/ Certification Digital Governance Digital Networking (e.g. 5G/6G) Quantum Computing
2 ENISA recommendations
➢ European Union Agency for Cybersecurity ❖ achieving a high common level of cybersecurity across Europe ➢ ENISA’s Stakeholder Cybersecurity Certification Group (SCCG) ❖ development of a cybersecurity certification scheme for IoT products ❖ EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS ❖ Indication of selected international standards to be considered for IoT certification Who is ENISA? 7
Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 8
3 Certification schemes
IEC 62443 Industrial communication networks – IT security for networks and systems 10
➢ security requirements definition, secure design, secure implementation, including coding guidelines, verification and validation, defect management, patch management and product end-of-life ➢ focus on the design aspects for the target industrial security product ➢ provides development guidance to ensure an advanced development process ➢ content is on a general level and can be described as a best practice guide without much detail on functionality and evaluation aspects ➢ do not contain concrete test scenarios Part 4-1: Secure product development lifecycle requirements 11
➢ technical security requirements for the product itself ➢ requirements address − identification and authentication control, − use control, − system integrity, − data confidentiality, − restricted data flow, − timely response to events, and − resource availability ➢ considers all Security functional requirement (SFR) classes from the CommonCriteria ➢ product requirements have been related to security levels 0 to 4 Part 4-2: Technical security requirements for IACS components 12
ISO/IEC Joint Technical Committee (JTC1) 13
➢ device that enables trust in computing platforms in general ➢ TPMs require hardware protections to provide three roots of trust: storage, measurement, and reporting ➢ root of trust for storage consists primarily of creating, managing and protecting cryptographic keys and other data values ➢ Artefacts protected by or associated with encryption keys, like passwords, certificates or other credentials, can be used for authentication and many other security scenarios ISO/IEC 11889 consists of the following four parts: • Part 1: Architecture • Part 2: Structures • Part 3: Commands • Part 4: Supporting routines ➢ standard provide many design recommendations ➢ no scenarios for quality testing ISO/IEC 11889 Trusted Platform Module 14
➢ standard is intended to specify a security baseline or platform for ‘IoT devices’ [things] supporting information security and privacy controls. ➢ Examples of baseline [information security] requirements cover the following topics: • Unique device identifier that should be immutable and verifiable • Factory reset functionality • Delete all user data information’ functionality • Protection of data • Patching/updating capability for firmware and software) ➢ provides concrete requirements for the security product itself ➢ In comparison with CC: small selection towards ten SFRs (FIA, FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA) ISO/IEC 27402 (committee draft) 15
Global Platform (GP) Security Evaluation Standard for IoT Platforms (SESIP) 16
➢ designed specifically for the IoT platforms and platform parts on which IoT products are based ➢ SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem ➢ follows all mandatory aspects of ISO 15408 Common Criteria standard ➢ addresses both SFRs and SARs ➢ does not provide concrete design decisions or test objectives GP Security Evaluation Standard for IoT Platforms (SESIP) 17
ETSI TC CYBER series 18
➢ specifies high-level security and data protection provisions for consumer IoT devices ➢ connected to network infrastructure (such as the Internet or home network) and their interactions with associated services ➢ basic guidance through examples and explanatory text on how to implement these requirements ➢ addresses requirements for the security product itself ➢ also assurance requirements (software update process) ➢ possible to find relationships both to SFRs and to SARs ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements 19
➢ specifies test scenarios for assessing consumer IoT products against the provisions of EN 303 645 ➢ mandatory and recommended assessments, guidance and examples to support implementations ➢ targeting testing labs and certification bodies that provide assurance on the security of relevant products ➢ targeting manufacturers that wish to carry out a self- assessment ➢ document does not set out detailed testing protocols ➢ intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act ➢ addresses the definition of concrete tests using an informal description of test purposes, test actions and conditions for the assignment of verdicts ETSI TS 103 701 (draft) 20
4 IoTAC project approach
➢ Security By Design IoT Development and Certificate Framework with Front-end Access Control ➢ aims to deliver a novel, secure and privacy-friendly IoT architecture ➢ EU-funded H2020 research and innovation project ➢ Start date: 01 September 2020 IoTAC project 22
Industry Consumer System Device Product Assess Process Design Quality Test Level #req IEC 62443-4-1 I S (X) (X) (X) - 48 IEC 62443-4-2 I S X (X) SL 88 ISO/IEC 11889 S X X - N/A ISO/IEC 27402 D (X) (X) - 13 GP SESIP S X (X) X EAL 53 ETSI EN 303645 C D X X o 67 ETSI TS 103701 C D (X) X X 109 Content classification of selected standards 23
Proposed Certification Process
5 Conclusions
➢ Multiple different aspects of Certification are under discussion ❖ Various working groups of standardization bodies and industrial associations ❖ Technical viewpoints differ due to the various stakeholders ➢ ENISA documents already support the interested experts and public community ❖ Missing QA, Testing and Certification ➢ A need for harmonization and common strategies ❖ More emphasise on quality and testing ➢ European research project IoTAC work ❖ https://iotac.eu/ Summary 26
Fraunhofer FOKUS Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin, Germany https://www.fokus.fraunhofer.de/en/sqc ramon.barakat@fokus.fraunhofer.de faruk.catal@fokus.fraunhofer.de sascha.hackel@fokus.fraunhofer.de axel.rennoch@fokus.fraunhofer.de martin.schneider@fokus.fraunhofer.de Thank you for your attention! Acknowledgement: The contribution have been partly supported by the European commission H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.

Recommended

ETSI TC MTS Contribution to Testing in IoT and Edge Computing
ETSI TC MTS Contribution to Testing in IoT and Edge ComputingETSI TC MTS Contribution to Testing in IoT and Edge Computing
ETSI TC MTS Contribution to Testing in IoT and Edge Computing
Axel Rennoch
 
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONSUSING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
Axel Rennoch
 
Functional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-TestwareFunctional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-Testware
Axel Rennoch
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
Axel Rennoch
 
2010 11 18 Substation Automation Systems By Gin Quesada
2010 11 18 Substation Automation Systems By Gin Quesada2010 11 18 Substation Automation Systems By Gin Quesada
2010 11 18 Substation Automation Systems By Gin Quesada
ginquesada
 
Data trustworthiness at the edge
Data trustworthiness at the edgeData trustworthiness at the edge
Data trustworthiness at the edge
RISC-V International
 
Porting tock to open titan
Porting tock to open titanPorting tock to open titan
Porting tock to open titan
RISC-V International
 
Verigraph
VerigraphVerigraph
Verigraph
Iben Rodriguez
 

Recommended

ETSI TC MTS Contribution to Testing in IoT and Edge Computing
ETSI TC MTS Contribution to Testing in IoT and Edge ComputingETSI TC MTS Contribution to Testing in IoT and Edge Computing
ETSI TC MTS Contribution to Testing in IoT and Edge Computing
Axel Rennoch
 
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONSUSING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
USING TDL FOR STANDARDISED TEST PURPOSE DEFINITIONS
Axel Rennoch
 
Functional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-TestwareFunctional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-Testware
Axel Rennoch
 
Test Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysisTest Execution Infrastructure for IoT Quality analysis
Test Execution Infrastructure for IoT Quality analysis
Axel Rennoch
 
2010 11 18 Substation Automation Systems By Gin Quesada
2010 11 18 Substation Automation Systems By Gin Quesada2010 11 18 Substation Automation Systems By Gin Quesada
2010 11 18 Substation Automation Systems By Gin Quesada
ginquesada
 
Data trustworthiness at the edge
Data trustworthiness at the edgeData trustworthiness at the edge
Data trustworthiness at the edge
RISC-V International
 
Porting tock to open titan
Porting tock to open titanPorting tock to open titan
Porting tock to open titan
RISC-V International
 
Verigraph
VerigraphVerigraph
Verigraph
Iben Rodriguez
 
IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
Samsung Open Source Group
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystem
RISC-V International
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/Wearable
Jonathan Jeon
 
C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...
PROFIBUS and PROFINET InternationaI - PI UK
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding Standards
ChantalWauters
 
Vahid nazaritalooki cv
Vahid nazaritalooki cvVahid nazaritalooki cv
Vahid nazaritalooki cv
Vahid Nazaritalooki
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under Threat
Priyanka Aash
 
Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge Computing
Axel Rennoch
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
David Shepherd
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
Javier Tallón
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety Networks
Design World
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
Ashley Zupkus
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
Elena Cortés Ventura
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
Redit
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
Industrial Internet Consortium
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2
俠客科技
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security Standards
Conferencias FIST
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and Initiatives
Axel Rennoch
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development Environment
Intland Software GmbH
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
Syam Madanapalli
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
team-WIBU
 

More Related Content

What's hot

C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...
PROFIBUS and PROFINET InternationaI - PI UK
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding Standards
ChantalWauters
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under Threat
Priyanka Aash
 

What's hot (7)

IoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorialIoTivity for Automotive: meta-ocf-automotive tutorial
IoTivity for Automotive: meta-ocf-automotive tutorial
 
Tech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystemTech talk with Antmicro - Building an open source system verilog ecosystem
Tech talk with Antmicro - Building an open source system verilog ecosystem
 
OCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/WearableOCF/IoTivity for Healthcare/Fitness/Wearable
OCF/IoTivity for Healthcare/Fitness/Wearable
 
C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...C12 Profinet diagnostics during the entire life cycle of production lines a...
C12 Profinet diagnostics during the entire life cycle of production lines a...
 
Navigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding StandardsNavigating the jungle of Secure Coding Standards
Navigating the jungle of Secure Coding Standards
 
Vahid nazaritalooki cv
Vahid nazaritalooki cvVahid nazaritalooki cv
Vahid nazaritalooki cv
 
LTE Network Automation Under Threat
LTE Network Automation Under ThreatLTE Network Automation Under Threat
LTE Network Automation Under Threat
 

Similar to Towards a certification scheme for IoT security evaluation

Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
Ashley Zupkus
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
Javier Tallón
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security Standards
Conferencias FIST
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development Environment
Intland Software GmbH
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
team-WIBU
 

Similar to Towards a certification scheme for IoT security evaluation (20)

Testing Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge ComputingTesting Challenges and Approaches in Edge Computing
Testing Challenges and Approaches in Edge Computing
 
Endpoint Security for Mobile Devices
Endpoint Security for Mobile DevicesEndpoint Security for Mobile Devices
Endpoint Security for Mobile Devices
 
TAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptxTAICS - Cybersecurity Certification for European Market.pptx
TAICS - Cybersecurity Certification for European Market.pptx
 
Key Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety NetworksKey Tips for Using and Operating Safety Networks
Key Tips for Using and Operating Safety Networks
 
Towards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industryTowards 0-bug software in the automotive industry
Towards 0-bug software in the automotive industry
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego05_Alter Technology_Julián Gallego
05_Alter Technology_Julián Gallego
 
Experiences evaluating cloud services and products
Experiences evaluating cloud services and productsExperiences evaluating cloud services and products
Experiences evaluating cloud services and products
 
IIoT Endpoint Security
IIoT Endpoint Security IIoT Endpoint Security
IIoT Endpoint Security
 
德國TSI公司簡報-2
德國TSI公司簡報-2德國TSI公司簡報-2
德國TSI公司簡報-2
 
Metholodogies and Security Standards
Metholodogies and Security StandardsMetholodogies and Security Standards
Metholodogies and Security Standards
 
Edge Computing Standardisation and Initiatives
Edge Computing Standardisation and InitiativesEdge Computing Standardisation and Initiatives
Edge Computing Standardisation and Initiatives
 
Managing Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development EnvironmentManaging Traceability in an Agile, Safety-critical Development Environment
Managing Traceability in an Agile, Safety-critical Development Environment
 
IoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR ProposalIoT Security Assessment - IEEE PAR Proposal
IoT Security Assessment - IEEE PAR Proposal
 
IIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in PracticeIIoT Endpoint Security – The Model in Practice
IIoT Endpoint Security – The Model in Practice
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
Trends on standardization for smart wearable devices & services (ITU-T, OCF, ...
 
KATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , KoreaKATS 4th Industrial Revolution Forum Seoul , Korea
KATS 4th Industrial Revolution Forum Seoul , Korea
 
ECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification FrameworkECIL: EU Cybersecurity Package and EU Certification Framework
ECIL: EU Cybersecurity Package and EU Certification Framework
 
Overcome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case StudyOvercome Hardware And Software Challenges - Medical Device Case Study
Overcome Hardware And Software Challenges - Medical Device Case Study
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Towards a certification scheme for IoT security evaluation

  • 1. Fraunhofer FOKUS Institute for Open Communication Systems Towards a certification scheme for IoT security evaluation R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21
  • 2. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 2
  • 4. Fraunhofer is Europe’s largest application oriented research organization: Fraunhofer Society © Michael Zalewski/ Fraunhofer FOKUS © Fraunhofer-Gesellschaft > 29.000 Employees 75 Institutes and research units > 2.8 billion € Budget (1/3 government, 1/3 public, 1/3 industry) 4 Fraunhofer Institute for Open Communication Systems (FOKUS) We connect everything secure, reliable, sustainable Fraunhofer Institute FOKUS The largest Fraunhofer ICT institute (~450 employees). Located in Berlin.
  • 5. Fields of application and strategic topics of Fraunhofer FOKUS 5 STRATEGIC TOPICS FIELDS OF APPLICATION Sustainability Artificial Intelligence Digital Life Security/ Certification Digital Governance Digital Networking (e.g. 5G/6G) Quantum Computing
  • 7. ➢ European Union Agency for Cybersecurity ❖ achieving a high common level of cybersecurity across Europe ➢ ENISA’s Stakeholder Cybersecurity Certification Group (SCCG) ❖ development of a cybersecurity certification scheme for IoT products ❖ EUCC, a candidate cybersecurity certification scheme to serve as a successor to the existing SOG-IS ❖ Indication of selected international standards to be considered for IoT certification Who is ENISA? 7
  • 8. Agenda 1 Background 2 ENISA recommendations 3 Certification schemes 4 IoTAC project approach 5 Conclusion 8
  • 10. IEC 62443 Industrial communication networks – IT security for networks and systems 10
  • 11. ➢ security requirements definition, secure design, secure implementation, including coding guidelines, verification and validation, defect management, patch management and product end-of-life ➢ focus on the design aspects for the target industrial security product ➢ provides development guidance to ensure an advanced development process ➢ content is on a general level and can be described as a best practice guide without much detail on functionality and evaluation aspects ➢ do not contain concrete test scenarios Part 4-1: Secure product development lifecycle requirements 11
  • 12. ➢ technical security requirements for the product itself ➢ requirements address − identification and authentication control, − use control, − system integrity, − data confidentiality, − restricted data flow, − timely response to events, and − resource availability ➢ considers all Security functional requirement (SFR) classes from the CommonCriteria ➢ product requirements have been related to security levels 0 to 4 Part 4-2: Technical security requirements for IACS components 12
  • 14. ➢ device that enables trust in computing platforms in general ➢ TPMs require hardware protections to provide three roots of trust: storage, measurement, and reporting ➢ root of trust for storage consists primarily of creating, managing and protecting cryptographic keys and other data values ➢ Artefacts protected by or associated with encryption keys, like passwords, certificates or other credentials, can be used for authentication and many other security scenarios ISO/IEC 11889 consists of the following four parts: • Part 1: Architecture • Part 2: Structures • Part 3: Commands • Part 4: Supporting routines ➢ standard provide many design recommendations ➢ no scenarios for quality testing ISO/IEC 11889 Trusted Platform Module 14
  • 15. ➢ standard is intended to specify a security baseline or platform for ‘IoT devices’ [things] supporting information security and privacy controls. ➢ Examples of baseline [information security] requirements cover the following topics: • Unique device identifier that should be immutable and verifiable • Factory reset functionality • Delete all user data information’ functionality • Protection of data • Patching/updating capability for firmware and software) ➢ provides concrete requirements for the security product itself ➢ In comparison with CC: small selection towards ten SFRs (FIA, FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA) ISO/IEC 27402 (committee draft) 15
  • 16. Global Platform (GP) Security Evaluation Standard for IoT Platforms (SESIP) 16
  • 17. ➢ designed specifically for the IoT platforms and platform parts on which IoT products are based ➢ SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem ➢ follows all mandatory aspects of ISO 15408 Common Criteria standard ➢ addresses both SFRs and SARs ➢ does not provide concrete design decisions or test objectives GP Security Evaluation Standard for IoT Platforms (SESIP) 17
  • 19. ➢ specifies high-level security and data protection provisions for consumer IoT devices ➢ connected to network infrastructure (such as the Internet or home network) and their interactions with associated services ➢ basic guidance through examples and explanatory text on how to implement these requirements ➢ addresses requirements for the security product itself ➢ also assurance requirements (software update process) ➢ possible to find relationships both to SFRs and to SARs ETSI EN 303 645 Cyber Security for Consumer IoT: Baseline Requirements 19
  • 20. ➢ specifies test scenarios for assessing consumer IoT products against the provisions of EN 303 645 ➢ mandatory and recommended assessments, guidance and examples to support implementations ➢ targeting testing labs and certification bodies that provide assurance on the security of relevant products ➢ targeting manufacturers that wish to carry out a self- assessment ➢ document does not set out detailed testing protocols ➢ intended as input to a future EU common cybersecurity certification scheme as proposed in the Cybersecurity Act ➢ addresses the definition of concrete tests using an informal description of test purposes, test actions and conditions for the assignment of verdicts ETSI TS 103 701 (draft) 20
  • 21. 4 IoTAC project approach
  • 22. ➢ Security By Design IoT Development and Certificate Framework with Front-end Access Control ➢ aims to deliver a novel, secure and privacy-friendly IoT architecture ➢ EU-funded H2020 research and innovation project ➢ Start date: 01 September 2020 IoTAC project 22
  • 23. Industry Consumer System Device Product Assess Process Design Quality Test Level #req IEC 62443-4-1 I S (X) (X) (X) - 48 IEC 62443-4-2 I S X (X) SL 88 ISO/IEC 11889 S X X - N/A ISO/IEC 27402 D (X) (X) - 13 GP SESIP S X (X) X EAL 53 ETSI EN 303645 C D X X o 67 ETSI TS 103701 C D (X) X X 109 Content classification of selected standards 23
  • 26. ➢ Multiple different aspects of Certification are under discussion ❖ Various working groups of standardization bodies and industrial associations ❖ Technical viewpoints differ due to the various stakeholders ➢ ENISA documents already support the interested experts and public community ❖ Missing QA, Testing and Certification ➢ A need for harmonization and common strategies ❖ More emphasise on quality and testing ➢ European research project IoTAC work ❖ https://iotac.eu/ Summary 26
  • 27. Fraunhofer FOKUS Institute for Open Communication Systems Kaiserin-Augusta-Allee 31 10589 Berlin, Germany https://www.fokus.fraunhofer.de/en/sqc ramon.barakat@fokus.fraunhofer.de faruk.catal@fokus.fraunhofer.de sascha.hackel@fokus.fraunhofer.de axel.rennoch@fokus.fraunhofer.de martin.schneider@fokus.fraunhofer.de Thank you for your attention! Acknowledgement: The contribution have been partly supported by the European commission H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.