1.
Fraunhofer FOKUS
Institute for Open Communication Systems
Towards a certification scheme for
IoT security evaluation
R. Barakat, F. Catal, S. Hackel, A. Rennoch, M. Schneider | GI/IACS Berlin | 28.09.21

2.
Agenda
1 Background
2 ENISA recommendations
3 Certification schemes
4 IoTAC project approach
5 Conclusion
2

3.
1 Background

4.
Fraunhofer is Europe’s largest application oriented research
organization:
Fraunhofer Society
©
Michael
Zalewski/
Fraunhofer
FOKUS
©
Fraunhofer-Gesellschaft
> 29.000
Employees
75
Institutes and research units
> 2.8 billion €
Budget (1/3 government, 1/3 public, 1/3 industry)
4
Fraunhofer Institute
for Open Communication Systems (FOKUS)
We connect everything
secure, reliable, sustainable
Fraunhofer Institute FOKUS
The largest Fraunhofer ICT institute (~450 employees).
Located in Berlin.

5.
Fields of application and strategic topics of Fraunhofer FOKUS
5
STRATEGIC TOPICS
FIELDS OF APPLICATION
Sustainability
Artificial
Intelligence
Digital
Life
Security/
Certification
Digital
Governance
Digital
Networking
(e.g. 5G/6G)
Quantum
Computing

6.
2 ENISA recommendations

7.
➢ European Union Agency for Cybersecurity
❖ achieving a high common level of cybersecurity
across Europe
➢ ENISA’s Stakeholder Cybersecurity Certification
Group (SCCG)
❖ development of a cybersecurity certification scheme for
IoT products
❖ EUCC, a candidate cybersecurity certification scheme to
serve as a successor to the existing SOG-IS
❖ Indication of selected international standards to be
considered for IoT certification
Who is ENISA?
7

8.
Agenda
1 Background
2 ENISA recommendations
3 Certification schemes
4 IoTAC project approach
5 Conclusion
8

9.
3 Certification schemes

10.
IEC 62443 Industrial communication networks –
IT security for networks and systems
10

11.
➢ security requirements definition, secure design, secure
implementation, including coding guidelines, verification and
validation, defect management, patch management and
product end-of-life
➢ focus on the design aspects for the target industrial security
product
➢ provides development guidance to ensure an advanced
development process
➢ content is on a general level and can be described as a best
practice guide without much detail on functionality and
evaluation aspects
➢ do not contain concrete test scenarios
Part 4-1: Secure product
development lifecycle requirements
11

12.
➢ technical security requirements for the product itself
➢ requirements address
− identification and authentication control,
− use control,
− system integrity,
− data confidentiality,
− restricted data flow,
− timely response to events, and
− resource availability
➢ considers all Security functional requirement (SFR) classes
from the CommonCriteria
➢ product requirements have been related to security levels 0
to 4
Part 4-2: Technical security
requirements for IACS components
12

13.
ISO/IEC
Joint Technical Committee (JTC1)
13

14.
➢ device that enables trust in computing platforms in general
➢ TPMs require hardware protections to provide three roots of
trust: storage, measurement, and reporting
➢ root of trust for storage consists primarily of creating, managing
and protecting cryptographic keys and other data values
➢ Artefacts protected by or associated with encryption keys, like
passwords, certificates or other credentials, can be used for
authentication and many other security scenarios
ISO/IEC 11889 consists of the following four parts:
• Part 1: Architecture
• Part 2: Structures
• Part 3: Commands
• Part 4: Supporting routines
➢ standard provide many design recommendations
➢ no scenarios for quality testing
ISO/IEC 11889 Trusted Platform Module
14

15.
➢ standard is intended to specify a security baseline or platform
for ‘IoT devices’ [things] supporting information security and
privacy controls.
➢ Examples of baseline [information security] requirements cover
the following topics:
• Unique device identifier that should be immutable and
verifiable
• Factory reset functionality
• Delete all user data information’ functionality
• Protection of data
• Patching/updating capability for firmware and software)
➢ provides concrete requirements for the security product itself
➢ In comparison with CC: small selection towards ten SFRs (FIA,
FMT, FDP, FPR, FTA, FAU) and three SARs (ADV, ASE/AVA)
ISO/IEC 27402 (committee draft)
15

16.
Global Platform (GP)
Security Evaluation Standard for IoT Platforms (SESIP)
16

17.
➢ designed specifically for the IoT platforms and platform parts
on which IoT products are based
➢ SESIP provides a common and optimized approach for
evaluating the security of connected products that meets the
specific compliance, security, privacy and scalability
challenges of the evolving IoT ecosystem
➢ follows all mandatory aspects of ISO 15408 Common
Criteria standard
➢ addresses both SFRs and SARs
➢ does not provide concrete design decisions or test
objectives
GP Security Evaluation Standard for
IoT Platforms (SESIP)
17

18.
ETSI
TC CYBER series
18

19.
➢ specifies high-level security and data protection provisions
for consumer IoT devices
➢ connected to network infrastructure (such as the Internet or
home network) and their interactions with associated
services
➢ basic guidance through examples and explanatory text on
how to implement these requirements
➢ addresses requirements for the security product itself
➢ also assurance requirements (software update process)
➢ possible to find relationships both to SFRs and to SARs
ETSI EN 303 645
Cyber Security for Consumer IoT:
Baseline Requirements
19

20.
➢ specifies test scenarios for assessing consumer IoT products
against the provisions of EN 303 645
➢ mandatory and recommended assessments, guidance and
examples to support implementations
➢ targeting testing labs and certification bodies that provide
assurance on the security of relevant products
➢ targeting manufacturers that wish to carry out a self-
assessment
➢ document does not set out detailed testing protocols
➢ intended as input to a future EU common cybersecurity
certification scheme as proposed in the Cybersecurity Act
➢ addresses the definition of concrete tests using an informal
description of test purposes, test actions and conditions for the
assignment of verdicts
ETSI TS 103 701 (draft)
20

21.
4 IoTAC project approach

22.
➢ Security By Design IoT Development and Certificate
Framework with Front-end Access Control
➢ aims to deliver a novel, secure and privacy-friendly
IoT architecture
➢ EU-funded H2020 research and innovation project
➢ Start date: 01 September 2020
IoTAC project
22

23.
Industry
Consumer
System
Device
Product
Assess
Process
Design
Quality
Test
Level #req
IEC 62443-4-1 I S (X) (X) (X) - 48
IEC 62443-4-2 I S X (X) SL 88
ISO/IEC 11889 S X X - N/A
ISO/IEC 27402 D (X) (X) - 13
GP SESIP S X (X) X EAL 53
ETSI EN 303645 C D X X o 67
ETSI TS 103701 C D (X) X X 109
Content classification of selected standards
23

24.
Proposed Certification Process

25.
5 Conclusions

26.
➢ Multiple different aspects of Certification are under
discussion
❖ Various working groups of standardization bodies and
industrial associations
❖ Technical viewpoints differ due to the various
stakeholders
➢ ENISA documents already support the interested experts
and public community
❖ Missing QA, Testing and Certification
➢ A need for harmonization and common strategies
❖ More emphasise on quality and testing
➢ European research project IoTAC work
❖ https://iotac.eu/
Summary
26

27.
Fraunhofer FOKUS
Institute for Open Communication Systems
Kaiserin-Augusta-Allee 31
10589 Berlin, Germany
https://www.fokus.fraunhofer.de/en/sqc
ramon.barakat@fokus.fraunhofer.de
faruk.catal@fokus.fraunhofer.de
sascha.hackel@fokus.fraunhofer.de
axel.rennoch@fokus.fraunhofer.de
martin.schneider@fokus.fraunhofer.de
Thank you for your attention!
Acknowledgement: The contribution have been partly supported by the European commission
H2020-EU.2.1.1, Grant agreement ID: 952684: https://cordis.europa.eu/project/id/952684.