IOT CYBERSECURITY CERTIFICATION - CARLO CASATI IOTHINGS WEEK, 19 MAY 2021
Nemko Group
• Pre-compliance
• Management system certification
• Product testing
• Field evaluation
• Product certification
• Cybersecurity
• International approval
Certification of IoT as Radio Equipment
• Geography (International Approval) – specific national standards
• Radio product category (Testing)
• Industry segment (Certification)
Certification of IoT as Cyber Equipment
• Geography (International Approval) – specific national standards
• Cyber product category (Evaluation)
• Industry segment (Certification)
Is cyber security really voluntary?
This is probably the most common question we get – is it mandatory?
Putting the question as openly as that, the simple answer is “yes, it is mandatory!”
But, like everything else, there are details, and these details are rapidly changing.
Many interpret the absence of a mandatory certification scheme as the absence of mandatory requirements.
European Union Regulations concerning Cybersecurity
GDPR – General Data Protection Regulation – mandatory
Not typically thought of as “cyber security”, but information security is an integral part of cyber security. For the protection of e.g. personal information, cyber security is a prerequisite, and cyber security standards like the European norm for consumer IoT specify a set of requirements concerning the handling of various personal information. Using a product that does not comply with these requirements would jeopardize your GDPR compliance.
RED – Radio Equipment Directive – mandatory, but ..
Again, not what many think of as cyber security, but the RED includes provisions on protecting the network and personal information. At the current date these provisions have not yet been put into effect, but this work is actively ongoing.
EU Cyber Security Act – mandatory, but ..
This act describes certification schemes for products, services and processes. A draft scheme for product certification was published in July 2020 and a final version is expected by Q2 2021. This certification will initially be voluntary, but the requirements will not.
Automotive Industry
WP.29 – Proposal for a new UN Regulation on uniform provisions concerning the approval of vehicles with regards to cyber security and cyber security management system. Submitted by the Working Party on Automated/autonomous and Connected Vehicles.
Existing Standards and Regulations
• Common Criteria ISO/IEC 15408-x:2008 Information technology — Security techniques — Evaluation criteria for IT security
• ISO/IEC 18045:2008 Information technology — Security techniques — Methodology for IT security evaluation
• ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements
• Cyber Security Act Regulation 2019/881
• ETSI EN 303 645 V2.1.1 (2020-06) Cyber Security for Consumer Internet of Things: Baseline Requirements
Nemko services for Cybersecurity
• Cybersecurity Pre-compliance
• Common Criteria
• IoT Attestation / Certification
Common Criteria: Evaluation Assurance Level (EAL)
• EAL 1 – Functionally Tested
• EAL 2 – Structurally Tested
• EAL 3 – Methodically Tested and Checked
• EAL 4 – Methodically Designed, Tested and Reviewed
• EAL 5 – Semiformally Designed and Tested
• EAL 6 – Semiformally Verified Design and Tested
• EAL 7 – Formally Verified Design and Tested
IoT: Scope of ETSI EN 303 645
The present document specifies high-level security and data protection provisions for consumer IoT devices that are connected to network infrastructure (such as the Internet or home network) and their interactions with associated services. The associated services are out of scope. A non-exhaustive list of examples of consumer IoT devices includes:
• connected children's toys and baby monitors;
• connected smoke detectors, door locks and window sensors;
• IoT gateways, base stations and hubs to which multiple devices connect;
• smart cameras, TVs and speakers;
• wearable health trackers;
• connected home automation and alarm systems, especially their gateways and hubs;
• connected appliances, such as washing machines and fridges; and
• smart home assistants.
Moreover, the present document addresses security considerations specific to constrained devices.
IoT: Attestation vs Certification
Nemko will evaluate the product and associated services according to the European cyber security IoT standard.
Cyber security product attestation
• The attestation will cover the evaluated version of the product only and does not include a system for follow-up.
• If changes are made to the product, a new evaluation must be done by Nemko in order for the approval to include the altered version.
• This solution is suitable for a manufacturer producing a one-off batch of products, e.g. tailormade for one purpose or one buyer.
Cyber security product certification
• In addition, an audit is done of the manufacturer’s quality system and particularly the procedures in place ensuring the quality of change management.
• With a cyber security certification, the manufacturer can make certain changes to the products and the certification will remain valid.
• This solution is suitable for manufacturers having continuous improvements done to their products or for manufacturers making adjustments in their products.
Why ETSI EN 303 645?
• European specific standard
• Covers the requirements of the new UK law on IoT (to be mandatory)
• Used by the Finnish Cybersecurity Label scheme (with some additions)
• Covers the requirements of the mandatory California law
Pre-compliance Service
• Verification of the confidentiality and complexity of the password(s) (for example, whether the password has been changed from the default and the rules for its composition: presence of special characters, numbers, case-sensitive letters).
• Vulnerability management (how the user is informed of known vulnerabilities and how the user can in turn inform the manufacturer of possible new suspected vulnerabilities).
• Keeping the software up to date (how the user is informed of the possibility to download and keep the sw/fw updated, and whether an automatic update mechanism exists).
• Verification of any memory media internal or external to the device where the processed data and information are stored (how the user can interact with such media).
• Security of communications (security of the communication protocols, SSL/https, cryptography, …).
• Minimising the sources of exposure to attacks (all unused communication interfaces/ports must be disabled from boot).
• Deletion of personal data (how the user can remove their own data from the device).
• Management of the user's personal data by the manufacturer (which data are processed by the manufacturer? How are they managed? Who manages them? How does the manufacturer inform the user of the modification/deletion/management of their data? This is tied to privacy – the GDPR regulation).
Thank you for your attention
www.nemko.com