31 Aug 2019 Eurosmart IoT SCS – pilots
Eurosmart IoT Certification Scheme
This framework, as defined by the European Cybersecurity Act, enables users to ascertain the level of security assurance (basic, substantial and high) and ensures that these security features are independently verified.
Eurosmart has been developing a proposal for a certification scheme for IoT devices, based on this regulation, with a focus on the Substantial security assurance level.
Executive summary
The European Cybersecurity Certification Framework helps in creating a single cybersecurity market for the EU. A harmonized approach at EU level defines mechanisms that establish EU-wide cybersecurity certification schemes, which assess ICT (Information and Communications Technology) products, ICT services and ICT processes and make sure they comply with specified security requirements.
The scope of the Eurosmart IoT Security Certification Scheme (e-IoT-SCS) is the Internet of Things (IoT) Device, with a focus on the Substantial security assurance level as defined by the Cybersecurity Act. At this level of assurance, the certification is intended to minimize the risk of successful attacks that commonly take advantage of poor design in IoT devices and bring severe consequences to consumers and vendors, due to absent or ineffective security controls. It is indeed vital that IoT devices have security designed-in and verified-in from the outset.
Since IoT Devices at the low end of the range may have security features constrained by cost, available processing power and performance, size, and type of power source, this Certification Scheme considers the trade-off between such constraints, the risks and the cost of certification.
This Certification Scheme introduces three important new properties:
1. Security Profile (the “What”)
A Security Profile (SP) defines the security functional requirements and security assurance activities specific to the security problem definition of a type of IoT Product/Solution (thermostat, smart cam, etc.), while considering the sensitivity of assets, the context of the operational environment and the risk factor. Its definition is a step towards an economical way of dealing with security risk analysis and security targets. It helps to scale security controls and security-related process activities in accordance with the identified risks, i.e. to spend most effort where the highest risks are. This Certification Scheme defines a methodology allowing harmonized and quick creation of Security Profiles covering the full attack surface threat model from Chip to Cloud, including the Applications (Business and Mobile), Gateways, the Connectivity and the Cloud.
2. Risk-Based Evaluation (the “How”)
The evaluation activities to be undertaken within this Certification Scheme are based on a risk[1] approach and include a review to demonstrate the absence of publicly known vulnerabilities, and testing to demonstrate that IoT Devices implement the necessary security functionalities. Risk-based security evaluation is useful when an ICT product is intended to work in a complex system such as the IoT, which requires numerous evaluation activities for adequate coverage in limited time.
[1] Risk itself is considered a metric that indicates the combination of the consequences of an unwanted incident with respect to an asset and the associated likelihood or estimated frequency of occurrence.
3. Certification Validity (the “What if”)
Millions of IoT devices are expected to be granted certifications. These certifications must be maintained in a proper and cost-efficient way to guarantee the level of assurance and the validity of the certificate in the operational phase. This Certification Scheme defines efficient policies, processes and tools allowing IoT Service Providers, Business Lines, Risk-Owners and Decision Makers to increase their trust in certified IoT Devices.
For a higher level of assurance (level “High” as per the Cybersecurity Act), Eurosmart recommends relying on other relevant Certification Schemes that address the state of the art in attacks.
Finally, within this Certification Scheme, the Cybersecurity Act definitions supersede any other definition.