On 30 May the Council issued its general approach on the Cybersecurity Act, which is currently being examined by the ITRE Committee of the European Parliament.
Eurosmart, the voice of the European Digital Security industry, welcomes the Council proposal to carry out mandatory penetration testing (also known as ethical hacking) for assurance level “high” when evaluating the resistance of a product or a service to potential attacks.
Penetration testing, or ethical hacking, is the only rigorous way to evaluate the robustness of an ICT product and to check that the security functionalities required by the state of the art are correctly implemented.
“Our digital world is more and more interconnected, and it processes a huge quantity of sensitive personal data. The Cybersecurity Act must consciously tackle these evolving risks,” explained Stefane Mouille, President of Eurosmart. “Products and services are continuously exposed to the threat of highly skilled malicious attackers who can exploit unchecked vulnerabilities. The European cybersecurity model cannot suffer from a lack of seriousness when evaluating products; with no strategic ethical hacking process, the detection of ICT product vulnerabilities remains impossible. Such vulnerabilities undermine European cybersecurity, which would run the risk of massive cyberattacks.”
The Digital Security Industry has a long track record of performing ethical hacking when evaluating its products. Eurosmart is one of the founding fathers of SOG-IS, which coordinates the development of high-level certificates. Ethical hacking is therefore a proof of excellence of the Digital Security Industry in Europe, as well as a unique asset for European players in a global market.
Eurosmart urges the European Parliament and the members of the ITRE Committee to take penetration testing and ethical hacking into consideration and to extend them to level “substantial”. This is a fundamental element in making the European Digital Single Market the safest possible environment for both citizens and industry.
Ethical hacking (pen-testing, penetration testing) is the act of locating weaknesses and vulnerabilities in devices and information systems by anticipating the intent, actions and skills of malicious hackers. Ethical hacking is done for a defensive purpose, with the objective of improving the security of devices and information systems and of giving assurance that, once released and operated, they will resist attacks of similar intent, actions and skill.
Eurosmart has noted the publication by Gildas Avoine (Rennes University, INSA Rennes) and Loïc Ferreira (Orange Labs) on a potential vulnerability in the SCP02 protocol, published yesterday on the TCES website.
This new publication reports a known attack, applied in a new context.
For a long time, Eurosmart has been recommending that additional security measures be added to SCP02, such as pre-encrypting sensitive data, restricting its use to trusted environments, or other means appropriate to enhancing the security of SCP02.
Please find below a Q&A developing in more detail the questions you may have as an end user of Eurosmart technology.
Eurosmart is committed to developing, promoting and maintaining the appropriate security level for its products, solutions and protocols.
What is retrieved is the said plaintext (not the key), and from only one card.
Pre-encrypted data cannot be retrieved in clear.
The conditions for performing the attack on SCP02 are as follows:
· The attacker must be able to intercept and modify messages between the server and the card in an open environment;
· The attacker must be able to perform precise timing measurements (distinguishing wrong padding from good padding), with either access to the device or the ability to load spy malware;
· The same plaintext must be sent enciphered several times (around 128 times to disclose a single byte of information), either to different cards with different keys or to the same card with different session keys.
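The second condition above, a measurable timing difference between wrong and good padding, is exactly what an early-exit padding check hands to an observer. The following C is an added example, not GlobalPlatform's or Eurosmart's code: it checks the SCP02 padding format (ISO/IEC 9797-1 method 2, a 0x80 byte followed by 0x00 bytes up to an 8-byte boundary) first with an early return and then in a data-independent way, on a constructed sample; the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define BLOCK 8  /* DES/3DES block size used by SCP02 */

/* Early-exit check of ISO/IEC 9797-1 method 2 padding (0x80 then 0x00 to a BLOCK
 * boundary): returns at the first offending byte, so its timing reveals where the
 * padding broke, the wrong/good padding signal named in the conditions above. */
int unpad_early_exit(const uint8_t *buf, size_t len, size_t *out_len) {
    size_t i = len;
    if (len == 0 || len % BLOCK != 0) return -1;
    while (i > 0 && buf[i - 1] == 0x00) i--;
    if (i == 0 || buf[i - 1] != 0x80) return -1;
    *out_len = i - 1;
    return 0;
}

/* 1 if a == b, else 0, with no data-dependent branch. */
static uint32_t ct_eq(uint8_t a, uint8_t b) { return ((uint32_t)(a ^ b) - 1u) >> 31; }
/* Hardened check: always walks the whole last block and folds the verdict into
 * masks, so the work done (and time taken) does not depend on the padding bytes. */
int unpad_constant_time(const uint8_t *buf, size_t len, size_t *out_len) {
    uint32_t found = 0, bad = 0, pad_len = 0;
    if (len == 0 || len % BLOCK != 0) return -1;
    for (size_t k = 0; k < BLOCK; k++) {
        uint8_t b = buf[len - 1 - k];                    /* scan last block backwards */
        uint32_t is80 = ct_eq(b, 0x80), is00 = ct_eq(b, 0x00);
        bad |= (1u - found) & (1u - is00) & (1u - is80); /* junk before 0x80 */
        pad_len += 1u - found;                           /* count up to 0x80 */
        found |= is80;
    }
    bad |= 1u - found;                                   /* no delimiter seen */
    *out_len = len - pad_len;
    return bad ? -1 : 0;
}

/* Pads a constructed sample of plain_len bytes, optionally flips its last byte, and
 * returns the recovered length, -1 if both checks reject it, -2 if they disagree. */
long check_case(size_t plain_len, int tamper) {
    uint8_t buf[40] = {0};
    size_t n = (plain_len / BLOCK + 1) * BLOCK, a = 0, b = 0;
    for (size_t i = 0; i < plain_len; i++) buf[i] = (uint8_t)(0xA0 + i);
    buf[plain_len] = 0x80;                               /* 0x00s already there */
    if (tamper) buf[n - 1] ^= 0x01;
    int ra = unpad_early_exit(buf, n, &a), rb = unpad_constant_time(buf, n, &b);
    if (ra != rb || (ra == 0 && a != b)) return -2;
    return ra == 0 ? (long)a : -1;
}
```

Both checks accept and reject the same buffers; only the hardened one does the same amount of work whether the padding is intact or corrupted at any position.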
The attack is not applicable to the electrical personalization of banking applets (all sensitive data are over-encrypted).
The attack is not applicable if personalization is done in a secure place (the personalization site is usually certified by schemes or operated as a trusted environment).
The attack is not applicable if personalization is done OTA through an SCP80/SCP81 secure channel.
The attack is not applicable to data that are encrypted using the Data Encryption Key (DEK).
For ongoing programs using SCP02, the GlobalPlatform Security Task Force recommends the following simple rules:
· Use the ICV encryption recommendation from GPC_FAQ_021;
· Encrypt all sensitive data transmitted over SCP02 using the Data Encryption Key (DEK) or any applet key;
· Disable SCP02 if there is no need to update the card in the field;
· Add SCP03 to the card platform to be able to switch smoothly to AES cryptography.
Restricting the use of SCP02 to trusted environments can also be considered a valid alternative.
In March 2018 GlobalPlatform issued a security informative note about evolving trends related to Secure Channel Protocol 02 (a.k.a. SCP02), which is specified in the Card Specification document.
GlobalPlatform has deprecated this protocol in the current version of its specification (Card Specification v2.3.1).
Refer to the GlobalPlatform recommendations as described in the informative note: https://www.globalplatform.org/documents/Security_Informative_Note1_FINAL.pdf
On the 13th of September, Eurosmart - the voice of the Digital Security Industry - welcomed the European Commission proposal for a regulation establishing the European Cybersecurity Competence Centre (ECCC) and its related Community.
Eurosmart is fully committed to the achievement of the European Digital Single Market and supports all the efforts made by the European Commission to boost European cyber-resilience and to create a competitive European cybersecurity industry.
The establishment of strong links between the European research in the field of cybersecurity, Public Authorities, cybersecurity product manufacturers and solution providers is one of the paramount objectives that Eurosmart shares with the European Commission.
With the aim of encouraging the Cybersecurity ecosystem in Europe and competing on a global cybersecurity market, Eurosmart expects from the future ECCC:
The Cybersecurity public-private partnership (cPPP) and the creation of the European Cybersecurity Organisation (ECSO) laid the groundwork to pool knowledge and enhance collaboration amongst stakeholders involved in cybersecurity. Eurosmart supports the European Commission proposal to capitalize on lessons learned from the cPPP and argues for enhanced cybersecurity actions through working groups of the Cybersecurity Community.
The ongoing proposal for a Cybersecurity Act would establish a European Cybersecurity certification framework. This proposal will give impetus to the whole Cybersecurity Industry which would take advantage of a robust, trusted and scalable Cybersecurity Certificate. This proposal will contribute to the European cyber-resilience for both companies and citizens.
Eurosmart sees a unique opportunity to consolidate this approach and its community through the ECCC by sharing know-how amongst the stakeholders. The Digital Security Industry advocates for the State of the Art (SOTA) within the upcoming EU certification framework and is ready to contribute to the debate. In particular, those involved could benefit from the development of proposals for candidate certification schemes.
The ECCC could be a relevant tool for inviting all actors (SMEs included) to gain access to, or to shape, proposals on candidate certification schemes. This activity would require the full involvement of ENISA and competent authorities in the Community, as well as a high degree of representation of the diversity of the European cybersecurity ecosystem.
Regarding standardisation in the field of cybersecurity, further collaboration with the European Standardisation Organisations (ESOs) should be agreed, and more specifically with any working groups related to the EU Cybersecurity Certification Framework.
Eurosmart supports the idea of specific investments for cybersecurity and advocates for the identification of clear budget lines in the Digital Europe and Horizon Europe programmes that would be dedicated to the ECCC and its actions. The Digital Security Industry is convinced that a more consistent and specific approach will enable the involvement of actors in the Competence Centre.
Once the ECCC is established, the Member States should be encouraged to leverage innovations and solutions from both research in the field of cybersecurity and European industry. To achieve this goal, a political impetus from the European Union could be triggered with the support of the Community.
The digital world is now hyperconnected and it is gradually changing the daily life of European citizens and consumers.
This transformation of our society also requires us to revise our legal framework, to make sure that European values are included in this “new digital ocean”.
This digital world is not virtual! It is composed of hardware, software, applications, connectivity and human capital/know-how.
This expertise derives from technology experts who play a part in modernizing the traditional institutional scheme and, ultimately, in innovating the world.
Eurosmart is proud to count among its members the most renowned technology experts from the cryptography community, digital identity technologies, biometric technologies and digital security.
These critical technologies are deployed in the hands of several billions of users to secure their digital identities, transactions, business and personal data… Sometimes simply their privacy.
Eurosmart is the ‘spokesperson’ of this European excellence in the world and our experts are actively contributing to the European and International standardization process.
We are proud of our European roots but we can boast an open-mindedness at the same time, thanks to our global presence.
In view of this, we would like to share biannually the “Opinion of experts” from our community.
The first edition is dedicated to cryptography technology, with a strong focus on blockchain in digital identity and personal data protection, and on the future of post-quantum crypto.
Stefane Mouille - president of Eurosmart
We hope you will enjoy reading the first article.
Eurosmart, The Voice of the Smart Security Industry, welcomes results achieved by the Parliament and the Council during the first legislative phase of the Cyber Security Act.
It especially appreciates the work done by Angelika Niebler as Rapporteur of the proposal in the ITRE Committee. The efforts made to involve stakeholders in the debate were decisive in considering important issues and in better defining the needs of industry. Eurosmart welcomes the full involvement of stakeholders throughout the evaluation of a candidate scheme, whether by attending the Group or by expressing their views through ad-hoc platforms or sub-groups.
Eurosmart also wants to point out its satisfaction with the views of the Council: its General Approach on the proposed Cybersecurity Act confirms the European digital industries’ priorities by giving more consistency to the quality level of certification in the Member States, thanks to the accreditation and evaluation of the CABs. Eurosmart welcomes the Council proposal to carry out mandatory penetration testing (also known as ethical hacking) for assurance level “high” when evaluating the resistance of a product or a service to potential attacks.
Eurosmart continues to advocate for “High” and “Substantial” levels of certification for which evaluation must be carried out by Conformity Assessment Bodies (CABs), performing penetration tests by “ethical hacking”.
When the vote is taken at the European Parliament, Eurosmart enjoins the MEPs not to water down the initial ambitions of the text, while protecting the European digital industry’s assets.
The conformity assessment method should be carefully designed by the regulator to avoid any misunderstanding and to obtain a risk-based approach across the three levels.
The regulator shall define the way CABs are accredited and audited to ensure the quality of the evaluation method, which cannot be a purely market-driven approach when it comes to protecting strategic assets and citizens’ lives.
A mix-up of safety and security aspects is to be avoided. Self-certification could be useful to attest the “safety” level of products and services, but concrete steps are needed to define a high-quality approach for the EU cybersecurity market. A self-declaration of conformity alone is not enough to prevent potential attacks, given the increasing number of connected devices that could be used in hostile environments.
A European cybersecurity certification framework targeting scalable security requirements (high, substantial, basic) could become an asset of European industry and a protection for consumers and citizens. Certification is the sole way to face potential cyberattacks and the indispensable means of reaching an upwards-harmonised European framework.
Without strengthened EU cybersecurity certification schemes, a potential EU trust label for IoT would be worthless. Eurosmart considers the Cybersecurity Act and its certification scheme as a building block of a trusted Digital Single Market.
When it comes to the protection of personal data and with regard to the GDPR, Eurosmart urges the legislator to avoid double certification. GDPR certification should also be covered by the EU Cybersecurity Certification Framework, especially when it comes to IoT devices that process personally identifiable information.
Certification is also the condition to review the “Product Liability Directive” on the basis of new technologies and ICT devices. Without any clear definition of certification objectives (i.e. what is tested according to the different security levels), the identification of the responsibility chain would become even more complex.
The European Digital Security Industry has developed a unique and a globally recognized know-how. The EU cybersecurity certification Framework will contribute to a highly secure Digital Single Market and will benefit the whole European Digital industry.