Trustech | Cannes, 27th November 2019
Eurosmart, the Voice of the Digital Security Industry, announced the 2018 figures for worldwide secure element shipments and the 2019 forecasts. The overall growth trend is confirmed in 2018 (+2,2 %), while the 2019 forecast exceeds 10 billion units (10,360).
In the payment sector, the overall growth of payment cards is estimated to reach +3,2 % in 2019, which means 100 million more cards than in 2018.
This will be driven by regional mandates for chip-based payment cards and, above all, by the demand for contactless cards. This segment is seeing strong momentum: 2018 is the first year in which contactless card shipments surpassed contact cards, with a share of 51,4 %.
Supported by additional countrywide mandates, the growth of the contactless segment is expected to approach double digits in 2019.
In an overall stable telecom market reaching 5,6 billion units in 2018, we see continuing growth in the M2M market, driven by the push for connectivity in the automotive sector and other industrial segments.
On the consumer side, we also forecast an accelerated adoption of embedded SIM technology following its launch in top-selling products by some leading OEMs. This adoption opens new opportunities for additional services.
Despite this overall stability, the telecom market has seen a significant migration to 4G/LTE technology, ensuring a smooth transition to the upcoming 5G network technology.
The embedded secure element is expected to have registered double-digit growth in 2018, due to increased demand for wearables and new-generation smartphones. This is expected to continue in 2019 (+10 %).
Lastly, we expect the share of NFC and SE to reach 8 % of the total secure element forecast in 2019.
It is also noteworthy that, in the current year, emerging regions such as Africa, the Middle East and Asia are stimulating demand as well.
The identity sector pursues a steady build-out driven by new identity projects around the globe, as well as by product renewals. The contactless interface continues to be the dominant choice of governments, reaching a 60 % share in 2018.
“There has been a steady growth, except for telecom, in each segment of the sector. In 2018, this earned an increase of +2 % with a total amount exceeding the 10 billion threshold and has proved to be mainly driven by the EMV adoption and the secure elements for device manufacturers,” said Stéfane Mouille, President of Eurosmart.
On 30th May the Council issued its general approach on the Cybersecurity Act, which is currently being examined by the ITRE Committee of the European Parliament.
Eurosmart, the voice of the European Digital Security industry, welcomes the Council proposal to carry out mandatory penetration testing (also known as ethical hacking) for assurance level “high” when evaluating the resistance of a product or service to potential attacks.
Penetration testing, or ethical hacking, is the only rigorous way to evaluate the robustness of an ICT product and to check that the necessary state-of-the-art security functionalities are correctly implemented.
“Our digital world is more and more interconnected; it processes a huge quantity of sensitive personal data. The Cybersecurity Act must consciously tackle these evolving risks,” explained Stéfane Mouille, President of Eurosmart. “Products and services are continuously exposed to the threat of highly skilled malicious attackers who can exploit unchecked vulnerabilities. The European cybersecurity model cannot suffer from a lack of seriousness when evaluating products; with no strategic ethical hacking process, the detection of ICT product vulnerabilities remains impossible. Such vulnerabilities undermine European cybersecurity, which would run the risk of massive cyberattacks.”
The Digital Security Industry has a long track record of performing ethical hacking when evaluating its products. Eurosmart is one of the founding fathers of SOG-IS, coordinating the development of high-level certificates. Ethical hacking is therefore a proof of excellence of the Digital Security Industry in Europe, as well as a unique asset for European players in a global market.
Eurosmart urges the European Parliament and the members of the ITRE Committee to take penetration testing and ethical hacking into consideration and to extend them to level “substantial”. This is a fundamental element in making the European Digital Single Market the safest possible environment both for citizens and for the industry.
Ethical hacking (pen-testing, penetration testing) is the act of locating weaknesses and vulnerabilities in devices and information systems by anticipating the intent, actions and skills of malicious hackers. Ethical hacking is done for a defensive purpose, with the objective of improving the security of devices and information systems and of giving assurance that they will resist attacks of similar intent, actions and skills once released and operated.
Eurosmart welcomes the European Commission proposal to create a European Cybersecurity Competence Center (ECCC), backed by a dedicated network and a Community of accredited stakeholders. This initiative will enable the creation of a Community of cybersecurity expertise encompassing European industry, public authorities and research organisations. It is more than necessary to consolidate the European Cybersecurity Digital Single Market and to develop the already well-recognised European expertise and know-how in this area.
Even if European cybersecurity is globally recognised for its excellence, its ecosystem remains extremely weak compared to the 600 billion EUR global cybersecurity market. This situation puts European digital sovereignty at risk, and for this reason Eurosmart and its members expect this initiative to help increase the weight of this ecosystem in both qualitative and quantitative terms. The European Union must be able to take advantage of its own digital assets and to make them (cyber)secure.
Eurosmart proposes that the European Commission and policy makers take into consideration the following points as primary missions to be undertaken within the ECCC Community:
1. On certification: Promote the benefits and encourage adoption of European Cybersecurity certifications amongst the Community members.
2. Disseminate cybersecurity knowledge through dedicated training to help traditional European industry take advantage of cybersecurity innovations.
3. Nurture the SMEs’ expertise in the European Cybersecurity landscape.
4. Support the European standardisation strategy through the involvement of the Community and give a true consistency to the European Cybersecurity industrial policy.
The European Cybersecurity Certification Group contributes to the robustness of European cybersecurity products, services and processes. This certification framework, coupled with the European Competence Center initiative, constitutes a real asset for the Union in putting its cybersecurity products, services and processes at the forefront of the global market. This combined strategy will reverse the current tendency whereby, despite its cybersecurity industrial capabilities, Europe largely depends on non-European providers.
Eurosmart expects policy makers to enhance the consistency between the qualitative certification approach laid down in the Cybersecurity Act and the expected increasing number of European actors who need to gain access to the cybersecurity certification process. Some initiatives are necessary to make the European Cybersecurity Certification Framework a real asset for cybersecurity industrial policy; Eurosmart recommends the following:
The upcoming Cybersecurity Act and its related initiatives are expected to ensure a smooth transition of the current certification frameworks, and more precisely of SOG-IS, to the new European one. The European Cybersecurity Competence Center and its Community could facilitate this transition and make the new SOG-IS 2.0 available to new actors. The ECCC could more specifically contribute to the definition of protection profiles for critical infrastructures, covering the domains defined by the NIS Directive: energy, transport, banking, financial, health, water and digital infrastructures. These domains are the ones primarily concerned by high-level certifications. The ECCC is the right place to host and support the definition of PPs by involving the concerned stakeholders: experts from industry, research and national security agencies.
The level “high” deserves a specific approach due to its sensitive nature. The ECCC could initiate close and continuous cooperation amongst the Community members involved in certification processes at level “high” (i.e. the EUCCG, the PSG group, ENISA, EDPS and CERT-EU at EU level, the CERTs, the national authorities, industry and RTOs). The work undertaken by the Community shall pay attention to how the CABs are accredited, in order to ensure a homogeneous functioning of the certification process at this critical level.
To address the substantial level of cybersecurity certification, the ECCC Community could design innovative certification approaches as a common ground for sectorial legislation covering electronic appliances, toys, cars and the other verticals currently covered by safety compliance but which will be affected by cybersecurity issues. This strategy, supported by the ECCC through relevant grants (Digital Europe and Horizon Europe programmes), could bring together RTOs, industry and experts. This community of various actors could benefit from innovative research outcomes on certification before new products and services are placed on the European market. The supported and granted tasks could include:
- The definition of innovative candidate schemes according to the needs expressed by the Community, with a sectorial approach;
- The definition of new evaluation methodologies involving European CABs, industry and national agencies. This approach could help Community members take advantage of pentesting know-how to increase the quality of the developed candidate schemes while tackling substantial-level methodologies. The security level “substantial” should mainly concern B2B contexts in Europe, which can at the same time address critical infrastructures.
The European Competence Center could be the right place to commonly define the basic requirements for the security level “basic”. This level will be an entry point for many market players that are not familiar with security requirements.
Some basic principles must be disseminated through the Community to ensure that even the level “basic” provides a minimum of robustness for products, services and processes.
In this field, Eurosmart advocates including minimal cybersecurity features to prevent any unauthorised access, modification or information disclosure. This basic assurance level should be usable as a minimum requirement for all connected electronic devices, consumer electronics and applications.
Cybersecurity is everywhere and profoundly impacts the way new products and services are designed. Currently, when developing a new product, traditional manufacturers have to deal with functional specifications, standards and conformity to demonstrate that products, services or processes comply with the relevant EU safety legislation. With the increasing development of the IoT and IoTT (Internet of Thinking Things) market, cybersecurity is sometimes considered as an additional layer on top of the existing questions of safety and conformity.
The ECCC and the cybersecurity funding programmes could help EU actors, and especially SMEs that lack resources, to take the path of cybersecurity. The ECCC Community could create synergies through dedicated working groups and programmes to better understand cybersecurity issues when it comes to the development of new products and services. Eurosmart has identified several missions that should be conferred on the ECCC:
Concrete actions should be undertaken to train and inform all EU market players about cybersecurity certification when developing products and services. The goal is to bridge the gap between the safety and cybersecurity “mindsets”.
Within companies, quality departments manage traditional safety issues (conformity against functional specifications), but they are not able to deal with the cybersecurity certification approach. Europe is about to face an issue similar to GDPR, which required the creation of new DPO positions and the training of people within organisations. Similarly, the deployment of cybersecurity certification schemes will require training departments and employees to understand and manage security certification needs. The ECCC and the Community could help develop such training sessions, identify good practices, and develop guidelines and recommendations according to specific sectorial needs.
The ECCC shall aim at facilitating the quick adoption of the European Cybersecurity Certification Framework; to succeed in this task it shall attract experts with IoT vertical knowledge and IT security expertise. Several initiatives are expected to attract these profiles to the Community, to increase their number and to disseminate their knowledge.
For instance, when it comes to hardware attacks, penetration testing and the certification approach, the whole European industry relies on a very small ecosystem of about 600 people. These people are extremely rare resources and are necessary to enable high-quality cybersecurity certification processes. More specifically, this is the role played by communities of experts such as the JHAS group under the JIL, operated by Eurosmart, and the ISCI WG-1. Certification in cybersecurity cannot overlook the pentesting approach and its community: cybersecurity is a matter of human intelligence, whereas the safety approach is restricted to automated processes.
The ECCC could support both the training of the next generations of pentesters and the dissemination of their work, to increase the quality and efficiency of European cybersecurity resilience.
Similarly, mechanisms must be added to ensure sufficient representation of SMEs; their involvement in the ecosystem is obviously needed, as they concentrate a significant part of EU know-how in cybersecurity. The whole European industry relies on this expertise, as most of the current SOG-IS CABs able to perform pentests are SMEs. The know-how developed in these companies must benefit the whole value chain. Eurosmart recommends dedicating at least €100bn of European cascading funding to the benefit of cybersecurity SMEs. This European cascading funding can be managed by the evolution of the current cPPP infrastructure.
European standardisation harmonisation is supported by a well-defined regulatory approach in which CEN and CENELEC play a key role. The newly created CEN JTC13 shall be the converging point between safety and cybersecurity standardisation work. It is nevertheless necessary to renew the current pre-standardisation work undertaken by stakeholders. Eurosmart is convinced that Europe must learn from the good governance practices of non-EU and US fora and consortia.
The accreditation of genuine “European” organisations within the ECCC Community is key. Incentives should be put forward to gather and/or transform European groups of actors into identified fora and consortia. These European fora and consortia would reach the critical mass needed to initiate new standardisation work items according to their sectorial needs. This work could be backed by the ECCC in close collaboration with CEN/CENELEC, ENISA and the MSP for standardisation. In this perspective, Eurosmart notes the JRC mapping of more than 660 organisations from across the EU as cybersecurity centres of expertise. However, a clear legal definition is a much-needed first step towards the consolidation and identification of relevant EU stakeholders.
This white paper deals with current practices in high-level security evaluation methodology concerning vulnerability assessment, penetration testing and attack rating. They are compared with the trend in Common Criteria towards push-button testing, usually applied in low-level security evaluation methodology.
It does not argue against automated testing, but clarifies what assurance each approach can provide and what its limitations are.
On 17th April, the European Commission tabled a proposal for a regulation to improve the security features of EU citizens’ identity cards and residence cards, with the aim of curbing document fraud.
Eurosmart and its members are fully committed to achieving the highest level of trust and security, in particular in the fields of physical and digital ID documents. The following document presents the view of the Digital Security Industry on the future of electronic documents issued by national authorities in Europe. As part of the European Commission proposal on “Strengthening the security of identity cards of Union citizens”, Eurosmart is pleased to address some technical points and to contribute to the debate.