On 30th of May the Council issued its general approach on the Cybersecurity act which is currently examined by the ITRE Committee of the European Parliament.
Eurosmart, the voice of the European Digital Security industry, welcomes the Council proposal to carry out mandatory penetration testing (also known as Ethical Hacking) for assurance level “high” when evaluating the resistance of a product or a service to potential attacks.
Penetration testing or ethical hacking is the only rigorous way to evaluate the robustness of an ICT product and to check that the necessary state-of-the-art security functionalities are correctly implemented.
“Our digital world is more and more interconnected; it processes a huge quantity of sensitive personal data. The Cybersecurity Act must consciously tackle these evolving risks,” explained Stefane Mouille, President of Eurosmart. “Products and services are continuously exposed to the threat of highly skilled malicious attackers who can exploit unchecked vulnerabilities. The European cybersecurity model cannot suffer from a lack of seriousness when evaluating products; with no strategic ethical hacking process, the detection of ICT product vulnerabilities remains impossible. Such vulnerabilities undermine European cybersecurity, which would run the risk of massive cyberattacks.”
The Digital Security Industry has a long track record of performing ethical hacking when evaluating its products. Eurosmart is one of the founding fathers of SOG-IS, coordinating the development of high-level certificates. Ethical hacking is therefore a proof of excellence of the Digital Security Industry in Europe as well as a unique asset for European players in a global market.
Eurosmart urges the European Parliament and the members of the ITRE Committee to take penetration testing and ethical hacking into consideration and to extend it to assurance level “substantial”. This is a fundamental element in making the European Digital Single Market the safest possible environment both for citizens and for the industry.
Ethical Hacking (pen-testing, penetration testing) is the act of locating weaknesses and vulnerabilities of devices and information systems by anticipating the intent, actions and skills of malicious hackers. Ethical Hacking is done for a defensive purpose, with the objective of improving the security of devices and information systems and of giving assurance that they will resist attacks with similar intent, actions and skills once released and operated.
Eurosmart has noted the publication by Gildas Avoine (Rennes University, INSA Rennes) and Loïc Ferreira (Orange Labs) on a potential vulnerability in the SCP02 protocol, published yesterday on the TCES website.
This new publication reports a known attack applied in a new context.
For a long time, Eurosmart has been recommending that additional security measures be added to SCP02, such as pre-encrypting sensitive data, restricting its usage to trusted environments, or other appropriate means of enhancing the security of SCP02.
Please find below a Q&A developing in more detail the questions you may have as an end user of Eurosmart technology.
Eurosmart is committed to developing, promoting and maintaining the appropriate security level for its products, solutions and protocols.
What is retrieved is the plaintext in question (not the key), and only from one card.
Pre-encrypted data cannot be retrieved in the clear.
The conditions for performing the attack on SCP02 are as follows:
· The attacker must be able to intercept and modify messages between the server and the card in an open environment;
· The attacker must be able to perform precise timing measurements (distinguishing wrong padding from good padding), with either access to the device or the ability to load spy malware;
· The same plaintext must be sent enciphered several times (around 128 times to disclose one single byte of information), either to different cards with different keys or to the same card with different session keys.
The attack is not applicable to the electrical personalization of banking applets (all sensitive data are over-encrypted).
The attack is not applicable if personalization is done in a secure place (the personalization site is usually certified by schemes or operated as a trusted environment).
The attack is not applicable if personalization is done OTA through an SCP80/SCP81 secure channel.
The attack is not applicable to data that are encrypted using the Data Encryption Key (DEK).
For ongoing programs using SCP02, the GlobalPlatform Security Task Force recommends the following simple rules:
· Use ICV encryption recommendation from GPC_FAQ_021;
· Encrypt all sensitive data transmitted in SCP02 using the Data Encryption Key (DEK) or any applet key;
· Disable SCP02 if there is no need to update the card in the field;
· Add SCP03 to the card platform to be able to switch smoothly to AES cryptography.
Restricting the use of SCP02 to trusted environments can also be considered a valid alternative.
In March 2018, GlobalPlatform issued a security informative note about the evolving trends related to Secure Channel Protocol 02 (a.k.a. SCP02), specified in its Card Specification document.
The GlobalPlatform organization has deprecated this protocol in the current version of the GlobalPlatform specification (Card Specification v2.3.1).
Refer to the GlobalPlatform recommendations as described in the informative note: https://www.globalplatform.org/documents/Security_Informative_Note1_FINAL.pdf
Eurosmart, ‘The Voice of the Digital Industry’ among the European and national institutions and the Brussels ecosystem, is proud to welcome three new members to our association.
Through these three memberships, the Association gains critical technical competence in three different areas: firstly, in the biometry technology sector with Bactech; secondly, in the Common Criteria and IT security certification scheme with Internet of Trust; and finally, in functional conformity testing of ePass, eDL, eID, NFC and EMV payment means as well as the Mobile ePassport and Mobile eDL with KEOLABS.
“Eurosmart has actively supported the SOGIS MRA for over 20 years and offers a unique position to address the challenges of today’s digital market security certification. Internet of Trust is already involved in the definition and operation of several global certification schemes and this membership is the opportunity to contribute to the convergence between proven practices and the ENISA new mandate in the near future,” Claire Loiseaux, CEO of Internet of Trust, said.
“Being part of Eurosmart is a strategic evolution for KEOLABS: given that we represent a 40-employee SME, following the decision makers’ activity has become harder, particularly regarding the dematerialization of physical documents on the mobile phone,” Michael Leplatois, President of KEOLABS, said.
“Apple transformed the biometric technologies from a ‘police & justice’ topic into a ‘cool technology’ for the end users, making their life simpler. The Eurosmart working group on Biometry technologies is a key moment to bring the security knowledge from forensic labs towards the commercial device makers. Bactech is proud to bring its 20 years’ expertise on biometrics and biometric systems performance & security evaluation lab capabilities to this lasting and renowned industry association,” Claude Barral, CEO of Bactech, said.
“As Eurosmart President, I am extremely honored and proud to count three new SME experts in Cyber Security, Digital Identities, Security Certification schemes, Biometry technologies and Conformity testing of critical infrastructures.
This shows that EU big companies and EU SMEs are extremely complementary: we have to keep in mind that 95% of the Cyber Security, Digital Identities and Biometry technologies providers in Europe are SMEs,” Stefane Mouille, President of Eurosmart, added.
Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the Digital Security Industry for multisector applications. Founded in 1995, the association is committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Members are manufacturers of secure elements, semiconductors, smart cards, secure software, High Security Hardware and terminals, biometric technology providers, system integrators, application developers and issuers.
Eurosmart members are companies (Fingerprint Cards, Gemalto, Giesecke+Devrient, GS TAG, IDEMIA, IN GROUPE, Infineon Technologies, Inside Secure, Internet of Trust, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), laboratories (CEA-LETI, KEOLABS), research organisations (Fraunhofer AISEC), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).
Eurosmart, The Voice of the Smart Security Industry, welcomes results achieved by the Parliament and the Council during the first legislative phase of the Cyber Security Act.
It especially appreciates the work done by Angelika Niebler as Rapporteur of the proposals in the ITRE Committee. The efforts made to involve stakeholders in the debate were decisive in considering important issues and in better defining the needs of industries. Eurosmart welcomes the full involvement of stakeholders throughout the evaluation of a candidate scheme, whether by attending the Group or by expressing their views through ad-hoc platforms or sub-groups.
Eurosmart also wants to point out its satisfaction with the views of the Council: its General Approach on the proposed Cybersecurity Act confirms the European Digital industries’ priorities by giving more consistency to the quality level of certification in the Member States, notably through the accreditation and evaluation of the CABs. Eurosmart welcomes the Council proposal to carry out mandatory penetration testing (also known as Ethical Hacking) for assurance level “high” when evaluating the resistance of a product or a service to potential attacks.
Eurosmart continues to advocate for “High” and “Substantial” levels of certification for which evaluation must be carried out by Conformity Assessment Bodies (CABs), performing penetration tests by “ethical hacking”.
When the vote is taken at the European Parliament, Eurosmart enjoins the MEPs not to water down the initial ambitions of the text, while protecting the European Digital Industry’s assets.
The conformity assessment method should be carefully designed by the regulator to avoid any misunderstanding and to obtain a risk-based approach according to the three levels.
The regulator shall define the way CABs are accredited and audited to ensure the quality of the evaluation method, which cannot be a purely market-driven approach when it comes to protecting strategic assets and citizens’ lives.
A mix-up of safety and security aspects is to be avoided. Self-certification could be useful to attest the “safety” level of products and services, but concrete steps are needed to define a high-quality approach for the EU cybersecurity market. Self-declaration of conformity alone is not enough to prevent potential attacks, given the increasing number of connected devices that could be used in hostile environments.
A European cybersecurity certification framework targeting scalable security requirements (high, substantial, basic) could become an asset of the European industry and a protection for consumers and citizens. Certification is the sole way to face potential cyberattacks and the indispensable means of reaching an upwards harmonised European framework.
Without a strengthened EU cybersecurity certification scheme, a potential EU trust label for IoT would be worthless. Eurosmart considers the Cybersecurity Act and its certification scheme a building block of a trusted Digital Single Market.
When it comes to the protection of personal data and with regard to the GDPR, Eurosmart urges the legislator to avoid double certification. GDPR certification should also be covered by the EU Cybersecurity Certification Framework, especially when it comes to IoT devices which process personally identifiable information.
Certification is also the condition to review the “Product Liability Directive” on the basis of new technologies and ICT devices. Without any clear definition of certification objectives (i.e. what is tested according to the different security levels), the identification of the responsibility chain would become even more complex.
The European Digital Security Industry has developed a unique and a globally recognized know-how. The EU cybersecurity certification Framework will contribute to a highly secure Digital Single Market and will benefit the whole European Digital industry.
Eurosmart, the voice of the Digital Security Industry, strongly believes that Europe deserves a strong, comprehensive approach to strengthen its cyber resilience. The EU should concretely boost the European Digital Industry to reach global competitiveness and bring more trust to citizens and enterprises.
The European Digital Security Industry has developed unique and globally recognised know-how, but it suffers from poor public investment and few public initiatives that would protect this common asset. For these reasons Eurosmart strongly supports the achievement of the Digital Single Market, the digital transformation and the cybersecurity-related initiatives.
Eurosmart is convinced that trust is the cornerstone of the achievement of the Digital Single Market. The legislator leverages public investment to drive competition and to address the social challenges of the digital age.
Therefore, Eurosmart welcomes the European Commission proposal on “Digital Europe programme” and specifically acknowledges two of its objectives: “the efforts to reinforce and to harmonise upwards the cyber capability throughout Europe” and “the wide development of the cybersecurity solutions across the economy”.
Europe’s worldwide leadership in cybersecurity is a prerequisite for the achievement of the Digital Single Market. Synergies and consistency are necessary for efficient public action, on account of the multiplication and fast-growing trend of cyberthreats. Even if public programmes such as HORIZON2020, FP9, ECSEL, CEF and Digital Europe are big steps forward, the increase of cyber resilience capabilities in Europe remains scattered amongst several initiatives.
Eurosmart hence regrets the lack of a comprehensive master plan to support Cybersecurity in Europe.
Eurosmart expects a strong economic race between China, the US and the EEA on both of these issues in the coming years. High Performance Computing (HPC) and Artificial Intelligence (AI) are essential for digital sovereignty in the digital world as well as in the cyber security domain. For these reasons, the EEA should be able to import those technologies from third countries; this includes the know-how on technologies, on capabilities and on new limits.
This approach could be based on already existing experiences like GPS in the US, GLONASS in Russia and GALILEO in Europe.
HPC would incorporate new technologies such as quantum computing and others; AI can be used both as a “white hat” tool and as a “black hat” tool. This could lead to better-quality cyberattack countermeasures.
The Conclusions of the European Council of 19 October 2017 specify that Europe must urgently address new emerging trends about cybersecurity such as digital secure identities, digital secure communication, digital secure infrastructure and their related applications.
The basis of the digital world is a combination of “Application and Software”, “Hardware and Device”, “Net, Web and Cloud services” and “Data Networks”. The mastery of these elements is necessary to ensure our digital sovereignty.
The current proposal made by the Commission (art. 6) could lead to a sectorial approach and segment the effect of public action. Eurosmart advocates a transversal approach which is not based on applications alone.
Advanced digital skills should be considered from pre-school onwards for the new “digital native” generations. “Generation Y” and “Generation Z” should be addressed as well through specific programmes, considering that the development of digital skills must be part of all academic programmes.
Even job descriptions show disruptive changes. For example, in Industry 4.0 the required knowledge of Cyber Physical Production Systems is linked to the hyper-connected IT world as well as to the production OT world. More broadly, studies in machine construction do not address any elements of IT, and even less with regard to IT security.
This topic should act as a bridge between the Cybersecurity Act and the related security levels and certification schemes for the Internet of Thinking Things (IoTT), the next generation after IoT.
Reinforcing links between PPP, EU Network of competence centers and Digital Innovation Hubs
Eurosmart welcomes the proposal to implement the programme through European Partnerships, which may include new public-private partnerships (PPP). The Digital Security industry advocates enhanced PPP. From a governance point of view, this option is the only way to involve all the stakeholders and national and regional bodies in a fair and transparent process without any additional administrative burden. The PPPs are the only way to bring together the relevant high-level experts from both the public and the private side. They facilitate links between the demand side (both public and private, from various sectors, e.g. health, telecom, energy, space, defence, finance, transport) and the supply side of cybersecurity. This stimulates a leverage effect on both European cybersecurity excellence and know-how.
Eurosmart welcomes the proposal to create Digital Innovation Hubs but enjoins the legislator to avoid any fragmentation or dissipation of resources. Strong links must be created with the EU Network of competence centres.
The new framework will go beyond R&I activities; therefore, we expect the involvement of, and links with, the Cybersecurity Public-Private Partnership (aka ECSO) to be specified in the current proposals.
Consistency with the Cybersecurity Act and its European Certification framework
The proposal for a Cybersecurity Act will establish a European Cybersecurity certification framework, and both the industry and the public sector would take advantage of this opportunity, thus enabling a trusted environment.
Even if cybersecurity certification is likely to be voluntary, some specific and regulated sectors or public procurement will make the approach mandatory. To achieve a high security level, the development of a candidate cybersecurity certification scheme could be necessary. However, the conception of such a scheme may not be affordable for some parts of the industry, especially for SMEs.
With the aim of raising the capability level of the European industry and increasing the security level, the current Digital Europe Programme should include among its objectives support and financing for activities related to the definition of candidate certification schemes.
Eurosmart, SPA and SIMalliance joint statement pointing out that used smart cards are not to be considered Electrical and Electronic Waste.
In recent months, customers of the smart card industry have raised the question whether smart cards and smart card based products (e.g. SIM cards, payment cards, electronic passports, electronic ID cards, health insurance cards) would fall under the scope of the WEEE Directives. The industry is aware of the fact that at least some Member State authorities, i.e. national WEEE registers, have published opinions indicating that smart cards are in scope of the WEEE Directive, although different interpretations still apply in other Member States. This is raising severe objections within industry and among subject matter experts, caused by strong concerns about clearly identifiable security and privacy risks.
In this paper, we discuss this subject from a legal perspective (first chapter), while also considering security and privacy (second chapter) and political aspects (third chapter).
Investigating the legal situation under the first WEEE Directive 2002/96/EC, industry states that smart cards do not fall within the scope of this directive, in line with a former FAQ of the European Commission. The arguments are outlined below:
If electrical or electronic parts of smart cards or similar products are mere components of the cards or similar products and not EEE in terms of the WEEE Directive, such cards or products are not within the scope of Category 3 of Annex IA to the WEEE Directive.
· The scope of the WEEE Directive is limited to the categories set out in Annex IA to the WEEE Directive. Whereas Annex IB to the WEEE Directive contains a not exhaustive list of examples, a product is within the scope of the regulation only if it can be assigned to one of the categories according to Annex IA to the WEEE Directive.
· Thus, the scope of the categories cannot be widened by an extensive interpretation of the binding categories according to Annex IA to the WEEE Directive. (cf. German Federal Administrative Court, Ruling of 21 February 2008, Case 7 C 43.07 and Ruling of 23 September 2010, Case 7 C 20.09).
· Against this background smart cards and similar products like electronic passports or health insurance cards are not “IT and telecommunications equipment” as such products are not used for the collection, storage, processing, presentation or communication of information but for other purposes like payment or identification. Moreover, the user of these products has no direct access to the data incorporated and cannot use the card for the purposes mentioned in Annexes IA and IB to the WEEE Directive.
If electrical or electronic parts of smart cards are considered EEE themselves (e.g. chip or RFID tag), the complete smart card product would be exempted from the scope of the WEEE Directive: The card or passport provides additional functionality, which is not dependent on electric currents or electromagnetic fields (e.g. regarding information shown on the card or passport for identification or security purposes like photo, signature, name, address, validity, passport or credit card number). The card or passport therefore is not mere packaging but another product that, in general, does not fall within the scope of the WEEE Directive. EEE being part of such product is exempted from the scope according to Article 2 (1) of the WEEE Directive.
Additionally, the required current demand cannot be assigned to the card, which often acts as a passive device with a respond-only function, but exclusively to the reading device (ATM, handset, contactless terminal...). Note that smart cards do not include batteries, but receive their energy from an external electromagnetic field. From this angle too, the card is not an electronic device under the definition of EEE.
Industry is convinced that all of the above legally holds at least until the recast of the current directive. This is based on the assumption that the new Directive 2012/19/EU only applies to EEE that was within the scope of the former Directive 2002/96/EC, i.e. not to smart cards. Looking forward, there are, apart from pure legislation, strong arguments why smart cards should not fall under the scope of WEEE. This should apply in the same manner to (contactless) chips. Following this argument, according to the WEEE Directive from 2012, if the chip does not fall under the Directive, then the smart cards as such do not fall under the Directive either; see the table below:
Smart cards are in this sense:
| EEE | 2002 WEEE Directive | 2012 WEEE Directive |
|---|---|---|
| Equipment which is part of another type of equipment that is excluded from or does not fall within the scope of this Directive | Excluded: “the equipment concerned is part of another type of equipment that does not fall within the scope of the Directive”. | Excluded: “Equipment which is specifically designed and installed as part of another type of equipment that is excluded from or does not fall within the scope of this Directive, which can fulfil its function only if it is part of that equipment”. |
Industry develops, produces and markets the products involved in accordance with the highest standards to ensure the best possible data protection and security features and to prevent misuse. Industry is concerned about the idea of consumers disposing of highly sensitive products like credit cards or health cards at WEEE collection facilities.
Industry acknowledges that manufacturers and distributors could implement take-back schemes to ensure both the return of used or waste products and adequate recycling. However, take-back schemes on a one-to-one basis would not eliminate the severe risk of unlawful usage of waste cards. This especially holds true when considering that, according to the WEEE Directive, distributors will be obliged to take back waste products originally placed on the market by another manufacturer, as long as the latter equipment is of equivalent type and has fulfilled the same functions as the cards supplied by the distributor. Even in this case, the risk of unlawful usage of waste cards cannot be excluded, as sensitive waste products will be accessible to an uncontrollable number of persons.
Do we really want staff canteens (in their role as “distributor” of food payment cards) to take back credit cards (seen as “equipment of equivalent type”)? Do we really want to see piles of health cards at public waste collection points? Data privacy is rightfully deemed a high value, and not only since recent events. The smart card industry is striving to protect these data in the best possible manner. These efforts should not be made obsolete by opening new security and privacy gaps.
It is also worth mentioning that the inclusion of smart cards would not advance the initial environmental goals of WEEE. Smart cards account for only a negligible amount of electronic waste. Yet, in a realistic scenario, even this amount would not be reached by far: following the privacy considerations mentioned in the previous paragraph, it is presumable that consumers will not return their smart cards even if obliged to, in order to protect their private data. Hence, the realistic benefit from an inclusion of smart cards in WEEE would hardly be observable. This needs to be compared to the highly cumbersome (and still error-prone) take-back efforts required by the high security requirements, whose environmental harm would even offset the benefits. For these cases, the legislator might foresee the definition of a certain threshold below which goods would not need to be registered.
With the advent of multi-application cards, it is worth mentioning that previously clearly separated product classes are now blurring. For example, SIM cards increasingly carry credit card functionalities, transit cards include payment functionalities, etc. Hence, clear and consistent legislation for all smart cards should be targeted. Taking all this into consideration, industry has sought clarification on this topic from the European Commission. The smart card industry is convinced that the task of defining EU-wide prerequisites for the disposal of highly sensitive products like smart cards will be carefully assessed by the European Commission, taking into consideration full data protection and the benefit for the environment, although official and final feedback is still awaited. The smart card industry will continue to avoid security and privacy risks in the interest of the user, within and beyond the WEEE Directive.
Eurosmart, the Voice of the Digital Security Industry, is an international non-profit association located in Brussels, representing the Digital Security Industry for multisector applications. Founded in 1995, the association is committed to expanding the world’s Digital secure devices market, developing smart security standards and continuously improving the quality of security applications.
Members are manufacturers of secure elements, semiconductors, smart cards, secure software, High Security Hardware and terminals, biometric technology providers, system integrators, application developers and issuers.
Eurosmart members are companies (Fingerprint Cards, Gemalto, Giesecke & Devrient, GS TAG, Idema, Imprimerie Nationale, Infineon Technologies, Inside Secure, Internet of Trust, Linxens, Nedcard, NXP Semiconductors, +ID, Real Casa de la Moneda, Samsung, Sanoïa, STMicroelectronics, Toshiba, Trusted Objects, WISekey, Winbond), laboratories (CEA-LETI, Keolabs), research organisations (Fraunhofer AISEC), associations (SCS Innovation cluster, Smart Payment Association, Mobismart, Danish Biometrics).
For more information, please visit http://www.simalliance.org Contacts: 29/30 Fitzroy Square- London W1T 6LQ, United Kingdom.
SIMalliance is a non-profit industry association founded in 2000 aiming to simplify secure element (SE) implementation to drive the creation, deployment and management of secure mobile services. SIMalliance promotes the essential role of the SE in delivering secure mobile applications and services across all devices that can access wireless networks. By identifying and addressing SE-related technical issues, and both clarifying and recommending existing technical standards relevant to SE implementation, the SIMalliance aims to promote an open SE ecosystem to facilitate and accelerate delivery of secure mobile applications globally.
SIMalliance members are Eastcompeace, Fundamenture, Gemalto, Giesecke & Devrient, Incard, KONA I, IDEMIA, Valid, Watchdata and Wuhan Tianyu.
For more information, please visit www.smartpaymentassociation.com Contact: Smart Payment Association e.V. - PO Box 800729- D-81607 Munich, Germany email@example.com
The Smart Payment Association (SPA) is the trade body of the smart payment industry. A non-profit organization founded in 2004, the association now counts six members including the three founding members Giesecke & Devrient, Gemalto, IDEMIA, Austria Card, and Incard. The SPA works in partnership with global standards bodies, its own vendor community, and an expanding ecosystem of established and emerging brands offering an ever-growing portfolio of advisory and support services.