ETSI Security week – Presentation of the Eurosmart IoT certification scheme

ETSI Security week – Presentation of the Eurosmart IoT certification scheme

At the 2020 ETSI security week, Eurosmart represented by Roland Atoui, senior board member, presented the recent achievement of their proposal for an IoT Device Security Certification Scheme. In response to the creation of the EU Cybersecurity Act, Eurosmart created a dedicated task force to define a candidate certification scheme covering the IoT device scope and the corresponding market security requirements.

Risk-based IoT Market verticals

The scope of this certification scheme is the Internet of Things (IoT) device separating the device in layers from the Hardware to Firmware up to the Application layer with a focus on the Substantial and Basic security assurance level as defined by the EU Cybersecurity Act.

The purpose is to ensure that IoT devices certified under this scheme comply with specified requirements supported by the industry in a risk-based approach taking into account the intended usage of the device in the respective operational environment from the Consumer to the Industrial environments.

For instance, a connected camera that is intended to be used at home will not have to comply with the same requirements as a connected camera that is placed outdoor observing an ATM for instance. Even though they may have the same functionality.

The Target of evolution allows a composition evaluation for an application for instance based on an underlying certified component to minimize the effort required.

Security profiles

Security Profiles are created, taking into account both vendors and buyers’ pain in processing and maintaining ICT/IoT product certifications.

Therefore, a simple and clear process is defined providing for each stakeholder involved documentation and metrics that are tailored to its level of understanding of the security problem definition.

Business Lines are included in the list of stakeholders to help in defining the set of security requirements to be used as the basis of certification. These security requirements are defined in what we call a Security Profile which is a summarized representation of the results of a risk analysis conducted on a type of product such as connected camera or a smart TV or a LORA module, etc.. The creation of the security profile process is defined in 3 steps using the available generic catalogue of security requirements. It is included in the scheme to allow a harmonized creation of security profiles. This is very important to guarantee the most objective and comparable results.

Finally, the vendor will have to complete a Vendor Questionnaire with the info satisfying the requirements before sharing these with the CABs who will generate an evaluation report and issue a certificate.

Link to ETSI: how EN 303 465 and TS 103 701 are used?

At the basic level, this scheme provides a generic Security Profile mapping to the EN 303 465 security provisions, the added value is that the risk-based requirements depending on the intended usage and the type of IoT consumer device are identified automatically.

It is expected when the Assessment document TS 103 701 is ready for use that this scheme will integrate the test procedures to the existing evaluation methodology allowing both vendors and CABs to run such evaluation in the most cost-efficient way.

Key Takeaways of the E-IoT-SCS

The content of this scheme is fully open and available on the Eurosmart Website, it has been referenced as a potential candidate scheme by ENISA itself in their latest publication. (ENISA – Standards Supporting Certification 4.02.2020). The documentation of the scheme includes a built-in risk analysis adapted to IoT and the TTM constraints, very important for objective and harmonized results.

The scheme is fully compliant with the EU Cybersecurity Act and includes already a mapping to the relevant articles of the regulation..

The BASIC assurance relies completely on the ETSI EN 303 465 baseline and partially when addressing the Substantial level.

The scheme has been designed, based on the experience of labs, vendors and users of certification and provides the best processes and tools allowing to have a cost-efficient, objective and harmonized results.