What You Need to Know From ETSI Cyber Week – IoT Security

At the recent ETSI annual conference, several cybersecurity domains were discussed. In this article, we’ll look at the latest development in IoT.

With the increasing adoption of 5G technology, the European Commission has requested that ENISA develop a candidate European Cybersecurity Certification scheme for 5G networks (EU5G). The EU5G scheme will extend the EU toolbox for 5G security, as it seeks to address specific risks as part of a broader risk mitigation strategy. While ENISA is still working on both the EUCC (Common Criteria-based) and EUCS (cloud services) schemes, we can expect the finalized version of EUCS in Q4 2021.

As the European Commission and the Cybersecurity Certification Group set up under the Cybersecurity Act (CSA) start discussing a candidate cybersecurity certification scheme for connected devices, we can expect such a scheme to be aligned with EU legislative frameworks and with the other European Cybersecurity Certification Schemes, namely the European Common Criteria scheme (EUCC) and the European Cloud Services Cybersecurity Certification Scheme (EUCS). We believe combining multiple schemes may provide a more holistic approach to certification. For example, using the IoT scheme for products and the EUCS scheme for the supporting services may complement a standalone IoT scheme. As of now, we expect the Union Rolling Work Programme (URWP) for European Cybersecurity Certification to be published in Q3 2021; it will show how the European Commission intends to issue the request to ENISA, the EU Cybersecurity Agency. What we know now is that the scope of such a scheme will capture IoT devices in residential, industrial, and other settings, and that the assurance levels will be the same three levels defined by the CSA: basic, substantial, and high. As the European Commission emphasizes the need for standardization, standards development in EU member states and internationally will need to be integrated into the EU Cybersecurity Certification Scheme for IoT.

We are also seeing exciting updates to EN 303 645, which provides a common security baseline for all consumer IoT across the European and global markets. The focus for Q2 2021 is on developing the assessment specification (TS 103 701) for testing against the provisions of EN 303 645. As this standard matures, we can expect alignment with other standards and legislation under development for IoT.

General cybersecurity assessment frameworks often serve as a horizontal solution. To cover both the general assurance requirements (such as the assurance levels defined by the CSA) and a specific field of application such as IoT, some guidance is provided on how to integrate EN 17640 into a certification scheme. EN 17640 is a general, fixed-time cybersecurity evaluation methodology for ICT products, and integrating it into a certification scheme so that it fits that scheme's assurance requirements raises some interesting questions, one being the extent of assessment required for each assurance level. The editors of the draft (dEN 17640) and CEN/CLC JTC 13/WG 3 are currently working to publish this standard in September 2021. Also worth noting is the possible future application of EN 17640 in a certification scheme under the Radio Equipment Directive (RED).

The GCF also had some interesting updates on its Consumer IoT Security Accreditation programme, which is based on EN 303 645. Phase 1 currently provides self-accreditation for non-constrained devices: manufacturers submit a security compliance declaration covering the first three IoT security provisions defined by ETSI Cyber in EN 303 645. We expect development work for phase 2 to focus on extending assessment coverage to constrained IoT devices and on using the TS 103 701 test specification as the baseline for conformity assessment against EN 303 645. For phase 1, product manufacturers should make sure no universal default passwords are used, implement a means to manage reports of vulnerabilities, and keep software updated.

Another example of EN 303 645 adoption is the Cybersecurity Labelling Scheme (CLS) from the Cyber Security Agency of Singapore (CSA Singapore, not to be confused with the EU Cybersecurity Act). This scheme consists of four tiers. Although participation is voluntary, security-critical devices such as Wi-Fi routers will need to obtain at least tier 1 in Singapore. As more nations launch their own schemes, we have to be more mindful of fragmentation. For this particular scheme, alignment is achieved by leveraging EN 303 645 and TS 103 701 for tier 4 testing.

Our main observation was the importance of the collaborative effort in developing mutually recognized standards. For product manufacturers in the global market, this provides real value: manufacturers do not have to choose which standard to comply with in order to operate across many jurisdictions.