Realize Ultimate Security, every step starts with the labs
www.onwardsecurity.com
2021 Best IoT Security Company
A deep dive into international IoT security standards and certifications
Onward Security (仲至信息科技) CTO 刘作仁
2021/10/13
© 2021 Onward Security Corp. All rights reserved.
IoT security compliance solutions
• Founded in 2014
• More than 80 employees
• 200+ customers served
• 400+ products validated
• 10+ awards
Extensive hands-on security experience; internationally accredited laboratories; international awards
Awards: Best IT Company of the Year; Best Cybersecurity Company – ASIA, Gold Winner; Hot Company in Cybersecurity Internet of Things
• 57% of IoT devices are currently vulnerable to medium- or high-severity attacks
• IoT vulnerabilities cost more than $500,000 per month
Device vulnerabilities disclosed in mid-2021
• https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
• https://www.securityweek.com/vulnerability-affecting-routers-many-vendors-exploited-days-after-disclosure
Connected-product security regulations, standards and guidelines in the US and Europe
Regulation (US): SB-327; IoT Cybersecurity Improvement Act; IoT Consumer TIPS Act; FDA "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices"
Regulation (Europe): EU Cybersecurity Act
Standard (US): FIPS 140-3
Standard (Europe): ISO 15408 (Common Criteria); IEC 62443; ISO/SAE 21434; ETSI EN 303 645
Guideline (US): NISTIR 8228; NIST 8259 series
Industry requirements (US): Amazon, Google, Apple; major telecom operators (AT&T, Sprint, Verizon, T-Mobile)
Industry requirements (Europe): major telecom operators (Orange, BT, DT, Vodafone, EE, Telefonica); Nokia
Certification (US): CTIA; ioXt
01 Regulations and international standards
EU Cybersecurity Act
• Entered into force in June 2019
• Establishes the EU cybersecurity certification framework
  ✓ Covers ICT products, services and processes
  ✓ Each scheme specifies one or more assurance levels: basic, substantial or high
Assurance levels and who may evaluate:
• High: conformity assessment bodies (CABs)
• Substantial: CABs
• Basic: CABs, or manufacturer self-assessment without a CAB
Examples of standards and evaluation levels shown against the ladder: ETSI EN 303 645, CC EAL2, IEC 62443-4-2, CC EAL3+, CC EAL4+
https://www.enisa.europa.eu/events/towards_security_framework/Presentation%20-%20Meister/
IoT security in the United States and Europe
ETSI EN 303 645 (EU)
• Consumer IoT security standard released by ETSI in June 2020
• https://www.etsi.org/newsroom/press-releases/1789-2020-06-etsi-releases-world-leading-consumer-iot-security-standard
SB-327 Information privacy: connected devices (US, California)
• Operative from January 1, 2020
• A manufacturer of a connected device shall equip the device with a reasonable security feature or features
• If a connected device is equipped with a means for authentication outside a local area network, either of the following counts as a reasonable security feature:
  ✓ The preprogrammed password is unique to each device manufactured
  ✓ The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time
IoT Cybersecurity Improvement Act (US)
• Requires vendors of Internet-connected devices purchased by the federal government to ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities
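The two SB-327 options above are easy to state and easy to get wrong in firmware, so here is an added example (not code from the slides or from Onward Security) that models both: a per-unit default password derived at provisioning time, and an authentication gate that refuses any login from outside the LAN until the user has replaced that default. FACTORY_SECRET, the serial-number scheme, the 192.168.1.0/24 LAN range and all names are assumptions for the example.

```python
"""Model of SB-327's two acceptable security features for a device that accepts
authentication from outside the local network. Added example, not product code."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

# Assumption: a secret held only by the factory provisioning system
# (constructed value for the example, not a real key).
FACTORY_SECRET = b"example-factory-provisioning-secret"


def derive_unique_default_password(serial: str, length: int = 16) -> str:
    """Option 1: a preprogrammed password unique to each unit. A keyed hash of
    the serial gives every unit a different default that cannot be computed
    from the serial (printed on the label) without the factory secret."""
    digest = hmac.new(FACTORY_SECRET, serial.encode(), hashlib.sha256).digest()
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class DeviceAuth:
    serial: str
    lan: ipaddress.IPv4Network = ipaddress.ip_network("192.168.1.0/24")
    _salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _pw_hash: bytes = b""
    credential_rotated: bool = False

    def __post_init__(self):
        # The unit ships with its unique default (option 1). Remote access is
        # additionally withheld until that default is replaced (option 2).
        default = derive_unique_default_password(self.serial)
        self._pw_hash = _hash_password(default, self._salt)

    def set_password(self, old: str, new: str) -> bool:
        """Replace the credential; rejects a wrong current password, short
        passwords, and re-use of the factory default."""
        if not hmac.compare_digest(self._pw_hash, _hash_password(old, self._salt)):
            return False
        if len(new) < 8 or new == derive_unique_default_password(self.serial):
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_password(new, self._salt)
        self.credential_rotated = True
        return True

    def authenticate(self, password: str, client_ip: str) -> str:
        """Returns 'granted', 'denied', or 'rotate-first'."""
        remote = ipaddress.ip_address(client_ip) not in self.lan
        if remote and not self.credential_rotated:
            # Authentication from outside the LAN is refused until the user
            # has generated a new means of authentication.
            return "rotate-first"
        if hmac.compare_digest(self._pw_hash, _hash_password(password, self._salt)):
            return "granted"
        return "denied"


if __name__ == "__main__":
    dev = DeviceAuth("SN-0001")
    default = derive_unique_default_password("SN-0001")
    print("remote login with default:", dev.authenticate(default, "203.0.113.5"))
    print("LAN login with default:", dev.authenticate(default, "192.168.1.20"))
    print("rotate:", dev.set_password(default, "Correct-Horse-9"))
    print("remote login after rotation:", dev.authenticate("Correct-Horse-9", "203.0.113.5"))
```

The point of deriving the default with a keyed hash rather than storing a random string per unit is that the production line needs no database of passwords, yet a leaked serial number list still gives an attacker nothing. The `rotate-first` result is what the device should return on its WAN-facing interfaces; the LAN path is left open so the first-time setup the law presupposes can actually happen.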
FDA Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (draft guidance, 2018)
Establish a cybersecurity risk management plan and submit the related documentation
Product design and risk management documentation:
• Cybersecurity design controls
• System diagrams
• Summary of design features
• System-level threat model
• List of cybersecurity controls
• Testing report
• Traceability matrix
• CBOM (cybersecurity bill of materials)
Testing documentation:
• Device performance
• Security effectiveness of third-party OTS (off-the-shelf) software
• Credential testing
• Vulnerability scanning
• Robustness testing
• Boundary analysis
• Penetration testing
• Third-party test reports
02 International security certifications
Common Criteria: security assurance across the product lifecycle
Lifecycle stages in the diagram: security requirements → functional specification → architecture / high-level design → low-level design and implementation → prototype testing → production → delivery, installation and start-up → operation → termination
Evaluation activities mapped onto those stages:
• Development: security requirements and design; correspondence of each design level to the one above it (≥ EAL1, ≥ EAL2, ≥ EAL3) and consistency between them
• Testing: conformance / product integration testing (≥ EAL1), product black-box testing (≥ EAL2), subsystem testing (≥ EAL3), module testing (≥ EAL4)
• Production and marketing, operation and use: delivery, operation, termination
Common Criteria for IT Security Evaluation
Note that the slide's English legend lists module testing at ≥ EAL3 while the diagram says ≥ EAL4. In CC v3.1 subsystem-depth testing (ATE_DPT.1) is required from EAL3, a modular design description (ADV_TDS.3) from EAL4, and module-depth testing (ATE_DPT.3) only from EAL5.
FIPS 140-3
Cryptographic module, implemented as software, firmware, or a hardware/firmware/software combination
Security requirement areas:
1. Cryptographic module specification
2. Cryptographic module interfaces
3. Roles, services, and authentication
4. Software/firmware security
5. Operational environment
6. Physical security
7. Non-invasive security
8. Sensitive security parameter management
9. Self-tests
10. Life-cycle assurance
11. Mitigation of other attacks
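Areas 4 and 9 in that list are the ones that most often surprise product teams in a FIPS 140-3 evaluation: a module must prove its own algorithms and its own code image before it offers any service, must verify new code before loading it, and must refuse all cryptographic services once a test fails. The added example below (not a validated module and not code from the slides) shows that state machine with standard-library primitives; the code image, integrity key and their values are constructed for the example, while the known-answer vectors are the published SHA-256("abc") and RFC 4231 HMAC test values.

```python
"""Self-test behaviour of the kind FIPS 140-3 (via ISO/IEC 19790) requires:
known-answer tests and an integrity test before any service is offered, a
firmware load test for new code, and an error state that refuses services.
Added example, not a validated cryptographic module."""
import hashlib
import hmac

# Known-answer vectors: SHA-256("abc") from FIPS 180-4, and HMAC-SHA-256
# test case 2 from RFC 4231 (key "Jefe", data "what do ya want for nothing?").
KAT_VECTORS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest(),
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
    ),
}

# Constructed stand-ins for the module's code image and the integrity key fixed
# at build time (assumptions for the example, not real values).
MODULE_IMAGE = b"example cryptographic module code image v1.0"
INTEGRITY_KEY = b"example-build-time-integrity-key"
MODULE_IMAGE_MAC = hmac.new(INTEGRITY_KEY, MODULE_IMAGE, hashlib.sha256).hexdigest()


class ModuleError(Exception):
    """Raised when a service is requested outside the operational state."""


class CryptoModule:
    def __init__(self, image=MODULE_IMAGE, image_mac=MODULE_IMAGE_MAC, vectors=KAT_VECTORS):
        self.image = image
        self.image_mac = image_mac
        self.vectors = vectors
        self.state = "power-off"
        self.last_error = None

    def _fail(self, reason: str) -> str:
        # Any self-test failure moves the module to the error state; from then
        # on every service is inhibited and only the error is reported.
        self.state = "error"
        self.last_error = reason
        return self.state

    def _image_mac(self, image: bytes) -> str:
        return hmac.new(INTEGRITY_KEY, image, hashlib.sha256).hexdigest()

    def power_up(self) -> str:
        """Pre-operational self-tests; returns the resulting state."""
        # 1. Cryptographic algorithm self-tests: each algorithm passes its KAT
        #    before it is used, so HMAC-SHA-256 is proven before it checks the image.
        for name, (compute, expected) in self.vectors.items():
            if not hmac.compare_digest(compute(), expected):
                return self._fail(f"KAT failed: {name}")
        # 2. Software/firmware integrity test over the module's own code image.
        if not hmac.compare_digest(self._image_mac(self.image), self.image_mac):
            return self._fail("integrity test failed")
        self.state = "operational"
        return self.state

    def _require_operational(self) -> None:
        if self.state != "operational":
            raise ModuleError(f"service refused in state {self.state!r}: {self.last_error}")

    def load_firmware(self, new_image: bytes, new_mac: str) -> bool:
        """Conditional software/firmware load test: new code is verified with the
        approved MAC before acceptance; a failure puts the module in error."""
        self._require_operational()
        if not hmac.compare_digest(self._image_mac(new_image), new_mac):
            self._fail("firmware load test failed")
            return False
        self.image, self.image_mac = new_image, new_mac
        return True

    def mac(self, key: bytes, data: bytes) -> str:
        """An approved service, available only in the operational state."""
        self._require_operational()
        return hmac.new(key, data, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    m = CryptoModule()
    print("power-up:", m.power_up())
    print("load unsigned image:", m.load_firmware(b"unsigned image", "00" * 32), "->", m.state)
```

Two details matter for an evaluation and are reflected here: the KAT for the MAC algorithm runs before the integrity test that depends on it, and `load_firmware` never executes or stores an image that failed verification. A real module would use a digital signature or HMAC with an approved key for the integrity test and would also exercise the conditional tests (pairwise consistency on key generation, for example) that this example omits.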
IEC 62443-4-2: Technical security requirements for IACS components
Detailed technical requirements for control system components, grouped by the seven foundational requirements:
• FR 1 IAC: Identification and authentication control
• FR 2 UC: Use control
• FR 3 SI: System integrity
• FR 4 DC: Data confidentiality
• FR 5 RDF: Restricted data flow
• FR 6 TRE: Timely response to events
• FR 7 RA: Resource availability
IEC 62443-4-1 / 62443-4-2 CBTL (IECEE CB Scheme testing laboratory)
Automotive security: ISO/SAE 21434
• Defines a cybersecurity engineering process for road vehicles so that risks are identified and treated throughout the vehicle lifecycle, reducing the impact of cyber-attacks
• The final standard was published on 31 August 2021
https://www.pathpartnertech.com/an-overview-of-iso-sae-21434-road-vehicles-cybersecurity-engineering/
03 Customer requirements and industry security certifications
Amazon Alexa Voice Service (AVS)
ioXt Alliance
The mission of the ioXt Alliance is to build confidence in Internet of Things products through multi-stakeholder,
international, harmonized, and standardized security and privacy requirements, product compliance programs,
and public transparency of those requirements and programs.
CTIA IoT Cybersecurity Certification Program
Cybersecurity for Devices on Wireless Networks
This program was developed with the support of wireless operators with the goal of
voluntarily establishing device cybersecurity best practices in the wireless industry.
This is the first mobile device cybersecurity program of its kind to have the backing of
wireless operators in collaboration with technology companies and certification test
labs.
The Cybersecurity Certification Program:
• Certifies security elements of LTE and 5G devices, including those
with Wi-Fi connections
• Creates an industry best practice for IoT security on wireless
networks
• Helps protect consumers and wireless infrastructure, while creating a
more secure foundation for smart cities, connected cars, mHealth,
and other IoT applications
Cybersecurity certification for products
300+ clients have obtained product certification in 10+ countries
Product types certified:
• Smart home IoT products
• Smartphones and built-in apps
• Smart bus video surveillance
• Cloud systems
• Smart lighting
• Mobile apps
• IACS
• 5G products
• Finance
• EN 303 645
04 How manufacturers and developers should respond
Onward Security security standards library
Standards covered: IEC 62443, EN 303 645, IEC 62351, ioXt, CTIA IoT, SB-327
Requirement categories: Authentication, Physical, Firmware, Authorization, Audit, Encryption
Inputs: questionnaire, applicable standards, product type
Outputs:
• Phase 1, SR (security requirements): security feature list, owned by PM / SA / RD
• Phase 4, SVV (security verification and validation): test item list, owned by RD / QA
Critical factors for product security
Domains: IoT (consumer), ICS/SCADA, Medical, Automotive
Core factors:
• Unique password
• Vulnerability reporting (PSIRT)
• Authentication
• Secure interface
• Cryptography
• Risk management
• Software update
Domain-specific factors:
• SBOM (software bill of materials)
• Privacy protection
• SSDLC
• Fuzz testing
• Integrity
• Session management
• Audit activity
• Input validation
• Availability
• Debug interface
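An SBOM only earns its place on that list if something consumes it. The added example below (not code from the slides or from Onward Security) reads a minimal CycloneDX-style SBOM, matches each component against an advisory feed with affected version ranges, and gates the release on the worst finding, which is the mechanical form of the "no known security vulnerabilities" requirement quoted earlier from the IoT Cybersecurity Improvement Act. The SBOM, the component names and the advisories (with placeholder ADV-EXAMPLE identifiers, not real CVEs) are all constructed for the example.

```python
"""Release gate that checks SBOM components against known vulnerabilities.
Added example; the SBOM and the advisory feed are constructed stand-ins."""
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical device firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3"},
        {"type": "library", "name": "libbar", "version": "2.0.0"},
        {"type": "library", "name": "libbaz", "version": "0.9"},
        {"type": "operating-system", "name": "rtos-kernel", "version": "4.1.7"},
    ],
})

# Constructed advisory feed: each entry covers versions in [introduced, fixed).
# Identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "libbar", "introduced": "1.0.0", "fixed": "2.0.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "name": "libbaz", "introduced": "0.0.0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0004", "name": "rtos-kernel", "introduced": "4.2.0", "fixed": "4.2.9", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v: str, width: int = 4) -> tuple:
    """Dotted numeric version to a zero-padded tuple, so '4.1' equals '4.1.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_known_vulnerabilities(sbom_json: str, advisories: list) -> list:
    """One finding per (component, advisory) match, most severe first."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def release_allowed(findings: list, max_severity: str = "medium") -> bool:
    """Block the release when any finding is above the accepted severity."""
    limit = SEVERITY_RANK[max_severity]
    return all(SEVERITY_RANK[f["severity"]] <= limit for f in findings)


if __name__ == "__main__":
    found = find_known_vulnerabilities(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['component']} {f['version']} -> {f['advisory']} (fixed in {f['fixed_in']})")
    print("release allowed:", release_allowed(found))
```

Matching purely on name and a dotted numeric version is enough to show the flow; in practice the component identity should come from the SBOM's package URL (purl) so that forks and vendor-patched builds are not confused with upstream, and the version comparison should follow the ecosystem's own rules rather than a numeric tuple.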
THANK YOU
Onward Security
Contact us: contact@onwardsecurity.com
