Cybersecurity in Europe
ETSI EN 303 645
Network Information Security of New Era Technology
Today, with the rise of 5G, Industry 4.0, the Internet of Things (IoT), and the growing usage and penetration of smart devices, network security has become the next pressing issue of the technological age, and many devices are beginning to show information security vulnerabilities or insufficient security protection.
Therefore, information security, information and communication security, and most recently cybersecurity protection have become issues that receive ever more attention. How should information security compliance be achieved?
Cybersecurity for Consumer Internet of Things
With the increasing usage and penetration of smart devices, more and more consumer IoT products are connected to the Internet or to home networks. To support the management and review of network information security, the European Telecommunications Standards Institute (ETSI) released the cybersecurity and privacy protection standard ETSI EN 303 645 for consumer Internet of Things (IoT) products in June 2020. The standard mainly sets out cybersecurity requirements and data privacy protection clauses for products, and focuses on technical and organizational control measures to counter network security deficiencies, address basic network attacks that exploit security weaknesses and loopholes, and establish a baseline level of network security.
What is ETSI EN 303 645?
It is a cybersecurity and privacy protection standard for consumer Internet of Things (IoT) products, released by the European Telecommunications Standards Institute (ETSI) cybersecurity technical committee in June 2020. The standard covers the product life cycle, software and hardware security, privacy protection and other security requirements, so that IoT devices are secured and the privacy and personal information of consumers and users is protected.
The EU's follow-up plan for mandatory information security regulation:
The EU is expected to fully implement the additional provisions of the latest version of the RED Directive (2014/53/EU) in 2024. It will then be mandatory for all IoT products sold in the EU to pass an information security test in compliance with the directive.
ETSI EN 303 645 provides provisions and requirements for the security and privacy of IoT products, covering different areas divided into 13 categories:
1. No universal default passwords
2. Management and handling of vulnerability reports
3. Software updates
4. Secure storage of sensitive security parameters
5. Secure communication
6. Minimizing the exposed attack surface
7. Protection of personal data
8. Software integrity
9. System resilience to outages
10. Examination of system telemetry data
11. Making it easy for users to delete user data
12. Making installation and maintenance of devices easy
13. Validation of input data
IoT Security / Personal Information Protection Compliance Counseling
The ETSI EN 303 645 standard requirements will have a huge impact on manufacturers and accredited laboratories around the world.
-What is the content of the new directive?
-What are the differences from the previous regulations?
-Which products are applicable to the new standard requirements?
-How to meet the information security requirements?
-What is the relationship between ETSI EN 303 645/ETSI TS 103 701 and RED?
-How can manufacturers and laboratories prepare for and respond to new regulations?
The services that Glodacert can provide to customers are as follows:
1.) Education and training:
One-to-one education and training to quickly understand IoT security information.
2.) Test coaching:
You can come to the laboratory for face-to-face instruction in test methods and test operation, and introduce this technology into your own laboratory.
3.) Product testing:
Testing and certification services for IoT information security / personal data protection compliance, with credible test and certification reports.
4.) Laboratory construction guidance:
Guidance for laboratories in building the capability to deliver information security testing services, so that the laboratory can serve manufacturers or brands in need.
5.) Consulting services:
Information security-related technologies, information, and answers to questions.
About ISA/IEC 62443
ISA/IEC 62443 is a series of standards, technical specifications and technical reports meant to address the security needs of industrial automation and control systems (IACS) that make use of operational technology (OT).
The series originated from an initiative of the International Society of Automation (ISA) Committee on Security for IACS (ISA99) in 2007, and was later produced by the International Electrotechnical Commission (IEC).
ISASecure independently certifies industrial automation and control (IAC) products and systems to ensure that they are robust against network attacks and free from known vulnerabilities.
ISCI also offers an ISASecure organization process certification for product development organizations; that designation is earned by industrial control suppliers whose products demonstrate adherence to industry-consensus cybersecurity specifications for security characteristics and supplier development practices.
The ISA/IEC 62443 series of standards is made up of 14 work products (Standards, Technical Specifications and Technical Reports) that are logically grouped in four parts:
- Part-1: General
- Part-2: Policy and Procedure
- Part-3: System
- Part-4: Component
Cybersecurity in Singapore
Singapore IMDA TS Security Requirements For Residential Gateways
Singapore's Cybersecurity Strategy aims to create a resilient and trusted digital environment.
New technology products are constantly coming to market. The Cyber Security Agency of Singapore (CSA) offers and supports the use of certification schemes that give customers assurance that a product has been objectively assessed to be more cyber secure and has adopted a Security-by-Design approach throughout the product life cycle.
The three schemes, catering to different market segments, are:
1. National IT Evaluation Scheme (NITES), for evaluation and certification of IT products that meet the high assurance requirements of Singapore government agencies.
2. Singapore Common Criteria Scheme (SCCS), for certification of commercial IT products targeting the international marketplace.
3. Cybersecurity Labelling Scheme (CLS), for labelling of network-connected consumer smart devices, to enable consumers to discern the security levels in the devices and make more informed purchase decisions.
The CLS has four progressive rating levels that allow consumers to discern the level of security offered by a product and instil security consciousness when making purchases.
Cybersecurity in USA
FDA Cybersecurity in Medical Devices
Pacemakers, insulin pumps and other medical devices are becoming more advanced. Most contain software and connect to the internet, hospital networks, your mobile phone, or other devices to share information. Because of this, it is important to make sure medical devices are cybersecure.
The U.S. Food and Drug Administration regulates medical devices and works aggressively to reduce cybersecurity risks in what is a rapidly changing environment. The FDA shares this responsibility with device manufacturers, hospitals, health care providers, patients, security researchers, and other government agencies, including the U.S. Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) and the U.S. Department of Commerce.
The FDA provides guidance to help manufacturers design and maintain products that are cyber secure. And on behalf of patients, the FDA urges manufacturers to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and solutions to address them.
If a vulnerability or weakness in software, hardware or other factor that could pose a risk is identified, the FDA may issue what is called a “safety communication.” These messages contain information about the vulnerability and recommended actions patients, providers and manufacturers can take. The FDA has issued multiple cyber safety communications. The FDA wants to make these messages as helpful as possible without causing unnecessary worry or burden on patients.
This guidance document applies to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD).
The guidance is not limited to devices that are network-enabled or contain other connected capabilities. It describes recommendations regarding the cybersecurity information to be submitted for devices under the following premarket submissions:
• Premarket Notification (510(k)) submissions;
• De Novo requests;
• Premarket Approval Applications (PMAs) and PMA supplements;
• Product Development Protocols (PDPs);
• Investigational Device Exemption (IDE) submissions; and
• Humanitarian Device Exemption (HDE) submissions.
FDA will assess the adequacy of the device's security based on the device's ability to provide and implement the following security objectives throughout the system architecture:
• Authenticity, which includes integrity;
• Confidentiality; and
• Secure and timely updatability and patchability.
Security testing documentation and any associated reports or assessments should be submitted in the premarket submission. FDA recommends that the following types of testing, among others, be provided in the submission:
1. Security requirements:
a. Manufacturers should provide evidence that each design input requirement was implemented successfully.
b. Manufacturers should provide evidence of their boundary analysis and rationale for their boundary assumptions.
2. Threat mitigation:
a. Manufacturers should provide details and evidence of testing that demonstrates effective risk control measures according to the threat models provided in the system, use case, and call-flow views.
b. Manufacturers should ensure the adequacy of each cybersecurity risk control (e.g., security effectiveness in enforcing the specified security policy, performance for maximum traffic conditions, stability and reliability, as appropriate).
3. Vulnerability testing (such as section 9.4 of ANSI/ISA 62443-4-1):
Manufacturers should provide details and evidence of the following testing pertaining to known vulnerabilities:
a. Abuse case, malformed, and unexpected inputs:
(i) Robustness; (ii) Fuzz testing
b. Attack surface analysis
c. Vulnerability chaining
d. Closed box testing of known vulnerability scanning
e. Software composition analysis of binary executable files, and static and dynamic code analysis, including testing for credentials that are "hardcoded," default, easily guessed, and easily compromised.
4. Penetration testing:
The testing should identify and characterize security-related issues via tests that focus on discovering and exploiting security vulnerabilities in the product. Penetration test reports should be provided and include the following elements:
a. Independence and technical expertise of testers,
b. Scope of testing,
c. Duration of testing,
d. Testing methods employed, and
e. Test results, findings, and observations.
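Both the first ETSI EN 303 645 category (no universal default passwords) and item 3.e of the FDA testing list above (static analysis for hardcoded, default or easily guessed credentials) come down to the same review step: walk the firmware's configuration and source tree and classify every credential-looking assignment. The following is an added illustration written for this page, not code from ETSI, the FDA, Glodacert or any product. The sample configuration lines, the list of weak default values, and the keyword set used to recognise credential keys are all constructed assumptions; a real assessment would substitute the vendor's own inventory and a larger weak-password list.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of lines as they might appear in a device's firmware
# configuration or build tree; not taken from any real product.
SAMPLE_FIRMWARE_LINES = """\
# camera.conf (constructed sample)
admin_user=admin
admin_password=admin
wifi_psk=12345678
api_token="s3cr3tT0ken"
cloud_password=${CLOUD_PASSWORD}
ssh_password=
log_level=debug
"""

# Assumed list of universal / easily guessed defaults, for illustration only.
WEAK_DEFAULTS = {"", "admin", "password", "root", "default", "guest",
                 "1234", "12345678", "123456"}

# Keys whose name suggests a credential. The keyword alternation is an
# assumption; extend it for the code base under review.
CRED_LINE = re.compile(
    r"^\s*(?P<key>[\w.\-]*(?:password|passwd|pwd|psk|secret|token|key)[\w.\-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

# Values injected at provisioning time rather than baked into the image.
PLACEHOLDER = re.compile(r"^(\$\{[^}]+\}|\$[A-Z_][A-Z0-9_]*|<[^>]+>)$")


@dataclass
class Finding:
    line_no: int
    key: str
    category: str   # "empty", "weak_default" or "hardcoded"
    value: str


def scan_credentials(text: str) -> list[Finding]:
    """Classify credential-looking assignments in a config/source fragment.

    Comment lines, keys that do not look like credentials, and values that
    are provisioning placeholders are not reported. Everything else is either
    empty, a known weak default, or a value hardcoded into the image.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "//", ";")):
            continue
        m = CRED_LINE.match(line)
        if not m:
            continue
        key = m.group("key")
        value = m.group("value").strip().strip("\"'")
        if PLACEHOLDER.match(value):
            continue  # filled in per device at provisioning: acceptable
        if value == "":
            category = "empty"
        elif value.lower() in WEAK_DEFAULTS:
            category = "weak_default"
        else:
            category = "hardcoded"
        findings.append(Finding(line_no, key, category, value))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. for a test report table."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = scan_credentials(SAMPLE_FIRMWARE_LINES)
    for f in results:
        print(f"line {f.line_no}: {f.key} -> {f.category}")
    print(summarize(results))
```

On the constructed sample this reports `admin_password` and `wifi_psk` as weak defaults, `api_token` as a hardcoded secret, and `ssh_password` as empty, while `cloud_password=${CLOUD_PASSWORD}` is accepted because the value is supplied per device at provisioning, which is the pattern ETSI's "no universal default passwords" provision pushes manufacturers toward. The per-category counts are what a test report would table against the requirement.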
GSMA IoT Security
GSMA IoT Security Assessment
Promoting best practice for the secure design, development and deployment of IoT services, and providing a mechanism to evaluate security measures, the GSMA IoT Security Guidelines and IoT Security Assessment help create a secure IoT market with trusted, reliable services that can scale as the market grows.
The GSMA IoT Security Guidelines:
-Include 85 detailed recommendations for the secure design, development and deployment of IoT services
-Cover networks as well as service and endpoint ecosystems
-Address security challenges, attack models and risk assessments
-Provide several worked examples
The GSMA IoT Security Assessment:
-Is based on a structured approach and concise security controls
-Covers the whole ecosystem
-Can fit into a supply chain model
-Provides a flexible framework that addresses the diversity of the IoT market