One possible way of organizing a hierarchy of certifications. The bottom illustrates the most basic sets of rules, while the topmost box requires significant effort and resources to achieve.
Points
- Semiconductor Engineering's assessment of the current state of IoT security (in particular, IoT certification). The various developments around IoT security are described concisely. A must-read!
- Article structure:
  - Intro
    - Security regulations for Internet-of-Things (IoT) devices are evolving around the world, but there is no consistent set of requirements that can be applied globally — and there may never be.
  - Scaling down for IoT security
  - Scaling up for IoT security
  - Governments set the basics
    - National Institute of Standards and Technology (NIST) 8259A, 8259D
    - NIST FIPS 140
    - US IoT Cybersecurity Act of 2020, Cyber Shield Act
    - ETSI EN 303 645
    - The EU also passed its own European Cybersecurity Act. It strengthens ENISA.
    - ISO is likely to unify the U.S. and European approaches via ISO 27402. China, meanwhile, has its own OSCCA organization.
  - Industry consortia pick up from there
    - Common Criteria - but it is a heavyweight system typically used for smart cards and trusted execution environments (TEEs)
    - A variety of standards groups
      - IoT Security Foundation (IoTSF) - establishes basic guidelines and an approach for self-certification
      - Arm and its ecosystem partners - PSA Certified (Platform Security Architecture)
      - GlobalPlatform - SESIP (Security Evaluation Standard for IoT Platforms)
        - still silicon-focused, but more extensive than PSA
        - a lightweight version of Common Criteria
        - Given certification to the SESIP PSA profile, a device can achieve both SESIP and PSA certification. The reverse is not true, however: PSA certification alone would not qualify for SESIP certification.
      - ioXt (Internet of Secure Things) - system level. Focuses on the IoT at scale. It's a "composite" approach that accepts component and module certifications when certifying the entire device.
  - Rigor and metrics — or not
  - Setting expectations
  - What are developers to do?
  - What about IoT consumers?