Smart Card Guy

Smart Card / Java Card, Cyber Security, IoT Device Security, Root of Trust, Standardization, etc.

IoT Security related article - IoT Security: Confusing And Fragmented (2021/07)


One possible way of organizing a hierarchy of certifications. The bottom illustrates the most basic sets of rules, while the topmost box requires significant effort and resources to achieve.


  • Semiconductor Engineering's review of the current state of IoT Security (in particular IoT Certification). The various IoT Security initiatives are described concisely. A must-read!
  • Article structure:
    • Intro
      • Security regulations for Internet-of-Things (IoT) devices are evolving around the world, but there is no consistent set of requirements that can be applied globally — and there may never be.
    • Scaling down for IoT security
    • Scaling up for IoT security
    • Governments set the basics
      • National Institute of Standards and Technology (NIST) 8259A, 8259D
      • NIST FIPS 140
      • US IoT Cybersecurity Act of 2020, Cyber Shield Act
      • ETSI EN 303 645
      • EU also passed its own European Cybersecurity Act. It strengthens ENISA
      • ISO is likely to unify the U.S. and European approaches via ISO 27402. China, meanwhile, has its own OSCCA organization.
    • Industry consortia pick up from there
      • Common Criteria - But it is a heavyweight system typically used for smart cards and trusted execution environments (TEEs)
    • A variety of standards groups
      • IoT Security Foundation (IoTSF) - establishes basic guidelines and an approach for self-certification
      • Arm and its ecosystem partners - PSA Certified (Platform Security Architecture)
      • GlobalPlatform - SESIP (Security Evaluation Standard for IoT Platforms)
        • still silicon-focused, but is more extensive than PSA
        • a Lightweight version of Common Criteria
        • Given certification to the SESIP PSA profile, a device can achieve both SESIP and PSA certification. The reverse is not true, however: PSA certification alone would not qualify for SESIP certification.
      • ioXt (Internet of Secure Things) - system level. Focuses on the IoT at scale. It’s a “composite” approach that accepts component and module certifications when certifying the entire device.
    • Rigor and metrics — or not
    • Setting expectations
    • What are developers to do?
    • What about IoT consumers?