Mapping Edge Computing Standards to SESIP
By Carlos Serratos, SGS Brightsight
The objective of developers of Internet of Things (IoT) devices is to bring to market products that aim to operate a specific use case (home appliance, automotive, industrial, entertainment, etc.). When this use case does not have a security or safety purpose, developers focus more on functionality, usability, and performance than on security, a domain in which they generally have limited competency. However, security increasingly becomes a concern in the IoT space, as devices, users, and service providers are subject to a growing number of attacks. The consumers of those devices and services, in consumer and enterprise markets, are directly affected by these security shortfalls.
As IoT device developers implement protection mechanisms in their products to raise the consumers’ trust, it is important to verify that those mechanisms are adequate through self-assessment or formal evaluation by a third party, a process that can increase costs and delays.
The possibility of adding specific security functionality by integrating existing security components into their devices helps IoT device developers to focus on their core job and to rely on security specialists to bring the necessary protection mechanisms to their devices. However, IoT device developers need to ensure that the security components they integrate have been properly evaluated to prove they offer the necessary level of protection against the threats they are intended to counter.
On the other side, for security component providers, the methodology used to evaluate their security products needs to ensure that the time, effort, and cost invested in such evaluation are acceptable to guarantee the affordability and timeliness of their products.
The GlobalPlatform white paper about SESIP Composition outlined the importance of reusing evaluation results to support the certification IoT products which are more and more built as composite products assembling several lower-level components.
As the number of IoT devices grows rapidly, with predictions ranging from 50 to 70 billion by 2025, up to 1 trillion by 2035, the number of security incidents involving IoT products grows accordingly. This increase of incidents results in consumer distrust, which is a major inhibiting factor to the deployment of billions of IoT devices in the coming years.
Solving IoT device security at scale through standards
In a blog, Microsoft addressed the same problem, where Internet of Things (IoT) solution builders are more likely to deploy IoT solutions with unsecured devices because they cannot verify device security claims from device makers.
Solution builders could create secured devices themselves, however they don’t because they either lack domain expertise or simply prefer to buy devices off-the-shelf. Device makers possess the requisite expertise to secure devices, but lack ability to convey details.
For example, language constructs such as conveying computation, storage, and power profiles of an Industrial PC (IPC), are simply not available for security. Device makers therefore see no motivation to invest in securing devices if they can’t claim the value—hence the current stalemate. Our studies and observations show this stalemate exists for two reasons:
• Lack of standards guiding how to holistically engineer and claim device security.
• Lack of standards guiding how to consume and verify device security claims.
This drove the creation of the ECN PP: In the context of Internet of Things (IoT), an Edge Compute Node (ECN) is a piece of hardware and software located between a network of IoT leaf devices (an IoT network) and an IoT Edge Cloud. It has the capability of performing local processing of data from IoT leaf devices through a runtime environment offered to developers and of acting as a bridge between the IoT Edge Cloud and IoT leaf devices.
Great minds think alike
Both, the ECN PP and SESIP take a very similar path looking to simplify the work of IoT developers, providing guidance for developers on how to holistically engineer and claim device security, as well on how to consume and verify device security claims.
The simplification and convergence of this effort is an example of cooperation, reducing the effort for adoption, facilitating the access to secure solutions, and providing a path for IoT developers to adopt best practices using international standards.
The GlobalPlatform SESIP Sub Task force has undertaken the mapping between ECN PP and SESIP. The drivers and expected benefits of this work item are around two forms of composition:
• Lower composition, provides a path for making use of SESIP certified components and platforms for showing readiness towards this PP, reducing the effort for developers looking to achieve ECN PP certifications under CC
• Upper composition, as the mapping of the ECN PP using SESIP can be linked towards other standards like 62443, while maintaining the CC trust mark.
Keep posted to this channel for updates on this collaboration, as well other activities from the SESIP team like the upcoming whitepaper on SESIP benefits.