IoT security vulnerabilities continue to pose a risk to people, organizations and society. In response, new cybersecurity regulations and requirements are mandating stronger protection for IoT devices.
This is needed, but it also creates challenges: to comply, device makers and non-security experts must identify and understand relevant security requirements, implement appropriate technology, and demonstrate the security features of their IoT devices.
The problem
For an OEM, undertaking multiple security evaluations for a single IoT device increases costs, time to market and effort. This approach is unsustainable. In turn, it increases the risk that devices will be deployed without the appropriate levels of security.
The solution
We need to make IoT device security economically viable for the entire value chain. The best way to achieve this is to address risks at the core by building IoT devices with platforms and components that have already been security certified.
The result
By using certified components with in-built security assurances, device makers can integrate, manage and demonstrate security without incurring additional cost, effort, or time-to-market. This drives down the total cost of ownership, and provides assurance that devices are secure by default.
What is SESIP?
The Security Evaluation Standard for IoT Platforms (SESIP) is a methodology that reduces the cost, complexity and effort of security evaluation and certification.
It utilizes the concepts of composition and reuse, so that previously certified components can be used to build a device with in-built security assurances, without having to repeat the same evaluations in every targeted market.
The methodology maps to other standards and requirements from bodies including ETSI, ISO/IEC and NIST, which demonstrates a risk-based design approach and helps lower barriers to entry.
Reduce costs
Save money by not having to pay for the same evaluation multiple times. SESIP certificates can be re-used to provide security evidence and meet multiple requirements.
Minimize time & effort
Implement and demonstrate security that is fit-for-purpose without having to become a security expert. SESIP-certified components provide in-built security assurances.
Grow your business
Seize market opportunities. SESIP lowers barriers to entry by simplifying compliance with regional and market requirements including RED, CRA, US Trust Mark, Singapore CSA CLS, IEC 62443 and ISO 21434.
Manage risk
Demonstrate that a risk-based design approach has been taken when developing your IoT device. SESIP enables the identification, understanding and implementation of certified security requirements.
Demonstrate value
Use security features to differentiate your products and empower your customers to make better, more informed decisions. SESIP provides evidence of security-by-default.
Quantifying the benefits of SESIP
How can we measure the value of SESIP? Read our whitepaper to learn how the benefits of SESIP can be quantified in terms of the cost, effort, and duration of evaluations.
Already adopting SESIP?
For companies that are not GlobalPlatform members but that would like to be kept informed about the latest GlobalPlatform SESIP developments and technical documents, and showcase their certified products in line with the SESIP trademark license agreement, GlobalPlatform has created a ‘SESIP Adopters’ community. View the agreement and apply here.
This document specifies requirements for the security evaluation of IoT platforms and parts thereof, including in particular a set of Security Functional Requirements, and the definition of Security Assurance Requirements packages that define five assurance levels. These requirements are based on the Common Criteria standard (ISO 15408, v3.1), which this document refines for the specific purpose of evaluating IoT platforms and parts thereof. The set of documents also includes the definition of a scheme based on these requirements, which defines management rules such as the management of certificates and the accreditation of Certification Bodies and Laboratories.
SESIP Mappings enable the reuse of SESIP evaluation results, helping device makers to demonstrate that a SESIP certificate answers to a specific regional or market scheme, regulation or requirement.
GlobalPlatform is managing the governance of the SESIP methodology, to ensure SESIP evaluations are carried out consistently, that there is alignment between Laboratories and Certification Bodies, and to facilitate the harmonization of SESIP standards and procedures.
The SESIP Governance document describes the governance process for the methodology. The document specifies the competencies and accreditations required for the Certification Bodies and for the Laboratories performing evaluation activities, and the process that a Certification Body (CB) shall follow to issue a certificate of compliance.
Education
Access a library of free educational videos and whitepapers, to learn how SESIP can be used and the benefits it delivers.
Training
Learn about the SESIP methodology, its market applicability, composition, and Governance with our training for product vendors, regulators, scheme owners and labs.
The SESIP Committee
The SESIP Committee sets the strategy and delivers initiatives to support the adoption and recognition of SESIP as a worldwide, multi-vertical scheme for security evaluation.
SESIP Governance
GlobalPlatform members can join the governance working group, which is responsible for harmonizing the applicability of SESIP and driving mutual recognition across public and private schemes.
Technical Documents
GlobalPlatform members can join the technical working group, to contribute to the creation of SESIP security profiles and mappings to other schemes, requirements and regulations.
Ecosystem Adoption
GlobalPlatform members can join the ecosystem adoption working group to drive awareness of, and engagement with, SESIP and its benefits through marketing and communications activity.
The legal and technical forms applicable to each type of certification are provided below. For information on the procedures to be completed by a Certification Body or Laboratory to join the SESIP licensing program, read GlobalPlatform's SESIP Governance.
Participation Forms | Product Vendor | Laboratory | Certification Body |
---|---|---|---|
GlobalPlatform SESIP Security Lab Agreement | | | |
Trademark License Agreement | | | |
GlobalPlatform SESIP Certification Body Relationship Agreement | | | |
GlobalPlatform SESIP Certification Body Request Form | | | |
GlobalPlatform SESIP Adopter Agreement | | | |