SESIP Seminar: addressing fragmentation in device security certification
Our SESIP Seminar in Barcelona brought together security experts from CEN / CENELEC, ECSO, ENISA, ETSI, Eurosmart and NIST as well as industry leading companies including Microsoft, Amazon Web Services, Winbond, STMicroelectronics, SGS Brightsight and more for a day of thought-provoking talks, case study presentations and panel discussions. This blog explores some of the key takeaways from the day.
Stakeholders from throughout the IoT and device security ecosystems gathered in north-eastern Spain and joined us virtually on October 19, 2022, for the second edition of our Security Evaluation Standard for IoT Platforms (SESIP) Seminar Series. Delegates discussed how the SESIP methodology is reducing complexity in security evaluation processes and delved further into how it aligns and maps with other important industry standards.
Session One – the IoT landscape and addressing fragmentation
Opening the seminar, GlobalPlatform Chair, Stéphanie El Rhomri outlined the current state of the IoT landscape. She spoke about bringing stakeholders under the common goal of enhancing security and certification, stressing the importance of representation and collaboration throughout the ecosystem.
The first presentation of the day was delivered by Eve Atallah, Security Evaluation Engineer at NXP. She began by giving an overview of the challenges facing the IoT ecosystem as the number of connected devices continues to proliferate. By harmonizing standards, enabling the reuse of certification through composition, and mapping to the functional security requirements of other schemes, Eve explained how the SESIP methodology is reducing fragmentation in IoT security certification, as well as evaluation costs and time to market for IoT developers.
Eve was followed by Miguel Bañón from CEN / CENELEC. His keynote offered insight into how CEN / CENELEC was supporting EU cybersecurity through its SESIP-based EN 17640 specification. He invited the audience to look out for the specification becoming a European standard in summer 2023.
The second keynote speaker of the day was Sławomir Górniak, speaking on behalf of ENISA as its Senior Cybersecurity Expert. Sławomir gave the audience an overview of current European cybersecurity legislation before offering his outlook for the future and outlining ENISA’s current work on legislation including the Cyber Resilience Act and the European digital identity wallet.
Session Two – the challenges of achieving security and maintaining multiple certifications
Nir Tasher, Chief Technical Officer of Winbond, then spoke about the challenges of achieving security levels that meet the needs of the product and market, and present value for money. He stressed the need to ensure security is more accessible without incurring more costs, and revealed that, by following SESIP guidelines, Winbond customers had enhanced capabilities when tailoring secure data storage solutions to their own unique requirements.
Roberto Cascella, Head of Sector at the European Cyber Security Organisation (ECSO), spoke next to discuss the challenges of maintaining compliance and multiple certification requirements that vendors face. He explained how through maintaining a supply chain of trust based on composite component certification, enhanced efficiencies in device certification could be achieved.
The first panel of the day explored the opportunities for SESIP within European Cybersecurity. Moderating the session was GlobalPlatform Technical Director, Gil Bernabeu. He was joined by Miguel, Roberto and Sławomir as well as Samim Ahmadi (Vice Chairman, ETSI TC Cyber), John Boggie (Head of Cybersecurity Certification, Eurosmart), and Paul Watrobski (IT Specialist, National Institute of Standards and Technology). The group discussed how as the IoT device ecosystem expands, composition will play a leading role in building products that can meet nuanced security requirements, and the SESIP methodology in unifying security schemes and creating a standard that can work for everyone.
In the final session before lunch, Bruno Mussard, Senior Marketing Manager at STMicroelectronics, provided insight from our first case study of the day. He discussed PSA Certified using SESIP, following the microcontroller journey from basic security to AEM PSA l3 & SESIP3 security certification. He noted the value of SESIP in facilitating compliance with multiple certification schemes thanks to its clear mapping.
Following this case study, delegates broke for lunch, giving them an opportunity to network as well as speak with our platinum sponsor Winbond, gold sponsor STMicroelectonics and supporting sponsor SGS Brightsight.
Session Three – mapping to security standards and empowering stakeholders
After the lunch break, Olivier Van Nieuwenhuyze, Security Lobbying and Standardization Senior Manager at STMicroelectronics, delivered his keynote presentation on mapping SESIP to security standards. He noted the pragmatic approach to security and privacy provided by EN 303 645, and how SESIP provided mapping to such standards to facilitate provisioning identification at a decreased cost.
Rob Coombs, Director of IT Security at Arm and Vice Chair of PSA Certified spoke next, giving his case study on PSA Certified’s use of SESIP. He addressed some of the challenges the ecosystem had faced with previous protection profiles that used common criteria, before explaining how SESIP now provides the standardisation needed to make certification more efficient. He concluded that SESIP device-level profiles encouraged OEMs to create their own threat models, allowing them to better understand their own device security issues.
The next case study was given by Daniel Gross, Senior Developer Advocate, from Amazon Web Services (AWS). He offered insight into AWS’s FreeRTOS open-source project, explaining that SESIP helped expediate the certification process by allowing users to certify each level of the technology stack individually – rather than as a whole – which greatly reduced the overall product delivery risk.
Session Four – SESIP for all stakeholders
Following a short break, Eustace Asanghanwa, Principal Program Manager at Microsoft, explained the steps being taken to address the security of both critical infrastructures, and increasingly of consumer electronics. His case study looked at how device manufacturers were most exposed to compliance fragmentation and increasingly on the hook for compliance by solution builders. He discussed how SESIP helped to address this and offered benefits of scale across different verticals which helped stakeholders take control of certification.
The day ended with one final panel discussion on the value of SESIP to different stakeholders. Moderated by Xavier Vilarrubla (SGS Brightsight), the panel was composed of Bruno, Eustace and Rob, as well as Bernie Rietkerken (Senior Sales and Business Development Manager, Riscure) and Wouter Slegers (CEO, TrustCB). They considered how SESIP is delivering a scalable approach to IoT security, and how SESIP certifications can be used to demonstrate the required levels of robustness against various types of attack enabling stakeholders with a platform that offers end-to-end security.
Finally, I closed the seminar by stressing the need for collaboration throughout the IoT ecosystem to simplify and streamline certification without compromising on security. I’d like to once again thank all our speakers and sponsors for their support in making this seminar such a success, and I hope you all will be able to join us for our next SESIP Seminar on November 30 in Taiwan.