SESIP – the building blocks to certified IoT products for Certification Bodies, regulators, laboratories, and device makers.
By Gil Bernabeu, Technical Director of GlobalPlatform
‘Complexity is the enemy of security’.
This maxim applies to almost every aspect of technology, but it is particularly relevant in IoT and may explain why, according to some claims, only 4% of devices are deployed with sufficient security. The volume and complexity of connected devices, combined with varying regulations and certification frameworks, is creating challenges for IoT stakeholders to validate the security of their products. And this problem is only getting worse as devices get more complex.
As the IoT ecosystem evolves and secure components are used to power more use cases - healthcare, smart homes, and connected cars - there will be a growing number of risks and regulations to answer to. Certification will be critical to ensuring trustworthy solutions are deployed, however, evaluation needs to happen in a uniform way to ensure consistency and avoid even more complexity. The ecosystem must remember that device makers may not be security experts, and more schemes could make it challenging for them to identify the right requirements, security measures and evaluation approaches for their products. The good news is that today’s connected products are made up of secure bricks developed by only a few providers. The issue to solve, however, is how to help device manufacturer to use these platform parts correctly and answer to the security needs of different IoT verticals. While there is an opportunity to achieve good results quickly, it requires a consistent methodology and collaboration across the IoT ecosystem to implement it.
SESIP - A simple approach for complex solutions
The Security Evaluation Standard for IoT Platforms (SESIP) is addressing the scale and complexity of security certification for the IoT ecosystem. It offers an optimized approach to security evaluation designed specifically for IoT platforms and their parts. What’s more, it enables composite evaluation of IoT products, meaning components that have been certified for one particular use case can be reused to answer the requirements of another market. This optimizes the process, and reduces the cost and time, of security evaluation for device makers. Additionally, by mapping to other security requirements like NIST, ISA/IEC 62443 and ETSI/EN 303 645, SESIP defines assurance levels that are mutually recognizable and can be reused across multiple market-specific schemes, therefore achieving scale.
However, while SESIP is responding to the needs of the evolving IoT ecosystem, it can only be used efficiently if it is understandable and accessible to all stakeholders. Device makers must be able to validate their solutions meet required levels of assurance. Certification Bodies and large technology providers need support in establishing certification schemes and onboarding authorized labs. And end-users must be able to clearly understand what has been certified so that they can trust the products they are using.
SESIP - A ready-made methodology to build IoT security evaluation schemes
Having published its methodology earlier this year, GlobalPlatform is now working to provide device makers and Certification Bodies with the guidelines they need to adopt SESIP. Our goal is to create a network of SESIP laboratories, SESIP Certification Bodies and device makers, and facilitate collaboration between them, to ensure the methodology is accessible, maintained and consistently applied. In bringing Certification Bodies together, we are also putting the architecture in place to enable cross recognition of their respective certificates to simplify ‘certification by parts’.
I want to use SESIP to certify my IoT device…
The SESIP methodology focuses on the main features and functionalities of IoT devices, making it easier to certify by combining certifications for constituent parts to achieve an overall device certification. The methodology has been created to answer many of the existing global, regional, and vertical requirements. This means device makers can use the methodology to identify the certification level that best aligns with their use cases, and understand the security requirements of achieving a higher security certification.
To achieve all this, we have established a SESIP Working Group that is connecting with key industry bodies and regulators to define their requirements and develop SESIP Protection Profiles to answer specific market requirements. This approach will help component and device manufacturers within GlobalPlatform to identify the requirements of different markets and develop products that meet them in a secure way.
The next step is to build a network of laboratories to carry out SESIP assessments consistently. GlobalPlatform is therefore creating training documents and frameworks to help improve the methodology and provide an efficient and swift solution for security labs to offer evaluation. While this isn’t an easy task, it is one that we are well positioned to take on to support both labs and scheme providers. GlobalPlatform has many years of experience establishing and managing certification programs and training independent laboratories. As such, our member laboratories will soon be ready to support the SESIP methodology, and those that engage in GlobalPlatform can work with them to define their requirements and establish their own schemes.
I need to build a SESIP certification scheme…
GlobalPlatform is here and ready to help Certification Bodies, and device makers seeking to manage the evaluation of their device ecosystems, in adopting SESIP and establishing certification schemes using the methodology.
The organization can offer existing documents, sample Protection Profiles and approaches on establishing schemes that support the SESIP methodology. Certification Bodies can also either onboard an existing GlobalPlatform laboratory or the organization can assist in training and certifying new labs.
In summary, SESIP provides an ideal foundation to deliver trust to the IoT sector. By building on the SESIP methodology and creating new documents and frameworks that align with it, we are well on our way to creating a ready-made ecosystem and the building blocks to deliver an industry-wide consistent approach. GlobalPlatform is now calling on industry bodies, Certification Schemes and security laboratories to engage with us to drive this work forward. To learn more, download the methodology from our website and contact email@example.com to get involved.