VIEW ON THE IOT ENVIRONMENT
The Internet of Things (IoT) is truly a holistic concept, resulting from the fact that the world is becoming more and more connected. The combination of “smart” devices, the mobile or web applications used to interact with them, and the cloud services that allow them to connect with each other leads to the development of overlapping IoT ecosystems. Therefore, even if differences in products and solutions occur across the various verticals, the security of IoT solutions can be addressed in an efficient way by making use of these building blocks.
The IoT domain is increasing at an accelerating speed across existing verticals, while at the same time expanding and interconnecting with new domains. In this dynamic environment, security threats need to be addressed structurally and simultaneously from an early design stage. Secura's IoT Security Lab expands across all the relevant verticals of the IoT ecosystem, allowing the manufacturers and developers to stay in control of their security.
Secura has worked in information security and privacy for nearly two decades. This is why we uniquely understand the challenges that you face like no one else and would be delighted to help you address your information security matters efficiently and thoroughly. We work in the areas of people, processes and technology. For our customers we offer a range of security testing services varying in depth and scope.
IN CONTROL WITH SECURA
[Figure: Secura IoT Security Lab, showing the IoT building blocks (devices, web/mobile applications, cloud service)]
APPROACHING IOT SECURITY
In line with the drawing above, the IoT Security Lab of Secura addresses each particular type of element in the IoT environment, thereby supporting the whole supply chain of an IoT solution. We believe that designing specific services for specific target groups is essential in addressing the specific security needs across the supply chain. Moreover, by directing the services at specific targets and tailoring the assessment scope towards domain-specific objectives, the resulting level of assurance is as high as possible. Finally, we strongly believe that security is best addressed by relying on internationally recognized publications that define requirements and metrics. Because of that, for all the elements addressed, our services include the option of standardized assessments and certification.
The services provided by the lab focus on the IoT building blocks: devices, web/mobile applications and cloud connectivity. For each of these building blocks, Secura provides a complete and flexible service offering, including:
• Design reviews and threat modelling: Tailored reviews of the specific solution, highlighting specific risks and design vulnerabilities. This includes services such as documentation review, source code review, security-by-design training or security audits.
• Training courses: Courses given by our experts on topics such as Automotive Security, ICS/SCADA Security or Embedded Devices Security.
• Advisory and audit: Services carried out by experienced and certified auditors (REs), aimed at assessing and validating the security-related processes implemented within your organization.
• (Standardized) testing: Assessing the presence and sufficiency of implemented security features, in line with relevant international publications. The testing is performed in a tailored way, by selecting the relevant requirements from the publications considered.
• Compliance and certification: Ensuring security by testing in line with the applicable requirements of relevant international publications (e.g. IEC 62443, IoT Security Foundation Framework, OWASP Testing Guide), while also offering support for security certifications or regulations.
In particular, this factsheet will mostly focus on services related to security testing, compliance and certification of IoT products from the various verticals in scope. These verticals are summarized in the table below.
SECURA IOT SECURITY LAB SERVICES
VERTICALS (INDUSTRIES)
• Industry specific (Devices & Systems): Testing, Compliance and/or Certification for Consumer IoT, Medical Devices, Industrial Control Systems, Smart Vehicles, Financial and Payments, Telecom
• Industry agnostic: Testing, Compliance and/or Certification for Web/Mobile Apps, Cloud
CONSUMER IOT
The market for consumer products is expanding continuously at a very fast pace. Smart gadgets used either inside homes (e.g. smart cameras, smart doorbells) or as personal devices (e.g. wearables) provide functionalities designed to improve the user experience and make everyday tasks easier. However, together with these advantages, the cybersecurity risks associated with these devices are increasing as well. Moreover, as the end products interact with web/mobile applications and upload/retrieve data from the cloud, the attack possibilities increase considerably.
Secura can support you with security assessments covering many dimensions of the consumer IoT ecosystem. The security of these products can be assessed in line with internationally recognized publications, ensuring an assessment which takes into account all the various security-relevant aspects (e.g. hardware, operating system, applications, interfaces, authentication/authorization). For such assessments, Secura makes use of an IoT security assessment framework built by overlapping the security requirements of state-of-the-art publications such as the IoT Security Foundation Framework, IEC 62443, the OWASP IoT Testing Guide and the GSMA IoT checklist. This framework provides a holistic approach to security assessment, by including requirements addressing hardware (physical) security, operating system and application, interfaces, cloud and mobile connectivity, and process-specific requirements such as life cycle or privacy.
From a compliance perspective, demonstrating that your product’s security follows the internationally recognized requirements of publications such as the IoT Security Foundation Framework, the UK Consumer IoT Code of Practice or IEC 62443 can represent a strong market advantage. Secura can also support you in obtaining official recognition of your product’s security through the IoT Security Foundation Best Practices certification.
More details concerning the types of services and specific security testing can be obtained from the dedicated factsheet on IoT product security.
INDUSTRY SPECIFIC IOT SECURITY
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Secura IoT testing framework (IoT SF, IEC 62443, GSMA, OWASP IoT)
• Compliance: IoT Security Foundation, IEC 62443, UK Code of Practice
• Certification: IoT Security Foundation certification
MEDICAL DEVICES
The healthcare domain is becoming increasingly connected with the introduction of personal and hospital smart medical devices and systems. These systems have the advantage of providing smart features, allowing patients to be more in control of their personal health. At the same time, the possibility of interconnecting these systems or devices introduces exciting new possibilities. For example, a connected glucose monitor can generate data which the patient can access using a mobile app, in order to better control the amount of glucose in the body, as well as general nutrition. Of course, all of these features also come with cybersecurity risks. Considering also the high (potentially life-threatening) impact of medical devices, it is crucial to be able to control these risks.
Secura can support you with standardized security testing, in line with internationally recognized publications (e.g. IEC 62443, UL 2900). This ensures that the testing activities carried out on the medical device or system cover the security of the device in a state-of-the-art way. The standardized testing services cover the security of medical devices from multiple perspectives, by addressing issues such as authentication, user authorization, interface security and session control, protection of data at rest and in transit, and secure software updates.
At the same time, Secura can support you in preparing for FDA or EU medical device approval, by executing security testing in line with the requirements of these regulations, and by helping with the development of the required documentation.
More details concerning the types of services and specific security testing can be obtained from the dedicated factsheet on medical devices security.
INDUSTRIAL CONTROL SYSTEMS
Smart Industrial Control Systems (ICS) are increasingly being used in both manufacturing environments and critical infrastructures. These systems rely on products such as PLCs, DCSs and HMIs, which are used to monitor and control a specific system or process. Especially since these types of products are designed for long lifespans, it is important that the security features they provide are sufficient to protect against high risks.
For assessing ICS components and systems, it is important to ensure a security-by-design approach towards including sufficient security features. The security features can be tested in line with internationally recognized standards such as IEC 62443. This standard can be used to assess the security of either individual components or systems made up of components (e.g. a system composed of a DCS and an HMI). During such an assessment, various elements of security are assessed, such as user authentication and authorization, protection of transferred and stored data, security of software updates and security of communication interfaces.
Demonstrating compliance with this standard can represent a valuable way to ensure that the products are protected against state-of-the-art practical attacks.
More details concerning the types of services and specific security testing can be obtained from the dedicated factsheet on ICS/SCADA security.
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
Medical devices:
• (Standardized) testing: Secura Medical devices testing framework (IEC 62443, UL 2900, FDA guidelines)
• Compliance: IEC 62443, FDA, EU regulations
Industrial Control Systems:
• (Standardized) testing: Secura ICS SCADA product testing framework (IEC 62443, UL 2900)
• Compliance: IEC 62443
SMART VEHICLES
Modern vehicles contain extensive amounts of smart features which enable them to connect (to the Internet, to other vehicles (V2V), or to various infrastructure elements (V2X)) and to offer users a more pleasant experience. Similar to other domains involved in the IoT ecosystem, the connectivity capabilities of smart vehicles also open doors to cybersecurity risks. Regulations addressing the safety and performance of cars have been in place for decades. Regulations concerning cybersecurity aspects have, however, been absent, and are currently only in the drafting phase. This means that the responsibility for maintaining a secure development, production and post-production process lies with the car manufacturers. Recent examples of practical hacks in the field (e.g. the Jeep attack) demonstrate that cybersecurity is something which manufacturers cannot afford to ignore.
Secura has designed services addressing the whole smart vehicle ecosystem. The security of cars or their high-risk systems can be assessed by making use of relevant international publications, such as ISO 21434, IEC 62443, the US Department of Transportation framework or the ENISA Smart Cars best practices. By following such standardized assessments, Secura can assure manufacturers that their vehicles or subsystems comply with the relevant state-of-the-art security measures, reducing the risk of a security incident. Examples of security measures in scope of an assessment include authorization, authentication, vehicle interface security, separation of internal sensitive networks (e.g. by isolating the various CAN communications), and secure software updates.
At the same time, Secura is at the forefront of international cybersecurity regulations related to the automotive domain. Secura can support you in preparing for the upcoming regulations (such as the UN/ECE regulations on Cybersecurity and Software Updates), including the preparation of the required documentation and the performance of the required testing and documentation review. This allows manufacturers to stay in control of their security processes, and to ensure that they can satisfy the requirements of the regulations from the moment they are enforced.
More details concerning the types of services and specific security testing can be obtained from the dedicated factsheet on automotive security.
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Secura Automotive testing framework (IEC 62443, ISO 21434, US Department of Transportation, ENISA smart cars best practices)
• Compliance: IEC 62443, ISO 21434
• Certification: UN/ECE regulations on Cybersecurity and Software Updates
FINANCIAL AND PAYMENTS
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Tailored testing services
• Certification: Support on certification preparation (building documents, pre-evaluation), e.g. PCI DSS and PTS
Financial services are one of the critical infrastructures of a nation. The whole ecosystem contains a complex combination of banking services, payment devices and the infrastructures used to communicate between all involved elements. With the purpose of offering an enhanced user experience, most banks nowadays make use of mobile and web applications, allowing users to remotely access their accounts and perform transactions. At the same time, payment devices (such as payment terminals or ATMs) offer many modern payment methods (such as mobile payment with NFC technology), designed to reduce effort and improve the user experience.
In this complex ecosystem, Secura has designed services aimed at supporting most of the involved actors. For payment device manufacturers, initial threat models and architecture reviews (for both hardware and software security) can ensure that the products include sufficient security elements. Penetration testing activities can confirm that the devices include sufficient security features. At the same time, support in building certification-specific documentation (e.g. PCI PTS) can be offered.
SMART COMMUNICATIONS
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Secura Network devices testing framework (IEC 62443, Common Criteria Network Devices Protection Profile)
• Compliance: IEC 62443
• Certification: BSPA, Common Criteria (support)
Communication products and infrastructures are the backbone of what we call IoT. Network elements such as routers, switches, VPN gateways or data diodes allow other devices to connect to each other and to the Internet. Because of this, the cybersecurity risks associated with these network elements and the infrastructures which connect them (leading to the creation of WANs) can have high impacts and affect a large number of people.
Secura provides assessment services designed to highlight possible issues with these types of products and infrastructures. Standardized testing activities can be performed on products and networks, addressing security features such as encryption mechanisms, secure storage, physical security, authentication and authorization.
Finally, in the case of network products, the highest level of assurance can be obtained by means of certification. Secura can support you in delivering the Baseline Security Product Assessment (under NLNCSA) or support the process of obtaining a Common Criteria certification, enabling you to highlight the security of your products.
INDUSTRY AGNOSTIC IOT SECURITY
Besides domain-specific products, there are many solutions designed to be sector agnostic. For example, a chip manufacturer would prefer its products to be embedded into many different IoT applications, from consumer products to higher-risk payment devices. At the same time, solutions such as web/mobile applications or cloud platforms provide essentially similar functionalities from the perspective of the users, independent of the particular domain in which they are used.
SECURE WEB AND MOBILE APPLICATIONS
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Secura Web and mobile applications testing framework (in line with the OWASP Testing Guide)
• Certification: OWASP ASVS, OWASP MASVS
Web and mobile applications allow users to interact with and control the smart “things”, and are therefore at the heart of IoT. While different risks apply to different use cases (e.g. for a payment application the risks are different than for a smart doorbell application), the assessment methodology can be made horizontal, by validating security against internationally recognized standards and best practices.
Secura makes use of the OWASP Application/Mobile Testing Guide to assess the security of these applications. As a result, tailored services can be provided, in the form of black/grey/crystal box investigations, approaching the security of the app from a real-life hacker’s point of view. Examples of tests in scope of these services include security topics such as authentication, authorization, client-side testing, configuration and deployment management, cryptography, identity management, data validation and session management.
At the same time, assessing the security compliance of these applications in line with recognized standards such as the OWASP Application/Mobile Security Verification Standard goes deeper, addressing technical security testing as well as elements of the development lifecycle (such as threat modelling, secure coding, etc.). The diversity of the solutions offered gives customers the flexibility to choose the best approach for assessing their software, in line with their needs and testing appetite.
SECURE CLOUD PLATFORMS
(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION
• (Standardized) testing: Secura Cloud testing framework
• Certification: CSA STAR, Eurocloud StarAudit support
Cloud platforms allow the smart “things” to connect to each other, and to share and store data. Therefore, they represent one of the backbones of IoT. At the same time, due to the sensitive data that is transferred, stored or processed by these platforms, their cybersecurity becomes one of the most important aspects.
Secura can support both IoT developers and cloud service providers by performing tailored penetration testing on specific cloud platforms, addressing security topics such as cloud authentication, authorization, event logging and the security of the implemented APIs.
Moreover, Secura can support with the preparation for cloud certification schemes (such as CSA STAR or Eurocloud StarAudit) by performing cloud security compliance audits in line with the requirements of the CSA Cloud Controls Matrix.
INTERESTED?
Would you like to learn more about our services? Please do not hesitate to contact us.
Vestdijk 59, 5611 CA Eindhoven, Netherlands
Karspeldreef 8, 1101 CJ Amsterdam, Netherlands
T +31 (0)40 23 77 990, E [email protected], www.secura.com
Secura has the mission to support organizations with up-to-date knowledge to work toward a bright and safe future.
Keep updated with the latest insights on digital security and subscribe to our periodical newsletter.
Interested? Contact us today, or visit secura.com for more information.