SESIP methodology streamlines IoT security evaluation
GlobalPlatform’s Security Evaluation Standard for IoT Platforms (SESIP) methodology has been adopted as the basis for a European Standard (EN) by the European Committee for Standardisation (CEN) and the European Committee for Electrotechnical Standardisation (CENELEC). The standard is intended to help the IoT ecosystem address regulatory fragmentation and to better understand, deploy, and explain security.
“This is all about raising the bar for IoT security,” comments Eve Atallah, a sub-task force chair at GlobalPlatform SESIP. “Security in IoT is a problem as a myriad of national and regional regulations have emerged in recent years. We are asking device makers and non-security experts to firstly identify relevant security requirements, implement technology to address them, and then demonstrate the security features of their products. This is complex, costly, and unsustainable.”
Value for IoT stakeholders
The World Economic Forum (WEF) reported in 2022 that cybersecurity threats had increased by over 358% in recent years, outpacing societies’ ability to effectively prevent or respond to them. A year on, the challenge persists, with WEF noting cybersecurity as a constant concern and listing it as a top 10 global risk for 2023.
The SESIP methodology provides a standardised approach for evaluating IoT security implementations, tailored to the requirements and challenges of the evolving ecosystem. Its authors have analysed and mapped regulatory and industry requirements from various organisations, such as the European Union Agency for Cybersecurity (ENISA), the European Telecommunications Standards Institute (ETSI), the International Electrotechnical Commission (IEC), and the National Institute of Standards and Technology (NIST).
This gives the IoT community a single, accessible reference point for assessing IoT cybersecurity in line with these and other requirements, reducing fragmentation, complexity, and cost in security certification processes for stakeholders.
The SESIP methodology also supports the composition and reuse of certificates. Previously certified components can be used to build a device with in-built security assurances, without repeating a complete evaluation of the same component for each targeted market. This drives greater efficiency, security, innovation, and cost savings across the certification process.
Both national and private certification bodies are creating and managing certification schemes based on the SESIP methodology. One recent example is Taiwan, where the methodology is being assessed by the Institute for Information & Industry.
A rapidly growing ecosystem
The GlobalPlatform community is responsible for maintaining the methodology and enforcing a governance model with an associated quality brand between certification bodies (CBs), product vendors, and laboratories.
The certification body TrustCB has already licensed 10 laboratories and certified more than 28 products from various companies, including Amazon Web Services, Microchip Technology, STMicroelectronics, NXP Semiconductors, Renesas, Secure Thingz, Silicon Labs, Trusted Objects and Winbond Electronics Corporation. Most recently, SGS Brightsight CB has joined the programme to become a GlobalPlatform SESIP CB.
Simplifying and strengthening IoT security through standardisation
“SESIP is a result of the expertise of the GlobalPlatform community and its work to drive more cybersecurity into IoT devices without adding complexity,” said Gil Bernabeu, CTO at GlobalPlatform. “By giving stakeholders a single point of reference for IoT cybersecurity, regardless of their security expertise, we can collectively raise the bar for security. When everyone can understand, better decisions can be made faster. When better security decisions are made, confidence both within industry and among end users grows. We believe in a digital society, but that goal is only achievable if we have trust in digital devices and services. Standardisation, evaluation, and certification are fundamental to this trust.”
More than 200,000 experts from industry, associations, public administrations, academia, and societal organisations are involved in the CEN and CENELEC network, which reaches over 600 million people in 34 countries. The development of a European Standard is based on the so-called National Delegation Principle and is governed by the principles of consensus, openness, transparency, national commitment, and technical coherence.