Security is an important concern for developers of all types of systems. This FAQ reviews several important security standards covering IoT cybersecurity, security vulnerabilities in industrial automation and control systems, the analysis and identification of secure coding errors in C applications, and application software security concepts and trust levels.
ETSI EN 303 645, from the European Telecommunications Standards Institute (ETSI), was developed to provide the basis for basic-level IoT provisions under the EU Cyber Security Act (CSA). It is a globally recognized standard for consumer IoT cybersecurity. The standard is built on 14 high-level recommendations that are used to establish 68 provisions: 33 mandatory requirements and 35 recommendations (Figure 1).
ETSI EN 303 645 is designed to help prevent large-scale attacks on smart devices, including toys and baby monitors, safety-related products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances and smart home assistants. Compliant devices are expected to successfully counter distributed denial-of-service (DDoS) attacks and the hijacking of devices for cryptocurrency mining or spying.
ETSI has also released a test specification, ETSI TS 103 701 (Cyber Security for Consumer Internet of Things: Conformity Assessment of Basic Requirements), which describes how a structured and comprehensive conformity assessment should be performed. This test specification is intended to be used by manufacturers, suppliers and distributors to assess the conformity of devices with ETSI EN 303 645 in self-assessments or through test laboratories.
Industrial automation and control systems
ISA/IEC 62443 is a series of standards that provide a flexible framework for addressing and mitigating security vulnerabilities in industrial automation and control systems (IACS). For example, one standard in the series, ISA 62443-4-2 (Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components), provides technical cybersecurity requirements for the embedded devices, network components, host components, and software applications that make up an IACS. Based on the IACS system security requirements of ISA/IEC 62443-3-3 (System Security Requirements and Security Levels), the standard defines security capabilities that allow a component to mitigate threats for a given security level without the need for additional countermeasures.
ISA 62443-4-2 follows ISA/IEC 62443-4-1 (Product Security Lifecycle Development Requirements), which defines the requirements for the secure development process of devices and products used in IACS and defines a security development lifecycle for maintaining these protected devices and products. The lifecycle structure includes:
- Defining security requirements
- Secure design parameters
- Secure deployment requirements (including coding guidelines)
- Security verification and validation
- Defect management
- Software patch management
Analyzing secure coding in C
ISO/IEC TS 17961 is designed to establish baseline requirements and rules for analyzers, including static analysis tools and C compilers, that are needed to identify insecure code beyond the requirements of the language standard. The criterion for choosing the rules is that enforcing them should identify secure coding errors without generating excessive false positives. ISO/IEC TS 17961 is also designed to complement other C language standards and guidelines and is the only publication aimed at code analyzers, not developers (Table 1). A conforming analyzer must detect any violation of any of the rules and diagnose each rule in the specification that is violated. If the analyzed program violates multiple rules, a conforming analyzer must issue at least one diagnostic message and may optionally provide aggregate diagnostics for all violated rules.
The baseline rules can be extended to meet the needs of specific applications, if necessary to provide a minimum guarantee of performance for device users. ISO/IEC TS 17961 includes code examples for each baseline rule. Non-compliant code examples are included to demonstrate language constructs that have weaknesses with potentially exploitable security implications. The non-compliant examples are expected to produce a diagnostic from a conforming analyzer. The compliant examples should not be diagnosed by a conforming analyzer.
Application code protection
The ISO 27034 standard focuses on application security. It defines specific concepts, terms and activities for developing a comprehensive approach to application code security, including:
- Application Security Control (ASC)
- Application Level of Trust (ALT)
- Organization Normative Framework (ONF)
- Application Normative Framework (ANF)
- Application Security Verification Process (ASVP)
ASC is one of the basic concepts of ISO 27034 and is designed to prevent security vulnerabilities in applications. ASCs are sometimes called application security requirements. For example, SQL injection is a common application security weakness and can be addressed under ISO 27034 by using bind variables in SQL statements. Each ASC is based on how the application is used, such as the use of bind variables in SQL statements in an application that uses databases, and on context, such as the need to mask credit card numbers on the screen to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Each ASC must also include a verification method, such as running a scanning tool to identify SQL injection vulnerabilities.
Application level of trust
Not every application needs the same level of security. External web-based applications that interact with personal data require a higher level of security than internal applications without access to sensitive information. Each ASC is assigned to one or more levels of trust. For example, a financial institution may use three ALTs:
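The ASC described above, sketched as an added example that is not taken from ISO 27034 or from the original article: the control (bind variables), the context requirement (masked card numbers) and a verification method in one script. The table layout, the function names and the last-four-digits masking policy are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: well-known test card numbers, not real accounts.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (owner TEXT, pan TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("alice", "4111111111111111"), ("bob", "5500000000000004")])
    return db

def lookup_concat(db, owner):
    # Non-compliant: user input is spliced into the SQL text.
    sql = "SELECT owner, pan FROM cards WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, owner):
    # The control: the value travels as a bind variable, never as SQL text.
    sql = "SELECT owner, pan FROM cards WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def mask_pan(pan):
    # Context requirement (assumed policy): show only the last four digits.
    return "*" * (len(pan) - 4) + pan[-4:]

def display_rows(db, owner):
    # What the screen is allowed to show: bound lookup plus masking.
    return [(name, mask_pan(pan)) for name, pan in lookup_bound(db, owner)]

def verify_control(lookup):
    # Verification method: a value containing quote characters must match no
    # row; if rows come back, the input altered the structure of the query.
    probe = "nobody' OR '1'='1"
    return lookup(make_db(), probe) == []

if __name__ == "__main__":
    print(display_rows(make_db(), "alice"))
    print("bound lookup passes verification:", verify_control(lookup_bound))
    print("concatenated lookup passes verification:", verify_control(lookup_concat))
```

Running the same verification against both lookups shows why the ASC pairs a control with a check: only the bind-variable version passes.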
- Level 0 can only include ASCs that reduce the highest risks
- Level 1 will include more ASCs than level 0 and will reduce additional risks
- Level 2 will include even more ASCs and mitigate the greatest number of risks
Each ASC has a predefined expectation for its ALT. Once developed, each application is audited to measure its actual ALT to identify ASCs with lower actual ALTs than those listed. The combination of ALT specifications and audits ensures that all security deficiencies can be remedied before the ASC enters the field.
Organization normative framework
ONF is an organization-wide collection of ASCs and processes called the ASC Library. It determines when and how an application should use specific security tests, such as a penetration test. It includes an “application lifecycle reference model” whose scope goes beyond software security alone and covers the planning, building or buying, testing and use of applications through decommissioning, along with the related infrastructure. Another goal of ONF is to define when a specific ASC is used.
Application normative framework
ANF is the set of ASCs and application security processes that are applied to a specific application and is a subset of ONF. For example, a financial institution may have over 50 different ASCs with different combinations of ALTs that require different forms of threat modeling and code reviews. The ANF can also describe the ASC development process, plus its operational and decommissioning processes (Figure 2).
Application security verification process
Finally, ISO 27034 includes the requirement for a formal ASC security verification process. Code reviews, penetration testing, and other aspects of security verification are tied directly to individual ASCs. Prior to ISO 27034, security verification was a more general process that did not necessarily take into account the specific ALT and other performance requirements of individual ASCs.
In today’s connected world, security is an important aspect of the development process. This FAQ reviewed some of the key security standards for IoT cybersecurity, security vulnerabilities in industrial automation and control systems, the analysis and identification of secure coding errors in C applications, and application software security concepts and trust levels, as covered in ETSI EN 303 645, ISA/IEC 62443, ISO/IEC TS 17961 and ISO 27034, respectively.