
Consumer IoT Standards and Certification

The document discusses standards and certification options for securing consumer internet of things (IoT) products. It provides an overview of the various standards that exist, including the IoT Security Foundation Framework, IEC 62443, OWASP IoT requirements, GSMA IoT requirements, UL 2900 family, ENISA Best Practices, and ETSI EN 303 645. It also discusses certification schemes like Common Criteria, SESIP, and schemes based on ETSI EN 303 645. The rest of the document focuses on Common Criteria and ETSI EN 303 645 certification in more detail.


A Bureau Veritas Company

CONSUMER IOT STANDARDS AND CERTIFICATION

What are the best options for your products?

SECURA

Vestdijk 59
5611 CA Eindhoven
Netherlands

Karspeldreef 8
1101 CJ Amsterdam
Netherlands

T +31 (0)88 888 3100


E [email protected]
W secura.com


1. Consumer IoT Products & Threats Landscape


The current rise of the Internet of Things (IoT) ecosystem is something that cannot be denied. Smart building elements, vehicles connected to a smart transport infrastructure, and gadgets that can be controlled remotely through mobile applications and the cloud are only a few examples of the current state. Moreover, the rate at which IoT is expanding is accelerating. Based on recent reports, it is expected that 5.8 billion IoT endpoints will be in use by the end of 2020 in automotive and enterprise environments alone [1].

Whenever the term IoT is mentioned, thoughts initially turn to smart consumer gadgets. This paradigm, even though slightly outdated, is still correct to a large extent. Based on reports, the market of consumer IoT products is projected to reach $153.8 billion by 2026 [2]. However, together with the increase in the volume and functionality of connected products, the cybersecurity risks associated with these products are strongly increasing as well. Due to the volume of this market, as well as its connectivity to other high-risk environments, this becomes a serious issue.

The IoT is truly a holistic concept, resulting from the fact that the world is becoming more and more connected. The combination of “smart” devices, the mobile or web applications used to interact with them, and the cloud services allowing them to connect with each other leads to the development of overlapping IoT ecosystems.

Table of Contents

1. Consumer IoT Products & Threats Landscape
2. Reference Standards & Certification Schemes for Consumer IoT
3. Focus on Common Criteria
4. Focus on ETSI EN 303 645
5. What is the Best Option for your Product?
6. Conclusion

[1] https://informationmatters.net/internet-of-things-statistics/
[2] https://www.verifiedmarketresearch.com/product/consumer-iot-market/

Secura White Paper | Consumer IoT Standards and Certification

This also allows for a better understanding of how security threats can affect the domain of consumer IoT products. We know that the security of a general system, network and ultimately, home, is as strong as the weakest link involved. The multitude of “smart” consumer gadgets that increasingly populate our homes opens up multiple potential doors towards personal sensitive data.

In most cases, the component or gadget that has an embedded vulnerability is not the actual target of an attacker. Imagine for example a smart surveillance camera that is used in a home environment. The camera is connected to the home router, and therefore to the trusted network. All the other smart appliances and devices found in the home are directly connected to the same network.

If an attacker can exploit a vulnerability embedded in the mentioned camera and get access to the main home network, then it would be theoretically possible to access the other devices or information shared on the network. And if a camera itself does not sound like a critical component in case of a security attack, then how about the connected smart door locks, the in-home alarm system, the connected personal medical devices or the smart fire-detection system? If we see things from this perspective, we can start observing that an apparently “inoffensive” gadget can actually be much more concerning than initially thought.

With these aspects in mind, in recent years there has been an intense focus on developing efficient standards aimed at addressing the security of consumer IoT products. Together with the standards, options for certification schemes were also developed.


2. Reference Standards & Certification Schemes for Consumer IoT

Starting from the premise that consumer IoT products need to start having a strong focus on their security capabilities and functionalities, in the last years we have seen a wide range of standards, frameworks and best practice documents published on this matter. What started as a promising approach to make security more concrete in such products quickly transformed into a rather confusing aspect for manufacturers: if there are so many available publications providing guidance and security requirements for IoT products, which one is the best and which one should be followed?

To briefly summarize, at this moment we have in place an extensive list of publications which manufacturers can consider in order to build security into their connected products. Without the purpose of making this an exhaustive list, relevant examples include the IoT Security Foundation Framework, IEC 62443, OWASP IoT requirements, GSMA IoT requirements, UL 2900 family, ENISA Best Practices for connected products, or the ETSI EN 303 645. The list can of course become much more extensive if we consider additional publications that are not issued by smaller security organizations, and furthermore if we consider other local requirements which are published for specific countries and regions.

The ETSI EN 303 645 standard was published with the main idea to provide a clearer view on the real-life risks and vulnerabilities of consumer IoT products, and to create a feasible testing and evaluation approach. With this standard quickly obtaining more and more attention, starting from the EU level, many manufacturers have started to take an interest in its security requirements. Furthermore, ETSI is also working on publishing a methodology for performing validation testing in line with the requirements of the ETSI EN 303 645, which will be documented in the ETSI TS 103 701 publication.

Besides the topic of issuing relevant standards, there is of course the discussion on certification options for smart devices. Here the concerns can be even stronger, as a good certification program for consumer IoT needs to have in place several aspects, such as:

• Clear requirements and testing methodology
• Smooth assessment and certification process, resulting in a limited effort approach
• High international visibility and recognition of the resulting certificate

Furthermore, there is the topic of creating a certification program that can successfully address the various layers of a consumer device, and also the supply chain interaction behind its development. Having these constraints in mind, there are currently several certification options available to manufacturers. Common Criteria certification is arguably the most recognized certification program for IT products, with its results recognized in many countries across multiple continents. To provide some alternatives to Common Criteria, recent years have seen the development of other, consumer-focused certification schemes, such as SESIP (focused on the IC components and platforms used for IoT), the IoT Security Foundation label, or the public and private certification schemes operating based on the ETSI EN 303 645 standard.

In this multitude of available standards and certification options, it is critical for manufacturers to make the best decision regarding the specific standard or certification in which they will invest their efforts. With the aim of providing more clarity on the topic, the rest of this document will focus on two specific programs, the Common Criteria international security certification and the ETSI EN 303 645 based certification.


3. Focus on Common Criteria

3.1. What is Common Criteria?

The Common Criteria for Information Technology Security Evaluation, shortly referred to as Common Criteria or CC, is an international standard for independent security evaluation and certification of IT products implemented as hardware, firmware or software.

Common Criteria consists of three main parts plus the recommended methodology to perform evaluations:

• Part 1: Introduction and general model, April 2017, version 3.1, revision 5;
• Part 2: Security functional components, April 2017, version 3.1, revision 5;
• Part 3: Security assurance components, April 2017, version 3.1, revision 5;
• Common Methodology for Information Technology Security Evaluation (further referred to as CEM), April 2017, version 3.1, revision 5.

Several stakeholders are involved in a CC evaluation, as follows:

• Sponsor of the evaluation. The party that plans to certify a product (could be either a developer of the product or a third party).
• National certification scheme. National CC scheme, providing own set of tailored rules for evaluation and certification of IT products, based on the CC standard.
• IT Security Evaluation Facility (ITSEF). Accredited and licensed lab specialized in performing CC evaluations for a particular class of IT products.

Under Common Criteria, it is possible to evaluate and certify a broad range of products, including:

• Smart cards and ICs
• Software and application products
• Operating systems
• Antivirus and network protection software
• Network equipment
• Embedded devices such as IoT, printers, automotive components, medical devices, etc.

A Common Criteria evaluation can be conducted based on seven increasing assurance levels, each of the levels coming with more stringent requirements that need to be fulfilled by the product, as well as the evaluation methodology. A resulting Common Criteria certificate is mutually recognized in a wide range of countries, spread across the EU, Asia, North America, Australia or UK. Given its history, tradition and large number of issued certificates, Common Criteria is one of the most recognized certification methodologies across the world.


3.2. How to Test & Certify based on Common Criteria?

Common Criteria introduces seven different levels of evaluation (EAL1 to EAL7) depending on the level of assurance in the security of the evaluated product. According to CC, higher assurance results from the application of greater evaluation effort. The increasing level of effort is based upon:

• Depth of Evaluation – the effort is greater because it is deployed to a finer level of design and implementation detail;
• Coverage of Evaluation – the effort is greater because more evaluation requirements are in scope;
• Rigor of Evaluation – the effort is greater because it is applied in a more structured, formal manner.

The assurance increases with every level and the “default” levels in a CC evaluation are identified in the following way:

• EAL1 – functionally tested;
• EAL2 – structurally tested;
• EAL3 – methodically tested and checked;
• EAL4 – methodically designed, tested and reviewed;
• EAL5 – semi-formally designed and tested;
• EAL6 – semi-formally verified design and tested;
• EAL7 – formally verified design and tested.

Selecting the desired evaluation level is based on the preference of the manufacturer. Typically, embedded products including consumer IoT devices are suited for a lower level evaluation (e.g. EAL 1 to EAL 3). This is due to the less critical security risks that are directly applicable to these devices, compared for example with products like ICs or e-passports, which are typically better suited for higher evaluation levels.

The evaluation activities include a combination of several elements, such as:

• Evaluation of the product’s Security Target (the overview of the product’s security scope and capabilities)
• Design review of the products and overview of its interfaces and architecture
• Review of the product’s guidance requirements
• Review of the product’s development life cycle processes
• Validation and penetration testing of the product’s security capabilities.

The conducted assessment activities are documented in several deliverables that are shared with the certification scheme. Once these deliverables are agreed by the scheme, a final certificate is issued and published on the Common Criteria portal.


4. Focus on ETSI EN 303 645

4.1. What is ETSI EN 303 645?

The ETSI EN 303 645 norm is currently one of the main standards for the assessment and validation of IoT products, with a special focus and relevance on the side of consumer IoT. Originally inspired by the UK IoT Code of Practice for security, the ETSI EN 303 645 grew into an EU recognized framework, therefore being a very good reference for upcoming EU level certification schemes for consumer IoT products.

The ETSI EN 303 645 norm is designed to provide an efficient, baseline assessment methodology for the evaluation of IoT products and solutions. Aspects of this methodology include:

• Password security
• Secure software updates
• Security of interfaces and data communications
• Product’s availability
• Completeness and correctness of user guidance
• Vulnerability disclosure procedures and patch management
• Product logging
• Protection of personal data
• Validation of data inputs

4.2. How to Test and Certify Based on ETSI EN 303 645?

The standard itself aims to provide a baseline of security requirements, therefore, as expected, the testing depth is medium. General security evaluation knowledge related to hardware, software and protocol security is sufficient in order to go through the requirements. The difficulty comes however from interpreting some requirements which are made “flexible” on purpose. For example, the requirement “The product shall have an update mechanism for the secure installation of updates” requires first of all consensus on what is meant by “secure installation”, especially in the sense of what is good enough and what is not good enough.

There are multiple other instances of such requirements where common interpretation is needed in order to reach a testing verdict. In order to help in creating a common base for evaluation and testing, ETSI is currently working on a separate document, ETSI TS 103 701, aimed at providing an evaluation methodology based on the ETSI EN 303 645 standard.

From a certification point of view, there are already some options that manufacturers can use in order to obtain a compliance label based on the ETSI IoT standard. The existing certification schemes are at the same time quite new, given the fact that the standard itself was formally published in 2020. Examples of national initiatives include the Finland TRAFICOM certification scheme, as well as the Singapore Cybersecurity Label Scheme (CLS), both operating based on the requirements of the ETSI standard. From a private point of view, some Certification Body companies have developed their own programs focused on providing compliance labels, an example in such a case being the Bureau Veritas certification program based on ETSI EN 303 645.

Given the fact that certification options based on ETSI EN 303 645 are relatively new, the number of already certified products is smaller compared with other “classic” approaches such as Common Criteria. However, given the quick market adoption of the standard, combined with the smooth and limited effort approach that some of these schemes are adopting, it is expected that such labels will become much more common in the next years.


5. What is the Best Option for your Product?

As highlighted above in this document, manufacturers of consumer IoT products currently have several options for the certification of their products. Some specific case studies have been presented for the Common Criteria and ETSI EN 303 645 certification schemes.

In the end, which one of these options is the best for manufacturers to take, and on what basis can this decision be taken? While the final answer will depend strongly on certain aspects that are manufacturer related, the table below aims to summarize the characteristics of these schemes against several selected aspects.

| Characteristic | Common Criteria Certification | ETSI EN 303 645 Certification |
|---|---|---|
| International recognition | Common Criteria is widely known, being mutually recognized in multiple countries spread across the world. | Certification schemes based on ETSI EN 303 645 are relatively new, therefore the international recognition of these certificates is slowly emerging. That being said, manufacturers are free to promote or display the certificate on their products. |
| Value of certificate | A Common Criteria certificate is mutually recognized in multiple countries, all over the world. Many times, large institutions or asset owner organizations will ask for a CC certificate in order to sign a partnership with a device manufacturer. Finally, having a CC certificate can represent a strong differentiator against competitors. | While the international recognition of these schemes is gradually increasing, the value of the certificate is already quite good. ETSI EN 303 645 is already a well known standard in the domain of consumer IoT. A certificate or label based on this standard will therefore be an important confirmation of the product’s capabilities. |
| Flexibility of the process | Common Criteria is a very carefully defined evaluation process. All the evaluation activities are documented, and a project cannot deviate from them. The relation between the stakeholders is clear and strict. | Certification approaches based on ETSI EN 303 645 often allow for interpretation of requirements. While a product that does not fulfill a large part of the requirements will likely not obtain a certificate, there is currently room for alignment, such that manufacturers can defend the design decisions that they adopted for their products. |
| Required effort | The effort depends on the level of evaluation, and will progressively increase among the seven possible levels in Common Criteria. As a rough indication, 40 – 60 person days can be expected for a Level 2 evaluation, which is a well suited level for consumer IoT devices. | Certification schemes based on ETSI EN 303 645 were designed to be market accessible. Therefore, the expected effort can be generally considered lower than for example a Common Criteria evaluation. A rough indication can be around 20-25 person days, which depends strongly on the type and complexity of the product. |
| Required involvement from the manufacturer | In a CC evaluation, the manufacturer holds an important role. The manufacturer is responsible for drafting the evaluation evidence, in a particular format required by the CC scheme. A site-audit can be part of the evaluation process as well. | These schemes have been developed in order to provide a smooth process, minimizing where possible the involvement of the manufacturer. Often there is a clear checklist of documents that need to be provided by the manufacturer in the beginning, such that the rest of the evaluation process can be performed as much as possible by the laboratory without further support. |
| Project Duration | Typically, Common Criteria projects do not result in quick verdicts. Of course, the duration strongly depends on the evaluation level. As an indication, a duration of 3-4 months can be considered relevant for an evaluation based on Level 2 [3]. | The duration of the project, including the drafting of the final report and issuing of the certificate is minimized, the whole process being possible to be finalized within 1 month. |
| Specific Value for Consumer IoT Products | Common Criteria is a highly recognized evaluation and certification scheme. Therefore, the value of such certificate will be of importance, including in the domain of consumer IoT products. Besides offering possibilities for governmental or large asset owners access, a CC certificate can be an important differentiator against the competitors. | A certification based on ETSI EN 303 645 could be an important milestone for a manufacturer of consumer IoT products. While not as internationally recognized as a Common Criteria certificate, such a certificate will represent an appreciated label particularly among users and integrators of consumer equipment. |

[3] This indication is given considering an evaluation performed under the Dutch Common Criteria scheme, NSCIB.


6. Conclusion

This document aimed to describe the existing standards and certification options applicable for the domain of consumer IoT products. Luckily, we do not lack in terms of available standards. In fact, this can even be considered to be an element that sometimes provides confusion among the manufacturers: which standard or certification scheme would be the best one to follow.

Common Criteria has traditionally been the main international certification program for IT products, applicable therefore also for consumer IoT devices. On the other hand, the ETSI EN 303 645 standard came with an approach that aims to make the evaluation of these devices smoother, and with less involvement from the manufacturer. That could in particular be useful for small-scale IoT manufacturers, due to the less stringent evaluation methodology and less extensive required effort.

Both Common Criteria and ETSI EN 303 645 can result in valuable certificates. While Common Criteria will provide direct international recognition, ETSI EN 303 645 certification is a label that will attract the attention especially among users and integrators of consumer IoT products.

Would you like more guidance on which option might be the best for your product, or more information about consumer IoT standards and certification? If yes, feel free to contact Secura’s experts for more help.

About Secura

Secura is your independent cybersecurity expert. Secura provides insights to protect valuable assets and data. We make cybersecurity tangible and measurable in the field of IT, OT and IoT. With security advice, testing, training and certification services, Secura approaches cybersecurity holistically and covers all aspects from people, policies, organizational processes to networks, systems, applications and data.

For more information, please visit: secura.com.
Keep updated with the latest insights on digital security and subscribe to our periodical newsletter: secura.com/subscribe.

Contact us today at [email protected] or visit secura.com for more information.