IoT Security and Common Criteria Framework

Roland Atoui
Illustration: © IoT For All

The Internet of Things (IoT) has entered the home. As cloud technology continues to expand its market reach, cloud-backed applications are starting to make waves in the consumer market. Today, numerous mobile, desktop, and TV applications with IoT capabilities are available to purchase. Combined with a robust market of industry-specific platforms already in use, it is clear that the future of digital integration into everyday life will be driven by IoT developments.

However, the development and deployment of IoT-based products is anything but a risk-free zone, especially in terms of security. As more people rely on IoT devices, there needs to be a clearly defined accreditation process to ensure the quality of products, together with a policy that protects users against surveillance.

With a robust security foundation in place, hacking and other forms of cybercrime become far harder to carry out, even if they can never be ruled out entirely. Given these pressing concerns, the certification process for IoT products must be both rigorous and efficient.

Setting standards and norms is difficult in every industry, as it requires a set of objective criteria and strong third-party involvement. In IoT, security certification is particularly challenging because so few standards have been set.

The Common Criteria Framework

The Common Criteria (CC) framework for achieving security certification has been inherited from traditional IT security assurance. CC, standardized as ISO/IEC 15408, is an international standard for certifying IT security through an exhaustive evaluation process whose scope is defined on a case-by-case basis for each product. There are seven Evaluation Assurance Levels (EAL1 through EAL7) in total, with each higher level demanding more evidence from the developer and more depth from the evaluator.

In traditional IT, products such as firewalls, switches, and routers are routinely subjected to CC evaluation. Under CC, a company states the security functional requirements (SFRs) its product claims to meet in a document called the Security Target (ST). Since every product can be designed differently, and new products are always being developed, Protection Profiles (PPs) have been created for common product classes (a firewall, for instance). A PP is an implementation-independent set of requirements that any product of that class is expected to satisfy.

PPs act as a benchmark for the security of a product class. That means that if a company wants to introduce a new firewall, it can claim conformance to the firewall PP in its Security Target, and the evaluator checks the product against that agreed baseline rather than against a bar the vendor set itself. Once the evaluation has been completed by an independent, licensed laboratory, a certificate is issued by a national certification body and recognized by the other members of the Common Criteria Recognition Arrangement (CCRA).

This is the framework traditional IT and cloud companies work through to gain security accreditation for new products or major product updates, and it is frequently a prerequisite for government procurement. Although it is a tedious system, it does provide strong, third-party-verified security assurance.

Smart TVs and CC Framework

It is only within the last few years that IoT companies have been passing through the CC framework successfully. In 2016, Samsung achieved Evaluation Assurance Level (EAL) 1 for its Smart TV. Then in April 2017, LG took a step further and achieved EAL 2 for its Smart TV product. The company published a study detailing its certification process, and here are two important takeaways:

The Certification Process

In order to achieve EAL 2 (the level CC calls "structurally tested"), LG had to demonstrate that the Smart TV platform behaves as specified and has sound security built in, and to submit the design documentation and test evidence that the evaluator needs to verify this independently.

Step 1: Operational Capacity

It is the company's responsibility to show, with adequate evidence, that its product resists malware and external attack at the level of attack potential the chosen EAL covers. LG put the software underlying the Smart TV through a series of functional and security tests to demonstrate this, and the evaluator reproduced a sample of those tests and performed its own vulnerability analysis.

Step 2: Security Requirements

In the absence of a PP for Smart TVs, LG built its Security Target from requirements drawn from PPs for related product types: the operating-system kernel, mobile devices, Digital Rights Management (DRM), and the Smart TV application layer.

At the time of writing, no other IoT product sold on the consumer market had been certified to this level of assurance.

Conclusion

In achieving EAL 2, LG has both built an internal, CC-ready IoT security assurance framework and demonstrated that CC is one of the best available certification processes for increasing the security and reliability of IoT products. Indeed, when tailored to IoT technical and commercial constraints with the support of specialized security labs, CC is the only existing certification framework that is recognized in many countries worldwide, provides flexible assurance levels, covers a large range of IT and IoT product types, and delivers formal, objective results. Although it remains a relatively costly and time-consuming process, it is still the best choice for certain products and markets, and LG has shown that it delivers real value.

Author
Roland Atoui
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT) having recognized achievements working for companies such as Gemalto and Oracle with a background in both research and industry. From smart cards to smartphones to IoT tec...