
VIEW ON THE IOT ENVIRONMENT

The Internet of Things (IoT) is truly a holistic concept, resulting from the fact that the world becomes more and more connected. The combination of “smart” devices, mobile or web applications used to interact with them, and cloud services allowing them to connect with each other leads to the development of overlapping IoT ecosystems. Therefore, even if differences in products and solutions occur across various verticals, by making use of these building blocks the security of IoT solutions can be addressed in an efficient way.

The IoT domain is increasing at an accelerating speed across existing verticals, while at the same time expanding and interconnecting with new domains. In this dynamic environment, security threats need to be addressed structurally and simultaneously from an early design stage. Secura's IoT Security Lab expands across all the relevant verticals of the IoT ecosystem, allowing the manufacturers and developers to stay in control of their security.

Secura has worked in information security and privacy for nearly two decades. This is why we uniquely understand the challenges that you face like no one else and would be delighted to help you address your information security matters efficiently and thoroughly. We work in the areas of people, processes and technology. For our customers we offer a range of security testing services varying in depth and scope.

IN CONTROL WITH SECURA

SECURA IOT SECURITY LAB

[Diagram: view on the IoT environment, with the elements Web/Mobile Applications and Cloud Service]


APPROACHING IOT SECURITY

In line with the drawing above, the IoT Security Lab of Secura addresses each particular type of element in the IoT environment, therefore supporting the whole supply chain of an IoT solution. We believe that designing specific services for specific target groups is essential in addressing specific security needs across the supply chain. Moreover, by directing the services to specific targets, the resulting level of assurance is as high as possible, since the assessment scope is tailored towards domain-specific objectives. Finally, we strongly believe that security can be addressed better by relying on internationally recognized publications addressing requirements and metrics. Because of that, our services include, for all the addressed elements, the option of standardized assessments and certification.

The services provided by the lab focus on the IoT building blocks: devices, web/mobile applications and cloud connectivity. For each of these building blocks, Secura provides a complete and flexible service offering, including:

• Design Reviews and Threat modelling: Tailored reviews of the specific solution, highlighting specific risks and design vulnerabilities. This includes services such as documentation review, source code review, security by design trainings or security audits.

• Training courses: Courses given by our experts concerning topics such as Automotive Security, ICS SCADA Security or Embedded Devices Security.

• Advisory and Audit: Services carried out by experienced and certified auditors (REs), aimed at assessing and validating the security-related processes implemented within your organization.

• (Standardized) testing: Assessing the presence and sufficiency of implemented security features, in line with relevant international publications. The testing is performed in a tailored way, by selecting relevant requirements from the considered publications.

• Compliance and certification: Ensuring security by testing in line with the applicable requirements of relevant international publications (e.g. IEC 62443, IoT Security Foundation Framework, OWASP Testing Guide, etc.), while also offering support for security certifications or regulations.

In particular, this factsheet will mostly focus on services related to security testing, compliance and certification of IoT products from the various verticals in scope. These verticals are summarized in the table below.

SECURA IOT SECURITY LAB SERVICES

Verticals (industries)                                              Services
------------------------------------------------------------------  ------------------------------------------------------------
Devices & Systems: Consumer IoT, Medical Devices, Industrial        Testing, Compliance and/or Certification (industry specific)
Control Systems, Smart Vehicles, Financial and Payments, Telecom
Web/Mobile Apps, Cloud                                              Testing, Compliance and/or Certification (industry agnostic)


INDUSTRY SPECIFIC IOT SECURITY

CONSUMER IOT

The market of consumer products is expanding continuously at a very fast pace. Smart gadgets which can be used either inside homes (e.g. smart cameras, smart doorbells, etc.) or as personal devices (e.g. wearables) provide functionalities that are designed to improve the user experience and make everyday tasks easier. However, together with these advantages, the cybersecurity risks associated with these devices are increasing as well. Moreover, as the end products interact with web/mobile applications and upload/retrieve data from the cloud, the attack possibilities increase considerably.

Secura can support with security assessments covering many dimensions of the consumer IoT ecosystem. The security of these products can be assessed in line with internationally recognized publications, ensuring an assessment which takes into account all the various security-relevant aspects (e.g. hardware, operating system, applications, interfaces, authentication/authorization, etc.). For such assessments, Secura makes use of an IoT security assessment framework, resulting from overlapping the security requirements of state-of-the-art publications such as the IoT Security Foundation Framework, IEC 62443, OWASP IoT Testing Guide and the GSMA IoT checklist. This framework provides a holistic approach to security assessment, by including requirements addressing hardware (physical) security, operating system and application, interfaces, cloud and mobile connectivity, or process-specific requirements such as life cycle or privacy.

From a compliance perspective, demonstrating that your product’s security follows the internationally recognized requirements of publications such as the IoT Security Foundation Framework, UK Consumer IoT Code of Practice or IEC 62443 can represent a strong market advantage. Secura can also support you in obtaining official recognition of your product’s security through the IoT Security Foundation Best Practices certification.

More details concerning the types of services and specific security testing can be obtained by accessing the dedicated factsheet on IoT products security.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura IoT testing framework (IoT SF, IEC 62443, GSMA, OWASP IoT)

• Compliance: IoT Security Foundation, IEC 62443, UK Code of Practice

• Certification: IoT Security Foundation certification


MEDICAL DEVICES

The healthcare domain is becoming increasingly connected with the introduction of either personal or hospital smart medical devices and systems. These systems have the advantage of providing smart features, allowing patients to be more in control of their personal health. At the same time, the possibility of interconnecting these systems or devices introduces exciting new possibilities. For example, a connected glucose monitor can generate data which can be accessed by the patient using the mobile app, in order to better control the amount of glucose in the body, as well as the general nutrition. Of course, all of these features also come with cybersecurity risks. Considering also the high impact of medical devices (life threatening), it is crucial to be able to control these risks.

Secura can support you with standardized security testing, in line with internationally recognized publications (e.g. IEC 62443, UL 2900). This ensures that the testing activities carried out on the medical device or system cover the security of the device in a state-of-the-art way. The standardized testing services cover the security of medical devices from multiple perspectives, by addressing issues such as authentication, user authorization, interface security and session control, protection of data at rest and in transit, or secure software updates.

At the same time, Secura can support you with preparing for the FDA or EU medical device approval, by executing security testing in line with the requirements of these regulations, and helping with the development of the required documentation.

More details concerning the types of services and specific security testing can be obtained by accessing the dedicated factsheet on medical devices security.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura Medical devices testing framework (IEC 62443, UL 2900, FDA guidelines)

• Compliance: IEC 62443, FDA, EU regulations

INDUSTRIAL CONTROL SYSTEMS

Smart Industrial Control Systems (ICS) are increasingly being used in both manufacturing environments and critical infrastructures. These systems rely on products such as PLCs, DCSs, HMIs, etc., which are used to monitor and control a specific system or process. Especially since these types of products are designed for long lifespans, it is important that the security features which they provide are sufficient to protect against high risks.

For assessing ICS components and systems, it is important to ensure a security-by-design approach towards including sufficient security features. The security features can be tested in line with internationally recognized standards such as IEC 62443. This standard can be used to assess the security of either individual components or systems made out of components (e.g. a system composed of a DCS and an HMI). During such an assessment, various elements of security are assessed, such as user authentication and authorization, protection of transferred and stored data, security of software updates or security of communication interfaces.

Demonstrating compliance with this standard can represent a valuable way to ensure that the products are protected against state-of-the-art practical attacks.

More details concerning the types of services and specific security testing can be obtained by accessing the dedicated factsheet on ICS SCADA security.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura ICS SCADA product testing framework (IEC 62443, UL 2900)

• Compliance: IEC 62443


SMART VEHICLES

Modern vehicles contain extensive amounts of smart features which enable them to connect (to the Internet, to other vehicles - V2V, or to various infrastructure elements - V2X) and to offer the users a more pleasant experience. Similar to other domains involved in the IoT ecosystem, the connectivity capabilities of smart vehicles also open doors to cybersecurity risks. Regulations addressing the safety and performance of cars have been in place for decades. Regulations concerning cybersecurity aspects have however been absent, and are currently only in the drafting phase. This means that the responsibility of maintaining a secure development, production and post-production process lies with the car manufacturers. Recent examples of practical hacks in the field (e.g. the Jeep attack) demonstrate that cybersecurity is something which manufacturers cannot afford to ignore.

Secura has designed services addressing the whole smart vehicles ecosystem. The security of the cars or their high-risk systems can be assessed by making use of relevant international publications, such as ISO 21434, IEC 62443, the US Department of Transportation framework or the ENISA Smart Cars best practices. By following such standardized assessments, Secura can assure manufacturers that their vehicles or subsystems are compliant with the relevant state-of-the-art security measures, reducing the risk of a security incident. Examples of security measures in scope of an assessment include authorization, authentication, vehicle interface security, separation of internal sensitive networks (e.g. by isolating various CAN communication), or secure software updates.

At the same time, Secura is at the forefront of international cybersecurity regulations related to the automotive domain. Secura can support you in preparing for the upcoming regulations (such as the UN/ECE regulations on Cybersecurity or Software Updates), including the preparation of required documentation and the performing of required testing and documentation review. This will allow manufacturers to stay in control of their security processes, and ensure that they can satisfy the requirements of the regulations the moment they are enforced.

More details concerning the types of services and specific security testing can be obtained by accessing the dedicated factsheet on automotive security.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura Automotive testing framework (IEC 62443, ISO 21434, US Department of Transportation, ENISA smart cars best practices)

• Compliance: IEC 62443, ISO 21434

• Certification: UN/ECE regulations on Cybersecurity and Software Updates


FINANCIAL AND PAYMENTS

Financial services are one of the critical infrastructures of a nation. The whole ecosystem contains a complex combination of banking services, payment devices and the infrastructures used to communicate between all involved elements. With the purpose of offering an enhanced user experience, most banks nowadays make use of mobile and web applications, allowing users to remotely access their accounts and perform transactions. At the same time, payment devices (such as payment terminals or ATMs) offer many modern payment methods (such as mobile payment with NFC technology), designed to reduce the effort and improve the user experience.

In this complex ecosystem, Secura has designed services aimed at supporting most of the involved actors. For payment device manufacturers, initial threat models and architecture reviews (for both hardware and software security) can ensure that the products include sufficient security elements. Penetration testing activities can verify that the devices include sufficient security features. At the same time, support in building certification-specific documentation (e.g. PCI PTS) can be offered.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Tailored testing services

• Certification: Support on certification preparation (building documents, pre-evaluation), e.g. PCI DSS and PTS

SMART COMMUNICATIONS

Communication products and infrastructures are the backbone of what we call IoT. Network elements such as routers, switches, VPN gateways or data diodes allow other devices to connect to each other and to the Internet. Because of this, the cybersecurity risks associated with these network elements and the infrastructures which connect them (leading to the creation of WANs) can have high impacts and affect a large number of people.

Secura provides assessment services designed to highlight possible issues with these types of products and infrastructures. Standardized testing activities can be performed on products and networks, addressing security features such as encryption mechanisms, secure storage, physical security, authentication, authorization, etc.

Finally, in the case of network products, the highest level of assurance can be obtained by means of certification. Secura can support you in delivering the Baseline Security Product Assessment (under NLNCSA) or support the process to obtain a Common Criteria certification, enabling you to highlight the security of your products.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura Network devices testing framework (IEC 62443, Common Criteria Network Devices Protection Profile)

• Compliance: IEC 62443

• Certification: BSPA, Common Criteria (support)


INDUSTRY AGNOSTIC IOT SECURITY

Besides domain-specific products, there are many solutions designed to be sector agnostic. For example, a chip manufacturer would preferably wish its products to be embedded into many different IoT applications, from consumer products to higher-risk payment devices. At the same time, solutions such as web/mobile applications or cloud platforms provide at their core similar functionalities from the perspective of the users, independent of the particular domain in which they are used.

SECURE WEB AND MOBILE APPLICATIONS

Web and mobile applications allow users to interact with and control the smart “things”, therefore sitting at the heart of IoT. While different risks apply to different use cases (e.g. for a payment application the risks are different than for a smart doorbell application), the assessment methodology can be made horizontal, by validating the security against internationally recognized standards and best practices.

Secura makes use of the OWASP Application/Mobile Testing Guide in order to assess the security of these applications. As a result, tailored services can be provided, in the form of black/grey/crystal box investigations, approaching the security of the app from a real-life hacker’s point of view. Examples of tests in scope of these services include security topics such as authentication, authorization, client-side testing, configuration and deployment management, cryptography, identity management, data validation or session management.

At the same time, assessing the security compliance of these applications in line with recognized standards such as the OWASP Application/Mobile Security Verification Standard goes deeper, addressing technical security testing as well as elements of the development lifecycle (such as threat modelling, secure coding, etc.). The diversity of the offered solutions gives customers the flexibility of choosing the best approach for assessing their software, in line with their needs and testing appetite.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura Web and mobile applications testing framework (in line with the OWASP Testing Guide)

• Certification: OWASP ASVS, OWASP MSVS

SECURE CLOUD PLATFORMS

Cloud platforms allow the smart “things” to connect to each other, share and store data. Therefore, they represent one of the backbones of IoT. At the same time, due to the sensitive data that is transferred, stored or processed by these platforms, their cybersecurity becomes one of the most important aspects.

Secura can support both IoT developers and cloud service providers by performing tailored penetration testing on specific cloud platforms, addressing security topics such as cloud authentication, authorization, event logging or the security of the implemented APIs.

Moreover, Secura can support with the preparation for cloud certification schemes (such as the CSA STAR or Eurocloud StarAudit) by performing cloud security compliance audits in line with the requirements of the CSA Cloud Control Matrix.

(STANDARDIZED) TESTING, COMPLIANCE AND CERTIFICATION

• Testing: Secura Cloud testing framework

• Certification: CSA STAR, Eurocloud StarAudit support


INTERESTED?

Would you like to learn more about our services? Please do not hesitate to contact us.

Vestdijk 59, 5611 CA Eindhoven, Netherlands

Karspeldreef 8, 1101 CJ Amsterdam, Netherlands

T +31 (0)40 23 77 990
E [email protected]
www.secura.com

About Secura

Secura has the mission to support organizations with up-to-date knowledge to work toward a bright and safe future.

Keep updated with the latest insights on digital security and subscribe to our periodical newsletter.

Interested? Contact us today at [email protected] or visit secura.com for more information.