EU Cybersecurity Act and IoT Certification: Landscape, Perspective and a Proposed Template Scheme
2022 (English). In: IEEE Access, E-ISSN 2169-3536, Vol. 10, p. 129932-. Article in journal (Refereed). Published.
Abstract [en]
The vulnerabilities in deployed IoT devices are a threat to critical infrastructure and user privacy. There is ample ongoing research and effort to produce devices that are secure-by-design. However, these efforts are still far from translation into actual deployments. To address this, worldwide efforts towards IoT device and software certification have accelerated as a potential solution, including the UK's IoT assurance program, the EU Cybersecurity Act and US Executive Order 14028. In the EU, the Cybersecurity Act was launched in 2019, which initiated the European cybersecurity certification framework for Internet and Communications Technology (ICT). The heterogeneity of the IoT landscape, with devices ranging from industrial to consumer, makes it challenging to incorporate IoT devices in the certification framework or to introduce a European cybersecurity certification scheme solely for IoT. This paper analyses the cybersecurity certification prospects for IoT devices and also places Article 54 of the EU Cybersecurity Act in an international perspective. We conducted a comparative study of existing IoT certification schemes to identify potential gaps and extract requirements for a candidate IoT device security certification scheme. We also propose an approach that can be used as a template to instantiate an EU cybersecurity certification scheme for IoT devices. In the proposed template, we identify IoT-critical elements from Article 54 of the Cybersecurity Act. We also evaluate the proposed template using the ENISA qualification system for cybersecurity certification schemes and show its qualification on all criteria.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers Inc., 2022. Vol. 10, p. 129932-
Keywords [en]
Conformity Assessment, EU Agency for Cybersecurity (ENISA), EU Cybersecurity Act, Internet of Things, IoT Certification, Security Certification Scheme, Cyber security, Security certification, Software certification, User privacy, Cybersecurity
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:ri:diva-62619
DOI: 10.1109/ACCESS.2022.3225973
Scopus ID: 2-s2.0-85144011821
OAI: oai:DiVA.org:ri-62619
DiVA, id: diva2:1729316
Note
This work was supported in part by the Swedish Foundation for Strategic Research (SSF) Secure Software for the Internet of Things (aSSIsT) Project, in part by the Horizon 2020 (H2020) Cyber security cOmpeteNCe fOr Research anD InnovAtion (CONCORDIA) Project under Grant 830927, and in part by the Cybersecurity Knowledge Platform at Research Institutes of Sweden (RISE).
2023-01-20 / 2023-01-20 / 2024-05-24. Bibliographically approved.