Securing the IoT: SESIP or Common Criteria? That is not the question

Carlos Serratos of GlobalPlatform

Since the introduction of SESIP, there have been some recurrent questions, says Carlos Serratos, GlobalPlatform Security Task Force co-vice-chair. One of those revolves around the relationship with Common Criteria. That is because, in reality, SESIP fills a gap in the security evaluation space, coexisting side by side with Common Criteria in a harmonious, complementary way. While this is easy to say, it is worth exploring and addressing some of the misunderstandings along the way.

The origins of Common Criteria

Before the SESIP methodology was established, there was the standard ISO/IEC 15408, which is often referred to as Common Criteria or ‘CC’. It is the most recognised and mature standard for qualifying the risk introduced by IT equipment.

First established as a methodology for the IT procurement of public entities, Common Criteria has become a reference in the industry, one which has been used in the public and private sectors and addresses a large list of IT product types. However, the strength of Common Criteria, in terms of being a generic evaluation programme, has become something of a ‘liability’ in the IoT domain. That is because, while time-to-market and cost sensitivity are the key drivers for IoT products, Common Criteria lives in the opposite corner of the chart (see Figure 1 below).

Figure 1. The relative position of Common Criteria (CC) versus the market needs of the IoT domain

The origins of SESIP

It is here where SESIP comes into the picture and offers a viable alternative. Addressing the IoT market with a methodology optimised for IoT components and platforms, SESIP takes best practices and lessons learned from the Common Criteria experience.

And so, here lies the first difference, but also the complementary nature of the two standards: while Common Criteria can also be used for IoT platforms, since it is made for all kinds of IT equipment, it results in evaluations whose cost and effort are unaligned with IoT market expectations. SESIP, meanwhile, addresses this by applying best practices from Common Criteria, and from security evaluation in general, in a manner custom-built for IoT.

Common Criteria approaches composition from a general-purpose methodology perspective. This adds a level of complexity, a problem inherent to any ‘general’ solution in a world with a variety of scenarios. In comparison, SESIP focuses solely on IoT components and platforms.

What the audience requires from Common Criteria and SESIP

For historical reasons, Common Criteria addresses evaluators and certifiers as its prime audience. It is oriented to a very specialised audience with specific skills and knowledge (especially as Common Criteria is not easy to read), and its objective does not address the needs of developers. After all, the standard was created as an audit tool for the procurement of IT equipment.

In that regard, SESIP instead looks to address the developer’s needs. It aims for simplicity, clear understanding and transparency, and is designed to be understood by a non-specialised audience. For example, there might be a developer of a TLS stack looking to use an RTOS from another developer, who in turn is using a crypto library from yet another developer, which relies on the random number generator of a chip. Although each of these professionals has a different requirement, all of them will be using SESIP.

For that reason, the SESIP methodology requirements for the documentation, presentation of the evaluation results, and all related evaluation information are accessible, readable, and understandable by an audience made up of developers rather than evaluation and certification specialists, as is the case of Common Criteria.

Ultimately, SESIP is a tool for developers to select the right platforms and components to apply state-of-the-art technology according to their use cases, as we explored in a previous blog. The methodology looks to solve a problem beyond security functionality and visibility: fragmentation, as there are hundreds of standards, policies and regulations worldwide for the IoT.

SESIP certificates for components and platforms serve as evidence of conformance for device security functionality, and that evidence can be mapped onto the requirements of the consumer (EN 303 645, NIST 8259a, NIST 8425), industrial (IEC 62443-4-2), medtech (DTSeC) and automotive (ISO 21434) markets.

The overall differences at-a-glance

Common Criteria | SESIP
--- | ---
Any kind of IT products and domains | Specific to IoT components and platforms
Long and costly evaluations | Quick and cheaper compared to CC
Additional complexity due to its generic nature | Optimised performance due to its specific use
Target audience: evaluators, certifiers and auditors | Target audience: IoT platform and product developers
Formalities first, usability next | Usability first, formalities next
Demonstrates the security capabilities of the product | Provides evidence of the security capabilities for reusability
Addresses the proof-of-security-capabilities problem by formal evaluations | Addresses the issue of IoT requirements fragmentation by means of evidence from components

In summary, a SESIP evaluation is never the end of the road; it is often the start of the security journey. Each of the Common Criteria and SESIP standards is particularly good at something, and one will be the stronger option over the other for a particular application and domain. In truth, that is a great place to be for security and standards because, by having similar origins, they are complementary in nature.

The author is Carlos Serratos, co-vice-chair at GlobalPlatform Security Task Force.
