Market Surveillance: how can we know that the delivered product is the certified one? (G21d)
Many security certification schemes exist and are a useful tool to check compliance or conformity to certain security criteria, ideally nailed down in standards. However, the processes involved usually require the manufacturer to behave honestly, i.e. that the evidence delivered during the evaluation process relates to the product as finally released and delivered to the market in the certified configuration.
In traditional markets where security evaluations have been of interest up to now, this worked well to some extent because the number of players was limited and trusted, and the ecosystems where it was relevant were small or closed (e.g. EMVCo). With the rise of the IoT this is no longer the case, as there are thousands of players involved in the supply chain across the whole world who don't know each other. It can easily happen that the one assembling the final product does not really know which semiconductor chip is embedded in one of the subsystems. Therefore, as is done in other domains such as electrical conformity, food or medicine, market surveillance becomes a crucial instrument, i.e. checking products during supply and in the field to be sure that they are consistent with the specimen that was analyzed during the evaluation and certification process.
While in, e.g., the food industry this is comparably easy, it is a huge challenge for (but not limited to) the IoT with respect to cyber security. This talk introduces – or better said – creates some awareness of market surveillance, as it must not be underestimated and should be well understood before regulations and legislation for cyber security are put in place around the globe. Certification alone is not sufficient!