Welcome to the Acumen Security Blog

Common Criteria and Internet of Things (Iot)


The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. A thing, in the Internet of Things, can be a person with a heart monitor implant, a farm animal with a biochip transponder, an automobile that has built-in sensors to alert the driver when tire pressure is low, a military drone — or any other natural or man-made object that can be assigned an IP address and provided with the ability to transfer data over a network.

The IoT world may be exciting, but there are serious technical challenges that need a lot of consideration before they can be deployed. If we think in terms of cybersecurity, a few things immediately jump out as concerns. First since they are deployed over a wider geographical area (in most cases), the increase in the cyberattack surface area substantially increases. We will be adding on average over 2000 IoT devices a second in another 10-15 years — many with little or no security built in. Each one of those IoT devices may be acting up as a potential bot on a botnet. The major concern about their deployment is that it is harder and more costly to protect, defend and maintain 100 doors than one door. Next think of how the data is transferred. Most of the communication in the Internet of things is based on either TCP or UDP which can easily be sniffed. Stop and think of the value of some of that data and the impact if it is stolen or captured during transmission.

If we think about the commercial solutions or private sector, there is a huge demand to incorporate these devices for communication and hence improve the overall infrastructure. On the other hand Defense Department has identified the “Internet of Things” as a key component for the military’s modernization strategy. But as one of the cyber security experts stated “the Pentagon is behind the curve due to security concerns and other impediments”. So what is in it for the vendors who are good at making these advanced devices (IOT) and want to sell them in the Defense sector or even in the private sector? Though everyone is interested in deploying these IoT devices, but it all stands still when we think about IoT and cyber security. Are they safe? Are they certified as per the best security practices?

An aggressive testing , good security practices and a flexible infrastructure methodology  is what these IoT devices are lacking and we sincerely believe that the common criteria certification can be answer to a lot of these concerns. We absolutely believe creating a new standard, as proposed here (http://industries.ul.com/software-and-security/product-security-services/product-testing-and-validation) isn’t the answer. We already have too many standards and one more will not help other than create more headache without any real value addition.

Vulnerability Analysis and Common Criteria

With the advent of collaborative Protection Profiles (e.g., the NDcPP), a greater emphasis has been given to the vulnerability analysis requirements required as part of a product evaluation. Vulnerability analysis is a subset of risk management that involves looking at the system elements and layout and their failure modes based on a given set of threats. The vulnerability assessment answers the basic question, what can go wrong should the system be exposed to threats and hazards of concern?
Acumen sincerely believes that vulnerability analysis is a critical part of the certification process and a step forwards towards making sure that the product is built as per the best security standards and practices. The process usually starts with initial reconnaissance (Identifying the system components e.g.: software versions running on the system, Discover open ports and access points, Fingerprint the operating system etc.) and hence moving towards finding vulnerabilities and finally to exploitation.
We interpret system configuration settings by first understanding the overall architecture of the system and the role the device holds within an infrastructure. Armed with this information, we can then analyze the device configuration against industry best practices and hardening techniques. Our manual analysis strives to identify exposure and breach-response capabilities by looking at logging and alerting abilities, compensating controls, system roles, and defense best practices.
The process is usually targeted towards the following objectives –
Implementation of existing minimum security baseline.
Does the system configuration adhere to industry standards and best practices?
Use of protocols known to be insecure.
Up to date releases and known vulnerabilities.
Does the device configuration match its specified role?
“Who, what, when, where, and why” regarding system access.
Finally towards the end of this phase, these vulnerabilities are classified as follows –
• Very High: This is a high profile vulnerability that provides a very attractive target for potential adversaries, and the level of deterrence and/or defense provided by the existing countermeasures is inadequate.
• High: This is also considered as high profile vulnerability with a crucial impact on the security of the products.
• Moderate: This is a moderate profile vulnerability that provides a potential target and/or the level of deterrence and/or defense provided by the existing countermeasures is marginally adequate.
• Low: This is not a high profile vulnerability and provides a possible target and/or the level of deterrence and/or defense provided by the existing countermeasures is adequate.

All the products evaluated against the NDcPP (and various other PPs) will need to go through this additional vulnerability analysis process ensuring much more level of confidence towards the security level of the products.