5 research outputs found

    Towards Cybersecurity Act: A Survey on IoT Evaluation Frameworks

    On the 7th of June 2019, the Cybersecurity Act was adopted by the European Union. Its objectives are twofold: the adoption of the permanent mandate of ENISA and the definition of a European cybersecurity certification framework, which is essential for strengthening the security of Europe's digital market. Delivered certificates according to this scheme will be mutually recognized among European countries. The regulation defines three certification levels with increasing requirements. Among them, the "basic level" which typically targets noncritical, consumer objects (e.g., smart-home or "gadget" IoT). Yet, various evaluation and certification schemes related to the IoT already exist prior to the adoption of the Cybersecurity Act. Thus, discussions are being carried on at the moment of redaction in order to either choose an existing scheme or to design a unified scheme based on existing ones. In this paper, we focus on the basic level, and assemble a survey on existing evaluation and certification schemes for consumer IoT and compare them based on various criteria. Then, we propose a unified evaluation scheme for the basic level driven by Bureau Veritas, based on existing schemes.

    HistoTrust: Attestation of a Data History based on off-the-shelf Secure Hardware Components

    Device- or user-centric system architectures allow everyone to manage their personal or confidential data. But how to provide the trust required between the stakeholders of a given ecosystem to work together, each preserving their interest and their business? HistoTrust introduces a solution to this problem. A system architecture separating the data belonging to each stakeholder and the cryptographic proofs (attestations) on their history is implemented. An Ethereum ledger is deployed to maintain the history of the attestations, thus guaranteeing their tamper-resistance, their timestamp and their order. The ledger allows these attestations to be shared between the stakeholders in order to create trust without revealing secret or critical data. In each IoT device, the root-of-trust secrets used to attest the data produced are protected at storage in a TPM ST33 and during execution within an ARM Cortex-A7 TrustZone. The designed solution is resilient, robust to software attacks and presents a high level of protection against side-channel attacks and fault injections. Furthermore, the real-time constraints of an embedded industrial application are respected. The integration of the security measures does not impact the performance in use.