Cybersecurity services for software and embedded products

With the introduction and continuous expansion of the Internet of Things (IoT), the world becomes more and more connected. The combination of “smart” devices, mobile or web applications used to interact with them and cloud services allowing them to connect with each other lead to the development of overlapped IoT ecosystems.

Moreover, as the IoT has long ago passed the barriers of consumer products, organizations are making use of such products and solutions, making them an integral part of the ecosystem. In the ecosystem of IoT, manufacturers of products hold one of the most important roles: they are ultimately the ones that decide which features will be included in their products.

Historically, the world of IoT has been driven by functionality in the past years. The products with the most and more revolutionary features got an edge over their competition. Recently, the aspect of cybersecurity in IoT has become a topic that cannot be ignored. Moreover, we are at the point when cybersecurity issues associated with these products are not theoretical anymore and can very likely happen with the products that we use in our daily life. Scaling up this idea to the fact that what we call today IoT is not anymore linked fully to smart gadgets, but also includes vehicles, medical devices, industrial and telecommunication equipment, and more, gives the perspective of how critical a cybersecurity attack can prove to be.

Our services for your different products and systems

• Consumer Products
  
• Industrial Products
  
• Medical Devices
  
• Network Devices
  
• Vehicles and automotive components
  
• Common Criteria and EU CC
  
• BSPA certification
  
• Marine and Offshore
  

Support and Preparation

The road to product compliance (in line with a standard or regulation) starts with careful preparation. In some cases, for example for vehicles development, manufacturers need to focus strongly on how to meet all the applicable regulatory requirements from an early phase, to ensure that the vehicles can be afterwards placed on the market. The same applies to medical devices, which are also regulated from a security perspective. At the same time, Bureau Veritas Cybersecurity can support manufacturers with design reviews or recommendations to achieve compliance to a certain standard for products such as consumer IoT, network components or industrial products. Finally, preparation for an international certification program such as Common Criteria or IEC 62443 can be offered to interested manufacturers.

Compliance

One of the most effective ways to improve market recognition and demonstrate a good security posture is demonstrating the product's compliance with the relevant international standards. Bureau Veritas Cybersecurity can support testing and compliance services in line with multiple standards, applicable for specific types of products. IEC 62443 testing and compliance can considerably increase the market recognition for industrial products, while UL 2900 compliance is a strong start for medical devices. In the world of consumer products, standards such as ETSI EN 303 645 or IoT Security Foundation can be used as a very good baseline for testing. Finally, the ISO 21434 standard for automotive cybersecurity management systems is a highly recognized standard that vehicle and components manufacturers can seek compliance with.

Certification

Official certification is ultimately the most important recognition that a product can achieve. It means that the product's security is backed not only by a test report but by an accredited organization or government that has reviewed and approved the results of the test report. There are multiple certification programs that Bureau Veritas Cybersecurity can support manufacturers with, depending on the type of product. Common Criteria is the most internationally recognized security certification scheme, allowing international product recognition and easier access to local governments or large-scale asset owners. Locally in the Netherlands, Bureau Veritas Cybersecurity is one of the few labs that can support the BSPA evaluation, which is seen as a light version of Common Criteria. Bureau Veritas Cybersecurity can support vehicle manufacturers in the process of obtaining an official type approval based on the UNECE regulations on Cybersecurity (R155) and Software Updates (R156). Finally, industrial systems and components can obtain their certification based on the IECEE scheme (based on IEC 62443), while consumer IoT products can be certified based on ETSI EN 303 645.