The Security Evaluation Standard for IoT Platforms (SESIP) defines a standard for trustworthy assessment of the security of the IoT platforms, such that this can be re-used in fulfilling the requirements of various commercial product domains. TrustCB has used this standard to develop and operate the “TrustCB SESIP scheme”.
The security functionality provided by the platform is expressed using the catalog included. Commonly provided sets of functionality will be covered in SESIP profiles, such as Arm PSA L1 (Chip). Currently mappings for IEC 62443, Javacard, PP-0084, etc are also under development within TrustCB.
There are five Assurance Levels in SESIP, which in SESIP v1.3* onwards are labelled and defined as:
SESIP Assurance Level 1 (SESIP1) is a self-assessment-based level. There is no independent check by the evaluators the platform actually implements the SFRs.
SESIP Assurance Level 2 (SESIP2) is a black-box penetration testing level. This is the highest level that can be applied to a closed-source platform without cooperation by the developer.
SESIP Assurance Level 3 (SESIP3) is a traditional white-box vulnerability analysis. The evaluation is structured around a time-limited source code analysis combined with a time-limited penetration testing effort.
SESIP Assurance Level 4 (SESIP4) is also a traditional white-box vulnerability analysis, without the strict time-limitations imposed on SESIP3.
SESIP Assurance Level 5 (SESIP5) is the traditional full CC evaluation against an EAL4+ALC_DVS.2+AVA_VAN.5 level. This level is intended for re-use of SOG-IS certified platforms, allowing those platforms to utilise the mappings from SESIP to specific commercial product domains. There is no stand-alone SESIP5 evaluation possible under the current SESIP.
(* The assurance levels SESIP 1-SESIP5 were previously labelled SESIP1, 1+, 2, 2+ and 3 in SESIP v1.2 and ITP1-3 in SESIP v1.0. This definitive labelling of assurance levels as SESIP1-SESIP5 has been confirmed with all parties currently active within the SESIP community and will not change further! The decision to finally adopt SESIP1-SESIP5 was taken on the basis that they closely link to the AVA_VAN levels specified in the Common Criteria)
TrustCB is working with the following licensed lab for the SESIP scheme:
- Brightsight B.V. (Delft, The Netherlands and Barcelona, Spain)
TrustCB has awarded the following labs with Candidate status, reflecting that confidence in the lab’s technical competence to perform SESIP evaluations, while full Licensing is pending:
- Applus+ (Barcelona, Spain)
- Riscure B.V. (Delft, The Netherlands)
- SRC Security Research and Consulting GmbH (Bonn, Germany)
- UL VS Limited (Basingstoke, UK)
Further details of the licensed labs can be found under Labs
