GlobalPlatform - Experts & Thought Leaders

Latest GlobalPlatform news & announcements

GlobalPlatform unveils initiatives to scale support for SESIP IoT security evaluation standard

In response to the growing uptake of GlobalPlatform’s Security Evaluation Standard for IoT Platforms (SESIP) methodology, the organisation has introduced several initiatives to further accelerate adoption. These include the launch of new certification stamps, an expanded number of labs and certification bodies (CBs), new partnerships and the creation of an adopter program. Together, these raise the bar for IoT security by enabling the adoption of the methodology across new sectors, use cases and markets.

Relevant security requirements

“We are at an inflection point in SESIP adoption,” commented Gil Bernabeu, CTO of GlobalPlatform. “SESIP is getting recognised for eliminating the complexity and fragmentation surrounding security evaluation, making IoT device security economically viable for the entire value chain. It helps the market identify and align relevant security requirements, implement appropriate security in devices, and demonstrate compliancy across markets, while minimising costs, effort, and time-to-market. The recent ratification of SESIP as a European Standard (EN 17927) serves as both a vote of confidence and a trigger for further adoption.”

A rapidly growing ecosystem

SESIP has rapidly become an internationally recognised standard for security evaluation, supported by a large community of security providers, industry bodies, security laboratories, and other stakeholders. The longstanding certification body TrustCB has already issued 47 SESIP certificates to companies including NXP Semiconductors, STMicroelectronics and Winbond Electronics Corporation. These products were evaluated by a growing group of GlobalPlatform licenced security laboratories. Currently, these labs are Applus+, Riscure, SERMA, SGS Brightsight, and Thales ITSEF, with more expected to join this list in the coming year. Two additional certification bodies are currently working to become GlobalPlatform SESIP CBs to bring even more capacity and reach to the ecosystem.

SESIP-certified software

Importantly, the methodology is also already used or referenced by bodies including the Car Connectivity Consortium (CCC), ETSI, FiRa Consortium, National Institute of Standards & Technology (NIST), PSA Certified and Wireless Power Consortium. This adoption firstly demonstrates the value of the methodology in strengthening IoT security across diverse vertical markets and use cases. It also helps device manufacturers using these technologies to compose their final device based on SESIP-certified software or hardware components, while quickly and easily ensuring compliance with relevant regulations.

Collaborating to expedite adoption

The GlobalPlatform community is responsible for maintaining the methodology, enforcing a governance model with an associated quality brand between CBs, product vendors and laboratories. To support and expedite growth, GlobalPlatform has delivered several important initiatives and resources:

SESIP Committee & Working Groups – A dedicated Committee and Working Groups have been established to drive GlobalPlatform’s strategy for SESIP ecosystem development, initiate new technical projects, facilitate adoption efforts, and oversee governance. A primary focus is to engage with regulators and the security evaluation ecosystem to identify requirements and demonstrate SESIP’s applicability for different regions and vertical markets.

New SESIP Product, Lab and Certification Body Marks – A suite of branded logos has been made available for certified products, and accredited laboratories and certification bodies, to promote and bring trust to their offerings.

SESIP Profiles and Mappings – GlobalPlatform develops and maintains a growing suite of SESIP Profiles and Mapping documents to facilitate the adoption and use of the methodology. SESIP Profiles are used in the security evaluation of a component or device, while SESIP Mappings bridge the security requirements defined in the methodology with those of global cybersecurity regulations.

SESIP Adopters Community – As the methodology is now being used by a diverse range of stakeholders, GlobalPlatform has created the ‘SESIP Adopters’ community. This program informs non-members about the latest GlobalPlatform SESIP developments, provides access to relevant technical documents, and allows them to showcase their certified products and/or support for SESIP.

Development of SESIP

“SESIP leverages the expertise of the GlobalPlatform ecosystem to incorporate better cybersecurity in IoT devices, at the right cost and aligned with market regulation,” added Bernabeu. “By giving stakeholders a single point of reference for IoT cybersecurity, regardless of their security expertise, we can collectively raise the bar for security. But we need to reach beyond this GlobalPlatform community. These programs, partnerships and resources will extend our ecosystem, enabling anyone to join us in driving the development of SESIP for the benefit of the growing IoT industry.”

Adoption of GlobalPlatform’s IoT security evaluation standard grows with European recognition

GlobalPlatform’s Security Evaluation Standard for IoT Platforms (SESIP) methodology has been adopted as the basis for a European Standard (EN) by the European Committee for Standardisation, CEN and CENELEC. The standard is working to help the IoT ecosystem address regulatory fragmentation and better understand, deploy and explain security.

“This is all about raising the bar for IoT security,” comments Eve Atallah, GlobalPlatform SESIP Sub-Task Force Chair. “Security in IoT is a problem as a myriad of national and regional regulations have emerged in recent years. We are asking device makers and non-security experts to firstly identify relevant security requirements, implement technology to address them and then demonstrate the security features of their products. This is complex, costly and unsustainable.”

Value for all IoT stakeholders

The World Economic Forum (WEF) reported in 2022 that cybersecurity threats have increased by over 358% in recent years, outpacing societies' ability to effectively prevent or respond to them. A year on, the challenge persists, with WEF noting cybersecurity as a constant concern and listing it as a top 10 global risk for 2023.

The SESIP methodology provides a standardised approach for evaluating IoT security implementations, tailored to the unique requirements and challenges of the evolving ecosystem. The methodology has analysed and mapped regulatory and industry requirements from pioneering organisations such as ENISA, ETSI, IEC and NIST. The IoT community therefore has a single, accessible reference point for assessing IoT cybersecurity in line with these and other requirements, reducing fragmentation, complexity and cost in security certification processes for stakeholders.

SESIP methodology

Additionally, the SESIP methodology supports the composition and reuse of certificates. This enables previously certified components to be used to build a device with in-built security assurances, without having to repeat a complete evaluation of the same component in each and every targeted market. This drives greater efficiency, security, innovation, and cost savings across the certification process.

Importantly, both national and private certification bodies are creating and managing certification schemes based on the SESIP methodology. One recent example is Taiwan, where the methodology is being assessed by the Institute for Information & Industry.

A rapidly growing ecosystem

SESIP has rapidly grown into an internationally recognised standard for security evaluation, supported by a large community of security providers, industry bodies, security laboratories and other stakeholders. The GlobalPlatform community is responsible for maintaining the methodology, enforcing a governance model with an associated quality brand between CBs, product vendors and laboratories.

The longstanding certification body (CB) TrustCB has already licenced 10 laboratories and certified 28+ products from industry-pioneering companies including Amazon Web Services, Microchip Technology, STMicroelectronics, NXP Semiconductors, Renesas, Secure Thingz, Silicon Labs, Trusted Objects and Winbond Electronics Corporation. Most recently, SGS Brightsight CB has joined the programme to become a GlobalPlatform SESIP CB. The methodology is also already recognised and referenced by bodies including PSA Certified, the National Institute of Standards & Technology (NIST) and Car Connectivity Consortium (CCC).

Standardisation, evaluation and certification

Simplifying & strengthening IoT security through standardisation

“SESIP is a result of the expertise of the GlobalPlatform community and its work to drive more cybersecurity into IoT devices without adding complexity,” adds Gil Bernabeu, GlobalPlatform CTO. “By giving stakeholders a single point of reference for IoT cybersecurity, regardless of their security expertise, we can collectively raise the bar for security. When everyone can understand, better decisions can be made faster. When better security decisions are made, confidence both within the industry and among end users grows. We believe in a digital society, but that goal is only achievable if we have trust in digital devices and services. Standardisation, evaluation and certification are fundamental to this trust.”

More than 200,000 experts from industry, associations, public administrations, academia, and societal organisations are involved in the CEN and CENELEC network, which reaches over 600 million people in 34 countries. The development of a European Standard is based on the so-called National Delegation Principle and is governed by the principles of consensus, openness, transparency, national commitment and technical coherence.

Author's quote

“CEN and CENELEC, as two of the officially recognised European Standardisation Organisations (ESOs), have a strong commitment to making the digital transition in Europe a reality, working together with all relevant stakeholders to ensure that new technologies are safe, trustworthy and beneficial for all,” comments Cinzia Missiroli, Director, Standardisation and Digital Solution. “In this context, our collaboration with GlobalPlatform is key. The work on the European standard based on their SESIP methodology is a good example of what can be achieved in working together for an inclusive and safe digital society for Europe.”

GlobalPlatform to participate in IoT security certification seminar featuring Amazon, Arm and Microsoft to take place in Barcelona

GlobalPlatform, the standard for secure digital devices and services, will host a Security Evaluation Standard for IoT Platforms (SESIP) methodology seminar in Barcelona on October 19. The full-day seminar explores how the methodology is positioned in the context of European regulations and offers an optimised approach for evaluating the security of connected products that meet the specific compliance, security, privacy, and scalability challenges of the evolving IoT ecosystem.

IoT reduces complexity and cost

“SESIP reduces complexity and cost from security certification processes for stakeholders throughout IoT, by mapping different schemes from industry-leading organisations such as ENISA, ETSI, IEC, and NIST,” comments Gil Bernabeu, GlobalPlatform Technical Director.

Gil Bernabeu adds, “In Barcelona, GlobalPlatform brings key players from these organisations, as well as individual companies that have benefitted from the methodology, to explore real-life implementations and showcase the business case of SESIP to the entire ecosystem.”

SESIP methodology

The SESIP methodology also allows for the ‘composition and reuse’ of certified components, so that they can be used to meet the requirements of multiple markets.

The seminar will be presented by keynote speakers from CEN/CENELEC, STMicroelectronics, and Winbond and involve live panel discussions and use cases, presented by speakers from Amazon, Arm/PSA Certified, ETSI, ECSO, Eurosmart, Microsoft, and many more. Sponsored by Winbond, STMicroelectronics, and SGS Brightsight, the seminar takes place at the Gran Hotel Havana. It will also be available virtually for those unable to travel. Register for the seminar.
