6471 - OCP and SESIP - Envisioning A Scalable Security Framework To Streamline CRA Compliance For Data Centres.pdf

1、OCP&SESIP:Envisioning A Scalable Security Framework to Streamline CRA Compliance for Data CenterJeremy ODonoghue,Security Architect at Qualcomm,GlobalPlatform Attack Experts WG Chair,CENELEC CLC/TC47X delegateChristian Walter,Managing Director Firmware,9elementsCyber Security&Data ProtectionProducts

2、 with digital elements:Executable binary code or hardware with binary code execution capabilityCRA ScopeOCP S.A.F.E.CRA OverviewDefault CategoryImportant Product“Class 1”Important Product“Class 2”Critical ProductCategoryIndustrial PLCSmartphoneEV ChargersRouters,modems intended for connection to the

3、 Internet(incl.switches)Smart home virtual assistantsInternet connected toysSmart lockWearablesPhysical and virtual network interfacesOperating SystemsHypervisors and container runtime systemsFirewalls,intrusion detection and/or prevention systemsTamper-resistant MCUs/MPUsSmart meter gatewaysSmartca

4、rds and similar devices(including Secure Elements)Hardware devices with security boxesExamplesSelf-assessmentHarmonised standards(ensuring CRA principles are met)3rd Party product assessment(product and/or process)Common Criteria certification(by default)ConformanceComposition on CRACRA is,to a larg

5、e degree,an exercise in aggregation(composition)Obligations on Open-Source under the CRACollaborationUpdatesSecurity PoliciesDocument Lifecycle&Vuln.Transparency of componentsLower Compliance CostsBenefit from other CRA compliance evaluation Lower costs for CRA complianceTransparency&AuditabilitySim

6、plifying vuln.assessment and security auditing Enables easier demonstration of complianceFaster Vulnerability ResponseCommunity-driven EuCRAs strict vulnerability-management requirementsBenefits using Open-SourceAvoid Vendor Lock-InReduce dependencies and easier switching between multiple service pr