Cybersecurity Management Throughout the IoT Systems Lifecycle – The CERTIFY Approach
Nardone, Roberto; Cilardo, Alessandro
2025-01-01
Abstract
Cyber-attacks get more sophisticated every day, potentially affecting a large number of Internet of Things (IoT)-based infrastructures and raising security and privacy concerns in consumer and business products. The EU Cybersecurity Act (CSA) first, and the Cyber Resilience Act (CRA) more recently, have established the pivotal role of cybersecurity management encompassing the full lifecycle of products and services, together with a continuous certification process. CERTIFY defines a methodological, technological, and organizational approach to IoT security lifecycle management. To ensure security compliance throughout the device lifetime, CERTIFY designs and implements a cybersecurity lifecycle management framework for IoT devices. The framework is intended to support device security management by collecting and sharing relevant security information both internally (via monitoring and attestation services) and externally, e.g., by interacting with device manufacturers, threat databases, certification authorities, Information Sharing and Analysis Centers (ISACs), and more. The received information is meant to support local decision making with respect to the security monitoring, updating, and configuration of the device. Moreover, this information sharing will enable continuous risk assessment, gathering evidence that could streamline future recertifications. CERTIFY provides IoT stakeholders with mechanisms that achieve a high level of security to detect and respond to a wide spectrum of attacks, in a collaborative and decentralized fashion. CERTIFY will validate the architecture through cutting-edge use cases and pave the way towards innovative security in a broad spectrum of IoT environments.