Dekra is a global company that already has a century of history behind it: it was founded in 1925 in Berlin and offers inspection, certification and consulting services, as well as various kinds of testing. It is active in sectors such as automotive, energy, industry and transport and, among other things, is the world's leading vehicle technical inspection (ITV) company. It also offers specialized training in sectors such as electric vehicles.
Given the importance of security for the sectors the company works with, Dekra's experts keep in mind the need to take extreme precautions to protect not only companies' data and digital systems, but also their industrial equipment and the technology systems they have connected to the Internet. To go deeper into all these issues we spoke with Antonio David Vizcaíno Gómez, Cybersecurity Technical Sales at Dekra.
(MCPRO) Nowadays all kinds of devices are connected to the Internet: not only computers and smartphones, but also heavy machinery, appliances and even vehicles. How important is it to take care of their cybersecurity? What would the consequences of not doing so be?
(Antonio David Vizcaíno Gómez) There are several factors to take into account. There are more and more connected devices, so the probability that a critical vulnerability appears increases. On the other hand, we must consider the impact of cybersecurity on the safety of people, mainly, and on other devices and systems.
The examples mentioned, heavy machinery and cars, are good illustrations of this, since a cybersecurity failure could affect people's physical safety. Finally, in many cases these are devices that are not easily accessible, or that do not receive frequent security updates, so any security failure can be persistent or hard to rectify.
That is why the introduction of new standards, certifications and security regulations, such as the requirements of the EU Machinery Directive or the new Cyber Resilience Act, is so important: they focus not only on product security, but also on how security is developed and maintained throughout its life cycle.
(MCPRO) How can companies that use all kinds of connected systems in their operations and processes protect their data?
(Antonio David Vizcaíno Gómez) In this case we are talking about the cybersecurity of organizations. The basic recommendation here would be to have IT and OT teams that apply best practices in risk management, incident response, data protection and backup, etc. Other recommended actions include periodic vulnerability analysis of network systems and components, incident response scenario simulations, staff training, etc.
Many of these measures are part of security certifications such as ISO 27001, TISAX, the National Security Scheme and other similar ones, which in many cases are mandatory for certain companies (such as the CAR for public sector companies in Spain), or are required within a certain sector (such as TISAX for automotive).
(MCPRO) The expansion of Big Data has led to the processing of large amounts of data in companies in all kinds of sectors. What precautions and measures should they take to protect their privacy and security?
(Antonio David Vizcaíno Gómez) The recommended security measures for Big Data begin with understanding what types of data we are processing and developing security controls associated with the risks, which can include: data encryption, both at rest and in transit; access and permissions management; compliance with regulations, such as the General Data Protection Regulation (GDPR) in the EU; monitoring and auditing, to quickly detect and respond to any suspicious activity or security breach; and employee education and awareness.
(MCPRO) What role do cybersecurity tests of products, processes and services play within the safety and connectivity tests that are carried out on them?
(Antonio David Vizcaíno Gómez) Cybersecurity tests are relatively new within the scope of testing products, processes and services, although they are gaining more and more importance for the reasons mentioned before: the proliferation of connected devices and the impact that a potential vulnerability has on them.
More and more manufacturers and developers include cybersecurity in their validation and compliance strategy, whether because of internal requirements or because a third party (a client, a sector or a regulation) imposes it. And in many cases cybersecurity, safety and connectivity tests complement each other, because of the cross impact between all these variables. In general, to guarantee the safety and connectivity of a product or service it is vital to evaluate its cybersecurity.
(MCPRO) What does it mean for a company to certify its processes, products and services in terms of cybersecurity? What does the use of devices already certified in this field imply for the protection of companies?
(Antonio David Vizcaíno Gómez) Here two dimensions have to be taken into account: certification as an organization and certification as a supplier, although in many cases they are linked. If the company develops products or services, an important part of the compliance requirements will be related to cybersecurity.
In this case, it is vital to determine the client's requirements (for example, having a security evaluation carried out by an external laboratory) and the national or regional regulations that may apply (for example, the cybersecurity requirements of the EU Radio Equipment Directive). Taking this into account, the company must develop the product or service in line with those requirements and then carry out the tests and, where appropriate, obtain the corresponding certificate.
Regarding certification at the organizational level, the use of already certified products, services and processes provides an additional confidence factor to guarantee the security of the supply chain. And to obtain certificates associated with requirements such as the NIS2 regulation in the EU and the National Security Scheme in Spain, the use of certified products and services goes beyond being advisable and becomes mandatory.
(MCPRO) What is, in broad strokes, the cybersecurity certification process for a product or service like? What stages and tests are carried out?
(Antonio David Vizcaíno Gómez) Although it depends a lot on the type of evaluation and certification we are talking about, some common elements can be identified. The first thing is to be clear about which requirements apply to the product or service and which test standards are needed. Sometimes a preliminary analysis may be necessary to identify possible deviations between the test requirements and the implementation made by the developer.
The second step is to determine whether a self-assessment is possible or advisable; otherwise you must contact a laboratory with the knowledge, experience and accreditations necessary for the task. Once the trials have started, there must be fluid communication between the developer and the laboratory so that any deviation found is resolved in the product as soon as possible. And once the tests are complete, the corresponding certificate or test report is provided.
As for the tests themselves, two large groups can basically be distinguished: functional security tests, in which it is verified that the product meets the corresponding requirements, and vulnerability analysis or penetration tests, in which the laboratory identifies potential vulnerabilities in the product and tries to exploit them.
Depending on the type of evaluation we are considering, we can have both types (for example, in Common Criteria) or only one of them (for example, for the ETSI EN 303 645 standard for Internet of Things products, functional tests are normally performed, with vulnerability analysis being optional). Finally, it is worth mentioning that certain advanced certifications, such as Common Criteria, include other types of evidence, such as documentation review, source code analysis, auditing of the product development site, etc.
(MCPRO) What is the certification process for connectivity and wireless technologies like? What types of devices is it carried out on?
(Antonio David Vizcaíno Gómez) Each wireless technology has its reference certification, which in turn makes use of different standards. For example, for cellular technologies such as 5G and LTE we have GCF certification, which mostly uses the standards developed by 3GPP and GSMA.
In general we have the following types of test: radio conformity, protocol conformity, interoperability, field tests and performance tests. GCF certification includes radio and protocol conformity, as well as field tests and (optionally) performance, while Wi-Fi certification consists essentially of interoperability tests.
Special cases are regulatory certifications, which are limited to radio tests, and certifications for mobile operators, which may include tests of all the types cited.
As for the necessary equipment, conformity and performance tests are usually carried out with laboratory test systems that set up certain scenarios to verify that the device behaves according to the specifications.
On the other hand, interoperability tests are performed with real equipment, whether cellular base stations, wireless access points or reference devices, normally in a laboratory environment. And finally, field tests are performed on real deployments, for example moving the device along a route to validate its behavior in different scenarios while connected to a cellular network.