《EN 18031-3 2024原版完整文件.docx》由会员分享,可在线阅读,更多相关《EN 18031-3 2024原版完整文件.docx(181页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、EN 18031-3:2024 (E)EUROPEAN STANDARDEN 18031-397August 2024NORME EUROPEENNE EURoPAISCHE NORMICS 33.060.20English versionCommon security requirements for radio equipment - Part3: Internet connected radio equipment processing virtualmoney or monetary valueExigences de securite communes applicables aux
2、equipements Fadioelectriques - Partie 3 : EquipementsFadioelectriques connectes a Finternet qui traitent unemonnaie VirtuelIe ou de la valeur monetaireGemeinsame Sicherheitsanforderungen fur mit demInternet verbundene Funkanlagen, die fur dieDatenverarbeitung im Zusammenhang mit VirtuellenWahrungen
3、oder monetaren Werten eingesetztwerdenThis European Standard was approved by CEN on 1 August 2024.CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alter
4、ation. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.This European Standard exists in three official versions (English, French, German). A version in any other la
5、nguage made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.CEN and CENELEC members are the national standards bodies and national electrotechnical committees of A
6、ustria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Maltal Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Swed
7、en, Switzerland, Tiirkiye and United Kingdom.Ref. No. EN 18031-3:2024 ECEN-CENELEC Management Centre:Rue de la Science 23, B-1040 Brussels 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.ContentsPageEuropean
8、 foreword5Introduction61 Scope72 Normative references73 Terms and definitions74 Abbreviations125 Application of this document136 Requirements166.1 ACM Access control mechanism166.1.1 ACM-1 Applicability of access control mechanisms166.1.2 ACM-2 Appropriate access control mechanisms216.2 AUM Authenti
9、cation mechanism256.2.1 AUM-1 Applicability of authentication mechanisms256.2.2 AUM-2 Appropriate authentication mechanisms366.2.3 AUM-3 Authenticator validation426.2.4 AUM-4 Changing authenticators466.2.5 AUM-5 Password strength496.2.6 AUM-6 Brute force protection576.3 SUM Secure update mechanism61
10、6.3.1 SUM-1 Applicability of update mechanisms616.3.2 SUM-2 Secure updates646.3.3 SUM-3 Automated updates686.4 SSM Secure storage mechanism726.4.1 SSM-1 Applicability of secure storage mechanisms726.4.2 SSM-2 Appropriate integrity protection for secure storage mechanisms766.4.3 SSM-3 Appropriate con
11、fidentiality protection for secure storage mechanisms816.5 SCM Secure communication mechanism866.5.1 SCM-1 Applicability of secure communication mechanisms866.5.2 SCM-2 Appropriate integrity and authenticity protection for secure communicationmechanisms916.5.3 SCM-3 Appropriate confidentiality prote
12、ction for secure communicationmechanisms976.5.4 SCM-4 Appropriate replay protection for secure communication mechanisms. 1026.6 LGM Logging Mechanism1076.6.1 LGM-1 Applicability oflogging mechanisms1076.6.2 LGM-2 Persistent storage of log data1106.6.3 LGM-3 Minimum number of persistently stored even
13、ts1136.6.4 LGM-4 Time-related information of persistently stored dog data1166.7 CCK Confidential cryptographic keys1196.7.1 CCK-1 Appropriate CCKs1196.7.2 CCK-2 CCK generation mechanisms1236.7.3 CCK-3 Preventing static default values for preinstalled CCKs1276.8 GEC General equipment capabilities1316
14、.8.1 GEC-1 Up-to-date software and hardware with no publicly known exploitable vulnerabilities1316.8.2 GEC-2 Limit exposure of services via related network interfaces1356.8.3 GEC-3 Configuration of optional services and the related exposed network interfaces1396.8.4 GEC-4 Documentation of exposed ne
15、twork interfaces and exposed services via network interfaces1436.8.5 GEC-5 No unnecessary external interfaces1466.8.6 GEC-6 Input validation1486.8.7 GEC-71536.8.8 GEC-8 Equipment Integrity1536.9 CRY Cryptography1576.9.1 CRY-1 Best practice cryptography157Annex A (informative) Rationale162A.1 General
16、162A.2 Rationale162A.2.1 Family of standards162A.2.2 Security by design162A.2.3 Threat modelling and security risk assessment163A.2.4 Functional sufficiency assessment164A.2.5 Implementation categories164A.2.6 Assets165A.2.7 Mechanisms167A.2.8 Assessment criteria167A.2.8.1 Decision trees167A.2.8.2 T
17、echnical documentation168A.2.8.3 Security testing169A.2.9 Interfaces169A.2.9.1 Example: Laptop with a built-in keyboard170A.2.9.2 Example: Equipment with a USB-keyboard170A.2.9.3 Example: User interface over a network171A.2.9.4 Example: USB-printer171A.2.9.5 Example: Network printer172Annex B (infor
18、mative) Mapping with EN IEC 62443-4-2:20191738.1 General1738.2 Mapping173Annex C (informative) Mapping with ETSIEN 303 645 (Cyber Security for Consumer Internet ofThings: Baseline Requirements)176C.l General176C.2 Mapping176Annex D (informative) Mapping with Security Evaluation Standard for IoT Plat
19、forms (SESIP) 180D.l General180D.2 Mapping180Annex ZA (informative) Relationship between this European Standard and the Delegated Regulation (EU) 2022/30 supplementing Directive 2014/53/EU of the European Parliament and of the Council with regard to the application of the essential requirements refe
20、rred to in Article 3 ,points (d) (e) and (f), of that Directive aimed to be covered183184BibliographyEuropean forewordThis document (EN 18031-3:2024 has been prepared by Technical Committee CEN/CENELEC JTC 13 Cybersecurity and Data Protectionw, the secretariat of which is held by DIN.This European S
21、tandard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2025, and conflicting national standards shall be withdrawn at the latest by February 2025.Attention is drawn to the possibility that some of the elements
22、 of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.This document has been prepared under a standardization request addressed to CEN-CENELEC by the European Commission. The Standing Committee of the EFTA States subseq
23、uently approves these requests for its Member States.For the relationship with EU Legislation, see informative Annex ZA, which is an integral part of this document.Any feedback and questions on this document should be directed to the users, national standards body. A complete listing of these bodies
24、 can be found on the CEN website.According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany,
25、Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Tiirkiye and the United Kingdom.IntroductionVigilance is required from manufacturers to
26、 improve the overall resilience against cybersecurity threats caused by the increased connectivity of radio equipment 34 and the growing ability Ofmalicious threat actors to cause harm to users, organizations, and society.The security requirements presented in this baseline standard are developed to
27、 improve the ability of radio equipment to protect its security and financial assets against common cybersecurity threats and to mitigate publicly known exploitable vulnerabilities.It is important to note that to achieve the overall cybersecurity of radio equipment, defence in depth best practices w
28、ill be needed by both the manufacturer and user. In particular, no single measure will suffice to achieve the given objectives, indeed achieving even a single security objective will usually require a suite of mechanisms and measures. Throughout this document, the guidance material includes lists of
29、 examples. These examples given are only indicative possibilities, as there are other possibilities that are not listed, and even using the examples given will not be sufficient unless the mechanisms and measures chosen are implemented in a coordinated fashion.1 ScopeThis document specifies common s
30、ecurity requirements and related assessment criteria for internet connected radio equipment 35.That equipment enables the holder or user to transfer money, monetary value or virtual currency 35 (hereinafter referred to as equipment).2 Normative referencesThere are no normative references in this doc
31、ument.3 Terms and definitionsFor the purposes of this document, the following terms and definitions apply.ISO and IEC maintain terminology databases for use in standardization at the following addresses:- ISO Online browsing platform: available at https:/www.iso.org/obp/- IEC Electropedia: available
32、 at https:/www.electropedia.org/- ISO Online browsing platform: available at https:/www.iso.org/obp/3.1access control mechanismequipment functionality to grant, restrict or deny access to specific equipments resourcesNote 1 to entry: Access to specific equipments resources can amongst others be:- re
33、ading specific data; or- writing specific data to equipments persistent storage; or- performing a specific equipment functionality such as recording audio.3.2authenticationprovision of assurance that an entity is who or what it claims to beNote 1 to entry: An entity can amongst others claim to be:-
34、a specific human, owner of a user account, device, or service; or- a member of specific groups such as an authorized group to access a specific equipments resource; or- authorized by another entity to access a specific equipments resource.3.3authentication mechanismequipment functionality to verify
35、that an entity is who or what it claims to beNote 1 to entry: Typically, the verification is based on examining evidence from one or more elements of the categories:- knowledge; and- possession; and- inherence.3.4authenticatorsomething known or possessed, and controlled by an entity that is used for
36、 authenticationNote 1 to entry: Typically, it is a physical device or a password.EXAMPLE A password or token can be used as an authenticator.3.5assessment objectivestatement, provided as part of the assessment input, which defines the reasons for performing the assessmentSOURCE: ISO/IEC 33001:2015,
37、3.2.6 283.6best practicemeasures that have been shown to provide appropriate security for the corresponding use case3.7brute force attackattack on a cryptosystem that employs a trial-and-error search of a set of keys, passwords or other data3.8communication mechanismequipment functionality that allo
38、ws communication via a machine interface3.9confidential cryptographic keyconfidential security parameter, excluding passwords, which is used in the operation of a cryptographic algorithm or cryptographic protocol3.10confidential financial datafinancial data whose disclosure can lead to fraud3.11conf
39、idential financial function configurationfinancial function configuration whose disclosure can lead to fraud3.12confidential security parameterssecurity parameter whose disclosure can lead to fraud3.13denial of serviceprevention or interruption of authorized access to an equipment resource or the de
40、laying of the equipment operations and functionsSOURCE: IEC 62443-1-1:2019, 3.2.42 29 modified3.14 deviceproduct external to the equipment3.15entityuser, device, equipment or service3.16entropymeasure of the disorder, randomness Orvariability in a closed system3.17external interfaceinterface of an e
41、quipment that is accessible from outside the equipment3.18factory default statedefined state where the configuration settings and configuration of the equipment is set to initial valuesNote 1 to entry: A factory default state may include security updates, installed after the equipment being placed o
42、n the market.3.19financial assetsensitive financial data or confidential financial data or sensitive financial function configuration or confidential financial function configuration or financial functions3.20financial datadata that represents, provides information about, or is processed for transfe
43、rring money, monetary assets or virtual currencies 353.21financial functionequipments functionality that processes financial data3.22financial function configurationdata processed by the equipment that defines the behaviour of the equipments financial functions3.23hard-codedsoftware development prac
44、tice of embedding data directly into the source code of a program or other executable object3.24 initializationprocess that configures the network connectivity of the equipment for operationNote 1 to entry: Initialization can provide the possibility to configure authentication features for a user or
45、 for network access.3.25interfaceshared boundary across which entities exchange information3.26justificationdocumented information providing evidence that a claim is true under the assumption of common expertise.Note 1 to entry: Such evidence can be supported for example by:- a description of the eq
46、uipments intended equipment functionality,- a descriptions of equipments operational environment of use,- a description of equipments technical properties such as security measures- an analysis of relevant risks related to the operation of the equipment within its reasonably foreseeableuse and inten
47、ded equipment functionality.3.27log datarecord(s of certain events (of processes on a computing equipment3.28logging mechanismequipment functionality to log internal activities3.29machine interfaceexternal interface between the equipment and a service or device3.30network interfaceexternal interface enabling the equipment to have or provide access to a networkNote 1 to entry: Examples for network interfaces are a LAN port (wired) or a wireless network interface enabling WLAN or