2022-08-30 Testing + Certification

Information Security/Cyber Security – Testing and Certification at the VDE Institute

Information is highly valuable for companies, authorities and private persons and must therefore be reasonably protected. Handling this information in a trustworthy manner and protecting it are the fundamental goals of information security. The VDE Institute helps you achieve these goals.

Contact
Alexander Matheus

Information security, IT security or cyber security?


Personal and sensitive data can be stored on paper, on computers or even in people's minds. Information security primarily deals with protecting and processing electronically stored information. Information security also describes the state in which the confidentiality, integrity and availability of information and information technology are protected by appropriate measures.

The term information security is more comprehensive than IT security and is therefore used increasingly often. However, the term “IT security” (IT-Sicherheit) continues to be used in some publications such as “IT Baseline Protection” (IT-Grundschutz). Nevertheless, publications and standardization are increasingly oriented towards examining information security. Cyber security, cybersecurity, IT safety and information security are all terms in frequent use, particularly among companies that operate internationally.

Protecting against cyber attacks with VDE certification

The expansion of digitization and the accompanying progress of intelligent networking, both in the home and in industry, have brought an increased risk of data theft and manipulation. Many cases show how easy it is for attackers to penetrate smart home and management systems.

Our tests for information security (including cyber security) are based on the following regulations and standards:

  1. VDE PB-0004 and -0005
  2. IEC 62443-4-1 and -4-2
  3. ETSI EN 303 645

The BSI Common Criteria security standard and the BSI IT Baseline Protection (IT-Grundschutz) serve as the foundation for our VDE testing regulation. These standards were adapted to the requirements of smart home solutions and extended with data protection aspects. As such, the tests can be used for the entire smart home field, e.g. for energy, comfort, multimedia, security or AAL.

The testing of information security is divided into the following areas:

  • Testing the devices (communication devices and gateways)
  • Testing the backend and cloud systems
  • Testing the apps for smartphones and tablets
  • Security software systems (for a secure electronic identity for authentication purposes)

During these processes, the cyber security goals for the product, the system design and the implementation undergo testing. User documentation and the technical aspects of privacy are also part of the testing.

Security goals include the following:

  • Protecting communication from eavesdropping and manipulation
  • Protecting the systems from
    - unauthorized infiltration,
    - unauthorized use and manipulation,
    - and data loss
  • Protecting personal data
  • Protected security updates for the system

We protect your smart home products from cyber attacks by using ultra-modern technology


The information security test

1. Confirmation of the basic implementation of an IT security concept.
2. Confirmation of the effective implementation of IT security.
3. Confirmation of the completeness of IT security documentation.

Testing data protection

1. Identifying the importance of data protection
2. Testing data protection in accordance with European guidelines (GDPR, General Data Protection Regulation)


Cyber security for devices with radio interfaces

According to Delegated Regulation (EU) 2022/30 and Amendment (EU) 2023/2444, the requirements for radio equipment covered by the Radio Equipment Directive 2014/53/EU will be extended to include the areas of "network protection", "personal data protection" and "fraud protection" from August 1, 2025. Prepare your products now – the VDE Institute will assist you.

The Delegated Regulation, which was published by the European Commission on January 12, 2022, supplements the Radio Equipment Directive. It specifies which radio equipment (equipment with a radio interface) must meet the essential requirements of Article 3(3)(d), (e) and (f) of the Radio Equipment Directive.

The essential requirement as per Article 3(3)(d) of the RED, "Radio equipment shall not have a harmful effect on the network or its operation, nor shall it cause an abusive use of network resources, which would cause an unacceptable degradation of the service.", applies, according to the Delegated Regulation, to all equipment "capable of communicating over the internet, either by means of direct communication or through other equipment ('radio equipment connected to the internet')" (Article 1.1, DR (EU) 2022/30).

The essential requirement as per Article 3(3)(e) of the RED, "Radio equipment shall have security devices to ensure that personal data and the privacy of the user and the subscriber are protected.", applies to all equipment that can process personal data, traffic data or location data (Article 1.2, DR (EU) 2022/30), but only if the radio equipment is connected to the internet, is used for childcare (e.g. baby monitors), is a toy as per Directive 2009/48/EU (Toys Directive), or is worn on the body or clothing ("wearables").

The essential requirement as per Article 3(3)(f) of the RED, "Radio equipment supports certain functions to protect against fraud.", applies to any radio device connected to the internet that "enables the owner or user to transfer money, monetary value or virtual currencies [...]" (Article 1.3, DR (EU) 2022/30).

There is no exhaustive list of all affected devices. However, the experts of the VDE Institute will be happy to support you in analyzing whether your product falls under the requirements of the Radio Equipment Directive according to the new Delegated Regulation.

The essential requirements of Article 3(3)(d), (e) and (f) of the Radio Equipment Directive are made mandatory by the Delegated Regulation within the meaning of the New Legislative Framework. Harmonized standards have not yet been published for the new essential requirements; however, a mandate to the standardization organizations is to be issued shortly. The experts at the VDE Institute are nevertheless prepared. In coordination with the RED Notified Body at the VDE, internal test requirements have been drawn up that already cover the requirements of the Delegated Regulation. An important basis is the ETSI EN 303 645 standard together with its test specification ETSI TS 103 701, which has already been applied successfully at the VDE for many devices.

If you as a manufacturer wish to declare conformity with Article 3(3)(d), (e) and (f) for your radio equipment, involving a Notified Body is mandatory until references to applicable harmonized standards are published in the Official Journal of the EU (2014/53/EU, Article 17(4)). The VDE Institute is at your disposal and can issue you an EU-Type Examination Certificate (EU-TEC).

The new regulation has been in force since February 1, 2022, and applies mandatorily from August 1, 2025. For manufacturers, now is the time to address the new requirements, because from August 1, 2025, only products that meet the new essential requirements set out in Article 3(3)(d), (e) and (f) may be placed on the European market.
The VDE Institute will be happy to help you achieve conformity with these new radio equipment requirements. 

Functional safety for the connected home

Are there further hazards due to the system’s additional communication capabilities?

Functional safety according to DIN EN 61508-4:2011 and functional safety in product standards (e.g. for household appliances) address this question. We also help you with this challenge in order to complete the security examination. Learn more about our services in functional safety.

What separates functional safety from information security?


Functional safety uses automated technology to ensure that no device or system poses a hazard to people or the environment. This type of safety is, so to speak, oriented “from the device outward”.

Information security deals with fending off hazards that affect the system from the outside. It relates to matters such as malware or unauthorized system access. In both cases, system functionality may be affected: the system may stop working or behave incorrectly.

This is where the two topics meet: if, for instance, the examined system is a safety-related control system or a field device in safety equipment, then anything that affects its functionality simultaneously affects its (functional) safety.

Protect your smart factory with VDE certification

In office IT and operational technology (OT), we test the interfaces between machines, management and office systems, and to the internet. It is irrelevant whether the network is operated only inside a factory or whether external communication partners such as branch offices are connected to it over the internet. Testing also includes assessing the risk analysis for information security as per IEC 62443. After a successful test, the network operator receives the VDE Certificate for information security.

The tested network is classified on a four-level scale. Following IEC 62443, this scale characterizes the type of attacker (means, resources, skills and motivation) that the network is expected to withstand; the levels are called security levels (SL).

  • Security Level 1: Protection against undesired, casual violation.
  • Security Level 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation.
  • Security Level 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation.
  • Security Level 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation.

We offer the following VDE certificates in information security, among others:
