In this repository, you will find resources to assist you with IoT cybersecurity compliance, primarily focusing on compliance with the EU RED Delegated Act (DA) and its harmonized standards, EN 18031 (hEN 18031). These resources are designed to support manufacturers of connected products in various compliance activities, including the creation of Technical Documentation and conformance assessments.
Zealience is a German company pioneering the software solution Z-CMS, which automates the generation of technical documentation and test plans for EN 18031. Our customers worldwide have successfully used it to demonstrate compliance with the RED DA. If you're interested in learning more about our software, please reach out for a demo! Visit us at zealience.com.
- Available Contents
- You Can Now Ask Questions
- Open-Source Script to Automate GEC-1 Documentation
- Further Resources
- A Little Bit About the Author
In this repository, you will find the following contents:
EN18031-CheatSheets
- Cheat sheets to help you identify the applicable requirements of EN 18031-1, -2 and -3 for each asset type (security, network, privacy and financial)
EN18031-Resources
- Complementary documents to assist you in utilizing and completing the Technical Documentation template available in EN18031-Templates
EN18031-Templates
- Templates for EN 18031-1, -2 and -3 Technical Documentation
EN18031-TestPlan
- Templates for EN 18031-1 and -2 Test Plans, which will aid you in your assessment and testing procedures
Would you like an EN 18031 expert, Dr. Guillaume Dupont, to answer your specific questions? If you have inquiries about this repository, EN 18031, RED DA, or CRA, you can head to the "Discussions" section at the top of this repository. He will do his best to respond to your questions in a timely manner.
"Discussions" is a community space where anyone on GitHub can ask and answer questions and share ideas. Feel free to use it as you wish, as long as your contributions are polite and beneficial for everyone. If you can answer other people's questions, that will be amazing too! Thank you in advance for being a part of the community.
GEC-1 mandates comprehensive documentation of software and hardware components and their associated vulnerabilities. For each software component and vulnerability, manufacturers must document the GEC-1 Decision Tree paths, results and justifications. Since it is common for an IoT device to have more than 2000 vulnerabilities, it is imperative to automate the documentation work. This is why we developed and open-sourced our script, en18031-vulnerability-documentation.
We are planning to continuously add more documentation on our website to assist you with your self-assessment procedures related to EN 18031. To start, we currently offer the following resources that you may find useful:
- [NEW!] EN 18031 & RED Cybersecurity Ultimate Guide for IoT Manufacturers
- https://medium.zealience.com/en-18031-red-cybersecurity-ultimate-guide-for-iot-manufacturers-bc57daad0be4
- This is the most comprehensive article you can find online about what the RED DA and EN 18031 are and how to apply them
- GEC-1: Everything You Need to Know to Ace It
- https://zealience.com/resource-hub/gec-1-everything-you-need-to-know
- This article provides actionable strategies to meet GEC-1
- What Are Network Assets?
- https://zealience.com/resource-hub/what-are-network-assets
- This article helps you identify network assets in your device
- What Are Security Assets?
- https://zealience.com/resource-hub/what-are-security-assets
- This article helps you identify security assets in your device
- What Are Privacy Assets?
- https://zealience.com/resource-hub/what-are-privacy-assets
- This article helps you identify privacy assets in your device
- What Are External Interfaces?
- https://zealience.com/resource-hub/what-are-external-interfaces
- This article explains what external interfaces are and helps you identify them in your device
Dr. Guillaume Dupont is a co-founder of Zealience. He holds a PhD in IoT cybersecurity. As a former Senior Security Expert at UL Solutions, he helped IoT manufacturers prepare for the RED DA by performing evaluations against product security standards such as ETSI EN 303 645 and IEC 62443-4-2. He has contributed to the drafting of EN 18031 and also trained a Notified Body for RED DA assessments. He previously worked at Forescout on automotive security and developed intrusion detection systems for in-vehicle networks. He is also a seasoned IoT vulnerability researcher and disclosed CVEs found in medical devices to Siemens Healthineers. His research on IoT security led him to obtain a US patent: he invented a novel approach to enhance the accuracy of IoT device classification leveraging machine learning algorithms (US20220353153).
