
ISO/IEC 27071

ISO/IEC 27071:2023 — Cybersecurity — Security recommendations for establishing trusted connections between devices and services 

(first edition)

Abstract

ISO/IEC 27071 "provides a framework and recommendations for establishing trusted connections between devices and services based on hardware security modules. It includes recommendations for components such as: hardware security module, roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity. [ISO/IEC 27071] is applicable to scenarios that establish trusted connections between devices and services based on hardware security modules. [ISO/IEC 27071] does not address privacy concerns."

[Source: ISO/IEC 27071:2023]

Introduction

This standard concerns mutual authentication between distributed network devices (such as sensors and other IoT things) and [cloud-based] information services, using Public Key Infrastructure and physical Hardware Security Modules - complementing the virtual roots of trust described in ISO/IEC 27070.

Scope

The standard lays out a conceptual framework for establishing trusted connections between devices and services based on HSMs, with recommendations on roots of trust, identity, authentication and key establishment, remote attestation, data integrity and authenticity.

Structure

The standard is admirably succinct with just 30 pages and two main sections:

  • 5: Framework and components for establishing a trusted connection: this section lays out the concepts and architectures.

  • 6: Security recommendations for establishing a trusted connection: brief descriptions of the information and physical security controls recommended to ensure that device-service connections are sufficiently secure, trusted and trustworthy.

... plus three annexes briefly covering:

  • [deliberate] threats;

  • ‘solutions’ [non-aqueous]; and

  • an example [securely connecting a mobile device to an information service].

Status

The current first edition was published in 2023.

Commentary

Here is a fictitious scenario illustrating the need for mutual authentication. Imagine your electric car maintains detailed technical data about the places it has been driven to, the manner of driving, battery performance etc. You agree to share the data routinely with the vehicle manufacturer through a 4G or 5G connection to a car monitoring app, in return for a warranty extension, driving tips or advance warning of issues requiring a service visit. How does the manufacturer know the data uploaded by your car is, in fact, from your car, not from a cloned or modified vehicle? How does your car know that the car monitoring app is, in fact, the car monitoring app run by the manufacturer, not some naughty hacker intent on discovering your movements and habits for blackmail or kidnap, or another car manufacturer snooping on its competitor’s technology, or an agent for the insurance companies illicitly checking on your driving competence and hence risk profile?
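As an added illustration of the two questions just posed (not part of the standard or of this page's original text), the following Go program models the car-to-service handshake with a Public Key Infrastructure: the manufacturer runs a root CA that issues a certificate to each vehicle and to its monitoring service, and each side proves possession of its certified key by signing a fresh nonce chosen by the other. Software keys and a self-signed test root stand in for the HSM-held keys and the manufacturer's real PKI, and every name is constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity: private key plus certificate. On a real device the key is generated inside the HSM and never leaves it; here it is in memory so the example runs stand-alone.
type Identity struct {
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// Issue builds a constructed test certificate: a self-signed CA (the manufacturer root) when parent is nil, else a leaf signed by parent.
func Issue(name string, parent *Identity) *Identity {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: parent == nil, BasicConstraintsValid: true,
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &Identity{Key: key, Cert: cert}
}

// Prove answers a challenge by signing the peer's nonce; on the device this is the HSM signing call.
func Prove(id *Identity, nonce []byte) []byte { return ed25519.Sign(id.Key, nonce) }

// VerifyPeer is one direction of mutual authentication; each side runs it against the other. Step 1 rejects a
// certificate the manufacturer never issued (a look-alike service); step 2 rejects a clone that copied the certificate but not the HSM-held key.
func VerifyPeer(root, peerCert *x509.Certificate, nonce, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	if _, err := peerCert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false // step 1: certificate does not chain to the trusted manufacturer root
	}
	return ed25519.Verify(peerCert.PublicKey.(ed25519.PublicKey), nonce, sig) // step 2: possession of the certified key
}
```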

This page last updated: 2 November 2025

© 2025 IsecT Limited 
