As digitalisation progresses and networking increases, the attack surfaces for cyber criminals are growing. In recent years, the risks posed by malware have received comparatively high levels of attention, while the risks in the supply chain have tended to be underestimated. However, the security features of networked devices can be manipulated along the entire procurement and value chain: during the development of chips, during the manufacture and integration of components and during transport to the retailer or end user. Tampering with hardware and firmware is extremely difficult to detect, as integrated malfunctions and backdoors are often only activated after delivery and do not respond in test situations due to built-in "test bench modes". This is exacerbated by the ever-increasing complexity of processors and systems, which shifts the threat towards the design of these components.
Apart from data protection, there are hardly any binding and legally valid standards in the cyber sector that legally regulate the security and integrity of products. The situation is different in critical industrial sectors such as medical technology, where quality tests by independent bodies are an integral part of product authorisation. The need for independent and effective testing of digital products is likely to increase in the future in industry, public authorities, the police and the army. In order not to be dependent on foreign partners - as is the case in other disciplines - it is important that Switzerland builds up its own testing capacities. In its work, the group of experts addressed the following questions, among others:
In principle, a Swiss testing institute would have to assess the security of the test objects on behalf of manufacturers and suppliers and in the interests of consumers. The examples of cyber testing bodies in neighbouring countries show that the demand from manufacturers and suppliers depends largely on national and international regulations. However, the possible field of products to be tested is immense: all network-capable devices come into question. A strict differentiation between hardware and software products is often not expedient, as security gaps can arise particularly where the two interact (e.g. in the firmware). Among other things, the expert group suggests focussing on criticality when selecting test objects. Criticality is measured by the expected damage in the event of manipulation or failure of the test object, or by its economic and security significance. However, components that are not critical in themselves can also be misused to attack critical components. For example, a botnet of compromised IoT air-conditioning units and heaters (non-critical as individual devices) can threaten the power supply of an entire region.
The expert group demands that testing procedures follow a well-defined process and are subject to strict documentation requirements. The specification required for each order should regulate which questions are part of the inspection and whether the existence of known weak points is checked or fundamental anomalies are investigated. The fundamental questions include compliance with security-by-design and security-by-default. Reference to existing standards is possible. The range of tests extends from basic tests, which can ideally be automated, to highly specialised tests, which are often research-related and require complex equipment, specialised material and specialist knowledge. The tests carried out by the test centre should typically include at least the following points:
The experts assume that the testing of networked devices in Switzerland should be organised in a similar way to other countries. The institute functions as a body that organises and authorises tests and works together with recognised test centres and laboratories. In this model, which corresponds to that of the German Federal Office for Information Security (BSI) or the French Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), the testing institute is a normative audit and controlling body. It could be institutionally located in the environment of the sector organisations. To this end, the current initiators (ICTswitzerland and Zuger Initiative) will quickly enter into negotiations with the organisations, involving the federal government where appropriate. Mixed funding (public-private partnership) with the federal government, represented by the National Cyber Security Centre (NCSC), universities, large tech companies and the Swiss Accreditation Service (SAS), among others, seems possible given the large number of stakeholders. As part of a pilot project with initially limited funding, the establishment of a testing body is now being evaluated. The experience gained will be used to enable a national implementation with greater capacities and a broader range of services at a later date, as well as to strive for an international orientation in the longer term.