|
TECHNICAL SPECIFICATION
Cyber Security (CYBER);
Cyber Security for Home Gateways;
Conformance Assessment of Security Requirements
as vertical from Consumer Internet of Things
---------------------- Page: 1 ----------------------
2 ETSI TS 103 928 V1.1.1 (2023-07)
Reference
DTS/CYBER-0066
Keywords
home gateway, security, testing
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871
Important notice
The present document can be downloaded from:
https://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format at www.etsi.org/deliver.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
If you find errors in the present document, please send your comment to one of the following services:
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure Program:
https://www.etsi.org/standards/coordinated-vulnerability-disclosure
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
and/or governmental
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.
Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2023.
All rights reserved.
ETSI
---------------------- Page: 2 ----------------------
3 ETSI TS 103 928 V1.1.1 (2023-07)
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 6
Introduction . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Definition of terms, symbols and abbreviations . 8
3.1 Terms . 8
3.2 Symbols . 8
3.3 Abbreviations . 8
4 Conformance assessment methodology . 9
4.1 Overview and document structure . 9
4.1.0 General overview of the present document . 9
4.1.1 Handling of test groups . 10
4.1.2 Handling of IXIT entries . 11
4.1.3 Naming conventions . 11
4.2 Roles and objects . 11
4.2.1 Device Under Test (DUT) . 11
4.2.2 Supplier Organization (SO) . 11
4.2.3 Test Laboratory (TL) . 11
4.3 Assessment procedure . 11
4.4 Implementation Conformance Statement (ICS) . 12
4.5 Implementation eXtra Information for Testing (IXIT) . 12
4.6 Assignment of verdicts . 12
4.7 Usage of external evidences . 12
4.8 Assessment scheme amendments . 12
5 Test groups for adapted cyber security and data protection provisions for Home Gateway . 12
5.0 TSO 4: Reporting implementation . 12
5.0.1 Test group HG 4-1 (extended) . 12
5.0.1.0 Test group objective . 12
5.0.1.1 Test case HG 4-1-1 (conceptual) . 12
5.1 TSO 5.1: No universal default passwords . 13
5.1.1 Test group HG 5.1-1 (extended) . 13
5.1.1.0 Test group objective . 13
5.1.1.1 Test case HG 5.1-1 (extended)-1 (conceptual) . 13
5.1.1.2 Test case HG 5.1-1 (extended)-2 (functional) . 13
5.1.2 Test group HG 5.1-4 (extended)-a . 14
5.1.2.0 Test group objective . 14
5.1.2.1 Test case HG 5.1-4 (extended)-a-1 (conceptual) . 14
5.1.3 Test group HG 5.1-4 (extended)-b . 14
5.1.3.0 Test group objective . 14
5.1.3.1 Test case HG 5.1-4 (extended)-b-1 (conceptual) . 14
5.1.3.2 Test case HG 5.1-4 (extended)-b-2 (functional). 15
5.1.4 Test group HG 5.1-4 (extended)-c . 15
5.1.4.0 Test group objective . 15
5.1.4.1 Test case HG 5.1-4 (extended)-c-1 (conceptual) . 15
5.1.4.2 Test case HG 5.1-4 (extended)-c-2 (functional) . 16
5.1.5 Test group HG 5.1-5 (refined) . 16
5.2 TSO 5.3: Keep software updated . 16
5.2.1 Test group HG 5.3-1 (extended)-a . 16
5.2.1.0 Test group objective . 16
ETSI
---------------------- Page: 3 ----------------------
4 ETSI TS 103 928 V1.1.1 (2023-07)
5.2.1.1 Test case HG 5.3-1 (extended)-a-1 (conceptual) . 16
5.2.2 Test group HG 5.3-1 (extended)-b . 17
5.2.2.0 Test group objective . 17
5.2.2.1 Test case HG 5.3-1 (extended)-b-1 (conceptual) . 17
5.2.2.2 Test case HG 5.3-1 (extended)-b-2 (functional). 17
5.2.3 Test group HG 5.3-2 (refined) . 18
5.2.4 Test group HG 5.3-6 (extended) . 18
5.2.4.0 Test group objective . 18
5.2.4.1 Test case HG 5.3-6 (extended)-1 (conceptual) . 18
5.2.4.2 Test case HG 5.3-6 (extended)-2 (functional) . 18
5.2.5 Test group HG 5.3-9 (extended)-b . 19
5.2.5.0 Test group objective . 19
5.2.5.1 Test case 5.3-9 (extended)-b-1 (conceptual) . 19
5.2.5.2 Test case 5.3-9 (extended)-b-2 (functional) . 20
5.2.6 Test group HG 5.3-16 (extended) . 20
5.2.6.0 Test group objective . 20
5.2.6.1 Test case HG 5.3-16 (extended)-1 (conceptual) . 20
5.2.6.2 Test case HG 5.3-16 (extended)-2 (functional) . 21
5.3 TSO 5.6: Minimize exposed attack surfaces . 21
5.3.1 Test group HG 5.6-1 (extended) . 21
5.3.1.0 Test group objective . 21
5.3.1.1 Test case HG 5.6-1 (extended)-1 (conceptual) . 21
5.3.1.2 Test case HG 5.6-1 (extended)-2 (functional) . 22
5.4 TSO 5.9: Make systems resilient to outages . 22
5.4.1 Test group HG 5.9-2 (promoted) . 22
6 Test Groups for additional cyber security provisions for Home Gateway . 22
6.0 Overview . 22
6.1 TSO 7.3: Keep software updated . 23
6.1.1 Test group HG 7.3-1 (added) . 23
6.1.1.0 Test group objective . 23
6.1.1.1 Test case HG 7.3-1 (added)-1 (conceptual) . 23
6.1.1.2 Test case HG 7.3-1 (added)-2 (functional) . 23
6.1.2 Test group HG 7.3-4 (added) . 24
6.1.2.0 Test group objective . 24
6.1.2.1 Test case HG 7.3-4 (added)-1 (conceptual) . 24
6.1.2.2 Test case HG 7.3-4 (added)-2 (functional) . 24
6.1.3 Test group HG 7.3-6 (added) . 25
6.1.3.0 Test group objective . 25
6.1.3.1 Test case HG 7.3-6 (added)-1 (conceptual) . 25
6.1.3.2 Test case HG 7.3-6 (added)-2 (functional) . 25
6.1.4 Test group HG 7.3-7 (added) . 26
6.1.4.0 Test group objective . 26
6.1.4.1 Test case HG 7.3-7 (added)-1 (conceptual) . 26
6.1.4.2 Test case HG 7.3-7 (added)-2 (functional) . 26
6.1.5 Test group HG 7.3-8 (added) . 27
6.1.5.0 Test group objective . 27
6.1.5.1 Test case 7.3-8 (added)-1 (conceptual) . 27
6.2 TSO 7.4: Securely store sensitive security parameters . 28
6.2.1 Test group HG 7.4-1 (added) . 28
6.2.1.0 Test group objective . 28
6.2.1.1 Test case HG 7.4-1 (added)-1 (conceptual) . 28
6.2.1.2 Test case HG 7.4-1 (added)-2 (functional) . 29
6.2.2 Test group HG 7.4-2 (added) . 29
6.2.2.0 Test group objective . 29
6.2.2.1 Test case HG 7.4-2 (added)-1 (conceptual) . 29
6.2.2.2 Test case HG 7.4-2 (added)-2 (functional) . 30
6.2.3 Test group HG 7.4-3 (added) . 30
6.2.3.0 Test group objective . 30
6.2.3.1 Test case HG 7.4-3 (added)-1 (conceptual) . 31
6.2.3.2 Test case HG 7.4-3 (added)-2 (functional) . 31
6.2.4 Test group HG 7.4-9 (added) . 32
ETSI
---------------------- Page: 4 ----------------------
5 ETSI TS 103 928 V1.1.1 (2023-07)
6.2.4.0 Test group objective . 32
6.2.4.1 Test case HG 7.4-9 (added)-1 (conceptual) . 32
6.2.4.2 Test case HG 7.4-9 (added)-2 (functional) . 32
6.3 TSO 7.5: Communicate securely . 33
6.3.1 Test group HG 7.5-6 (added) . 33
6.3.1.0 Test group objective . 33
6.3.1.1 Test case HG 7.5-6 (added)-1 (conceptual) . 33
6.3.1.2 Test case HG 7.5-6 (added)-2 (functional) . 33
6.3.2 Test group HG 7.5-7 (added) . 34
6.3.2.0 Test group objective . 34
6.3.2.1 Test case HG 7.5-7 (added)-1 (conceptual) . 34
6.3.2.2 Test case HG 7.5-7 (added)-2 (functional) . 34
6.4 TSO 7.6: Minimize exposed attack surfaces . 34
6.4.1 Test group HG 7.6-1 (added) . 34
6.4.1.0 Test group objective . 34
6.4.1.1 Test case HG 7.6-1 (added)-1 (conceptual) . 35
6.4.1.2 Test case HG 7.6-1 (added)-2 (functional) . 35
6.4.2 Test group HG 7.6-2 (added) . 36
6.4.2.0 Test group objective . 36
6.4.2.1 Test case HG 7.6-2 (added)-1 (conceptual) . 36
6.4.2.2 Test case HG 7.6-2 (added)-2 (functional) . 36
6.4.3 Test group HG 7.6-3 (added) . 37
6.4.3.0 Test group objective . 37
6.4.3.1 Test case HG 7.6-3 (added)-1 (conceptual) . 37
6.4.3.2 Test case HG 7.6-3 (added)-2 (functional) . 37
6.4.4 Test group HG 7.6-4 (added) . 38
6.4.4.0 Test group objective . 38
6.4.4.1 Test case HG 7.6-4 (added)-1 (conceptual) . 38
6.4.4.2 Test case HG 7.6-4 (added)-2 (functional) . 38
6.4.5 Test group HG 7.6-9 (added) . 39
6.4.5.0 Test group objective . 39
6.4.5.1 Test case HG 7.6-9 (added)-1 (conceptual) . 39
6.4.5.2 Test case HG 7.6-9 (added)-2 (functional) . 39
6.5 TSO 7.12: Make installation and maintenance of devices easy . 40
6.5.1 Test group HG 7.12-1 (added) . 40
6.5.1.0 Test group objective . 40
6.5.1.1 Test case HG 7.12-1 (added)-1 (conceptual) . 40
6.5.1.2 Test case HG 7.12-1 (added)-2 (functional) . 40
Annex A (normative): Home Gateway Pro formas for the SO . 41
A.1 The right to copy . 41
A.2 Identification of the DUT pro forma for Home Gateway . 41
A.3 Implementation Conformance Statement (ICS) pro forma for Home Gateway . 41
A.4 Implementation eXtra Information for Testing (IXIT) pro forma for Home Gateway . 44
Annex B (informative): Matching tables for Home Gateway . 47
B.1 Overview of required IXIT entries per provision for Home Gateway . 47
B.2 Overview of required test groups per provision for Home Gateway . 48
Annex C (informative): Sample IXIT for Home Gateway . 49
Annex D (informative): Additional assessment information for Home Gateway . 55
D.1 Threat model . 55
D.2 Baseline attacker model. 55
D.3 Model for a "user with limited technical knowledge" . 55
History . 56
ETSI
---------------------- Page: 5 ----------------------
6 ETSI TS 103 928 V1.1.1 (2023-07)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee
...