Evaluation Assessment and Testing Overview

Purpose and Scope

  • EN 18031-1 ensures devices prevent harm to network infrastructure, avoid
    disruptions, and mitigate resource misuse, including resilience against
    denial-of-service attacks and unauthorized access.
  • It is applicable to a wide range of internet-connected radio equipment, from
    smart home devices and wearables to connected toys.
  • It is often paired with other standards such as EN 18031-2 (radio equipment
    processing data) and EN 18031-3 (internet-connected radio equipment
    processing virtual money or monetary value) to show compliance under the RED
    directive.

 

Mechanisms (requirements)

An X marks the parts of EN 18031 in which the mechanism applies.

Mechanism                             EN 18031-1  EN 18031-2  EN 18031-3
ACM  Access Control Mechanism             X           X           X
AUM  Authentication Mechanism             X           X           X
SUM  Secure Update Mechanism              X           X           X
SSM  Secure Storage Mechanism             X           X           X
SCM  Secure Communication Mechanism       X           X           X
RLM  Resilience Mechanism                 X           -           -
NMM  Networking Monitoring Mechanism      X           -           -
TCM  Traffic Control Mechanism            X           -           -
LGM  Logging Mechanism                    -           X           X
DLM  Deletion Mechanism                   -           X           -
UNM  User Notification Mechanism          -           X           -
CCK  Confidential Cryptographic Keys      X           X           X
GEC  General Equipment Capabilities       X           X           X
CRY  Cryptography                         X           X           X

Key Requirements

The standard specifies measures to minimize security risks
and ensure the integrity, availability, and confidentiality of data throughout
the device’s lifecycle. Some core requirements include: 

  • Risk Assessment: Evaluating potential threats and vulnerabilities throughout
    the device’s lifecycle.
  • Data Protection: Implementing safeguards like encryption to protect
    sensitive information.
  • Access Controls: Utilizing mechanisms like strong passwords and role-based
    permissions.
  • Secure Software Updates: Ensuring updates are delivered securely and
    reliably.

 

Evaluation and Assessment

The assessment process within EN 18031-1 employs a
three-pronged approach: 

  • Conceptual assessment: Verifying that the security concept aligns with the
    standard’s principles (security by design).
  • Functional completeness assessment: Ensuring all security measures defined
    in the concept are implemented and functional.
  • Functional sufficiency assessment: Testing the effectiveness of the
    implemented security measures against potential attacks and threats. This
    may include techniques like fuzzing.

 

Step by Step Process

1. Applicability Check:

Determining whether the standard’s requirements apply to the specific radio
equipment. Note that more than one standard may apply.

2. Documentation Review:

Examining the documentation provided, including risk assessments, the software
requirements document used by the firmware developers, design specifications,
the software bill of materials (SBOM), the security mechanisms, and the user
manual, through evaluation and assessment.

3. Functional Testing:

Verifying the implementation of the security mechanisms against a specifically
prepared test plan, using hands-on testing and confirming that the device
behaves as documented.

4. Security Testing:

Actively testing the equipment to assess its resilience against various
threats, which may include techniques like fuzzing, penetration testing, and
code review.

5. Final Assessment:

Evaluating the evidence gathered to determine whether the device meets the
requirements of the standard.

6. Formal Confirmation Report:

A summary of the evaluation and testing performed.

Manufacturers of end-use equipment and products are solely responsible for
regulatory compliance under the RED directive. Do not assume that the security
measures of a pre-approved wireless module alone will meet these new
requirements. DLS and our cybersecurity experts can assist manufacturers in
navigating the complexities of these new regulatory requirements and ensuring
the compliant development of secure products and equipment. For additional
information about DLS Cybersecurity compliance costs and lead times, go to the
DLS cybersecurity quote request page.

EN IEC 61000-6-3 is intended to address electrical and electronic equipment for use in residential, commercial and light-industrial environments. This generic EMC emissions standard is applicable if no relevant dedicated product or product-family EMC emissions standard exists.

This standard applies to apparatus intended to be directly connected to a low-voltage public mains network or connected to a dedicated DC source which is intended to interface between the apparatus and the low-voltage public mains network. This standard applies also to apparatus which is battery operated or is powered by a non-public, but non-industrial, low voltage power distribution system if this apparatus is intended to be used in the locations described below.

The environments encompassed by this standard are residential, commercial and light industrial locations, both indoor and outdoor. It includes:

  • Residential properties e.g. houses, apartments
  • Retail outlets e.g. shops, supermarkets
  • Business premises e.g. offices, banks
  • Areas of public entertainment e.g. cinemas, public bars, dance halls
  • Outdoor locations e.g. petrol stations, car parks, amusement and sports center
  • Light-industrial locations e.g. workshops, laboratories, service centers.

Requirements include both conducted and radiated emissions.

Conducted emission requirements for mains ports and telecommunication ports must be tested in the frequency range 0 kHz - 30 MHz.

Radiated emission requirements must be tested over the frequency ranges referenced below:

  • 30 MHz - 1 GHz if the internal oscillator frequency is up to 108 MHz
  • 30 MHz - 2 GHz if the internal oscillator frequency is up to 500 MHz
  • 30 MHz - 5 GHz if the internal oscillator frequency is up to 1 GHz
  • 30 MHz - 6 GHz if the internal oscillator frequency is higher than 1 GHz

If the internal clock frequency is not known, the measurements shall be carried out up to 6 GHz.
If the internal oscillator frequency or working frequency is up to 9 kHz, the measurements shall be made up to 230 MHz.

Immunity requirements are not covered by this standard; they are addressed in EN IEC 61000-6-1.

Safety considerations are not covered by this standard either. Equipment used in commercial, residential, or light-industrial applications may fall under the requirements of the EU Low Voltage Directive 2014/35/EU or the EU Machinery Directive 2006/42/EEC.

Wireless Applications

Electrical and electronic equipment with wireless capabilities (transmitter-receiver) may have to meet wireless regulations as well as medical device and equipment regulations. Pre-approved wireless module certification is in many cases not enough to show compliance for household appliances and similar equipment. D.L.S. can assist in determining the specific requirements needed to meet all U.S., Canada, EU and international regulatory requirements for your equipment. The European Union has established requirements under law for wireless-enabled products to show compliance with the Radio Equipment Directive 2014/53/EU as part of the CE marking requirements.

Common wireless standards can be found at:

https://www.dlsemc.com/wireless-devices-transmitters-receivers-test-standards-services

Contact D.L.S. today to determine the specific requirements needed to meet compliance for equipment and products used in residential, commercial and light-industrial environments.