Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value

Common security requirements for internet connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency. This document provides technical specifications for radio equipment processing virtual money or monetary value; they apply to electrical or electronic products that are capable of communicating over the internet, regardless of whether these products communicate directly or via any other equipment.

(German title) Common security requirements for internet-connected radio equipment used for data processing in connection with virtual currencies or monetary values

The harmonised standard includes test methods or equivalent approaches and conditions to verify compliance of the radio equipment with the essential requirement set out in Article 3(3), point (f) of Directive 2014/53/EU for the categories and classes specified by Article 1(3) of Delegated Regulation (EU) 2022/.

(French title) Common security requirements for radio equipment - Part 3: Internet-connected radio equipment processing virtual money or monetary value

(French abstract) Common security requirements for internet-connected radio equipment that enable the holder or user to transfer money, monetary value or virtual currency. This document provides technical specifications for radio equipment processing virtual money or monetary value, which apply to electrical or electronic products capable of communicating over the internet, whether these products communicate directly or via another piece of equipment.

(Slovenian title) Common security requirements for radio equipment - Part 3: Internet-connected radio equipment processing virtual money or monetary value

General Information

Status: Not Published
Publication Date: 21-Aug-2024
Current Stage: 5060 - Closure of Vote - Formal Approval
Start Date: 27-Jun-2024
Due Date: 04-Mar-2024
Completion Date: 27-Jun-2024

Buy Standard

Draft
prEN 18031-3:2023 - BARVE
English language
127 pages

Standards Content (Sample)


SLOVENIAN STANDARD
oSIST prEN 18031-3:2023
1 November 2023
(Slovenian title) Common security requirements for radio equipment - Part 3: Internet-connected radio equipment processing virtual money or monetary value
Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value
(German title) Common security requirements for internet-connected radio equipment used for data processing in connection with virtual currencies or monetary values
(French title) Common security requirements for radio equipment connected to the internet that process virtual money or monetary value
This Slovenian standard is identical to: prEN 18031-3
ICS: 33.060.01 Radiocommunications in general
oSIST prEN 18031-3:2023 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD DRAFT
prEN 18031-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2023
ICS
English version
Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value
(French title) Common security requirements for radio equipment connected to the internet that process virtual money or monetary value
(German title) Common security requirements for internet-connected radio equipment used for data processing in connection with virtual currencies or monetary values
This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee
CEN/CLC/JTC 13.
If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal
Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any
alteration.
This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A
version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language
and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without notice and shall not be referred to as a European Standard.

oSIST prEN 18031-3:2023
prEN 18031-3:2023 (E)
Contents (page)
European foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Application of this standard ... 10
5 Requirements ... 12
5.1 [ACM] Access control mechanism ... 12
5.1.1 [ACM-1] Applicability of access control mechanisms ... 12
5.1.2 [ACM-2] Appropriate access control mechanisms ... 16
5.2 [AUM] Authentication mechanism ... 19
5.2.1 [AUM-1] Applicability of authentication mechanisms for external interfaces ... 19
5.2.2 [AUM-2] Appropriate authentication mechanisms for external interfaces ... 26
5.2.3 [AUM-3] Authenticator validation ... 29
5.2.4 [AUM-4] Changing authenticators ... 32
5.2.5 [AUM-5] Preventing static and default values ... 35
5.2.6 [AUM-6] Brute force protection ... 39
5.3 [SUM] Secure update mechanism ... 43
5.3.1 [SUM-1] Applicability of update mechanisms ... 43
5.3.2 [SUM-2] Secure updates ... 46
5.3.3 [SUM-3] Automated updates ... 50
5.4 [SSM] Secure storage mechanism ... 53
5.4.1 [SSM-1] Applicability of secure storage mechanisms ... 53
5.4.2 [SSM-2] Appropriate integrity protection for secure storage mechanisms ... 56
5.4.3 [SSM-3] Appropriate confidentiality protection for secure storage mechanisms ... 59
5.5 [SCM] Secure communication mechanism ... 62
5.5.1 [SCM-1] Applicability of secure communication mechanisms ... 62
5.5.2 [SCM-2] Appropriate integrity and authenticity protection for secure communication mechanisms ... 66
5.5.3 [SCM-3] Appropriate confidentiality protection for secure communication mechanisms ... 69
5.5.4 [SCM-4] Appropriate replay protection for secure communication mechanisms ... 73
5.6 [LGM] Logging mechanism ... 77
5.6.1 [LGM-1] Applicability of logging mechanisms ... 77
5.6.2 [LGM-2] Appropriate logging mechanisms ... 80
5.6.3 [LGM-3] Appropriate logging mechanisms – Minimum number of events ... 84
5.6.4 [LGM-4] Appropriate logging mechanisms – Time related information ... 87
5.7 [CCK] Confidential cryptographic keys ... 89
5.7.1 [CCK-1] Appropriate confidential cryptographic keys (CCKs) ... 89
5.7.2 [CCK-2] Confidential cryptographic key generation mechanisms ... 92
5.7.3 [CCK-3] No hard-coded confidential cryptographic keys ... 95
5.7.4 [CCK-4] Preventing static default values for confidential cryptographic keys ... 97
5.8 [GEC] General equipment capabilities ... 100
5.8.1 [GEC-1] Up-to-date software and hardware with no publicly known exploitable vulnerabilities ... 100
5.8.2 [GEC-2] Limit exposure of services via related network interfaces ... 103
5.8.3 [GEC-3] Configuration of optional services and the related exposed network interfaces ... 105
5.8.4 [GEC-4] Documentation of exposed services via network interfaces ... 108
5.8.5 [GEC-5] No unnecessary external interfaces ... 109
5.8.6 [GEC-7] Input validation ... 112
5.9 [CRY] Cryptography ... 116
5.9.1 [CRY-1] Best practice cryptography ... 116
Annex A (informative) Rationale ... 121
A.1 General ... 121
A.2 Rationale ... 121
A.2.1 Family of standards ... 121
A.2.2 Security by design ... 121
A.2.3 Assets ... 121
A.2.4 Mechanisms ... 122
A.2.5 Assessment criteria ... 122
A.2.5.1 Decision trees ... 123
A.2.5.2 Technical documentation ... 123
A.2.5.3 Security testing ... 125
A.2.6 Security parameters ... 125
Annex ZA [D][E][F] (informative) ... 126
Table ZA.1 — Correspondence between this European Standard and Directive 2014/53/EU [OJ L 153] ... 126
Bibliography ... 127
European foreword

This document (prEN 18031-3:2023) has been prepared by Technical Committee CEN/CENELEC JTC 13/WG 8 “Special Working Group RED Standardization Request”, the secretariat of which is held by NEN.

This document is currently submitted to the CEN Enquiry.

This document has been prepared under a mandate given to CEN/CENELEC by the European Commission and the European Free Trade Association and supports essential requirements of EU Directive(s) / Regulation(s).

For relationship with EU Directive(s) / Regulation(s), see informative Annex ZA, which is an integral part of this document.
Introduction

It is important to note that, in order to achieve the overall cybersecurity of radio equipment, defence-in-depth best practices will be needed. In particular, no single measure will suffice to achieve the given objectives; indeed, achieving even a single security objective will usually require a suite of mechanisms and measures. Throughout this document, the guidance material includes lists of examples. These lists must be read only as indicative possibilities: there are other possibilities that are not listed, and even using the examples given will not be sufficient unless the mechanisms and measures chosen are implemented in a coordinated fashion.
1 Scope

Common security requirements for internet connected radio equipment that enables the holder or user to transfer money, monetary value or virtual currency. This document pro
...
