SIST EN 18031-3:2024
(Main)Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value
Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value
Common security requirements for internet connected radio equipment that equipment enables the holder or user to transfer money, monetary value or virtual currency. This document provides technical specifications for radio equipment processing virtual money or monetary value, which apply to electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.
Gemeinsame Sicherheitsanforderungen für mit dem Internet verbundene Funkanlagen, die für die Datenverarbeitung im Zusammenhang mit virtuellen Währungen oder monetären Werten eingesetzt werden
The harmonised standard includes test methods or equivalent approaches and conditions to verify compliance of the radio equipment with the essential requirement set out in Article 3(3), point (f) of Directive 2014/53/EU for the categories and classes specified by Article 1(3) of Delegated Regulation (EU) 2022/.
Exigences de sécurité communes applicables aux équipements radioélectriques connectés à linternet qui traitent une monnaie virtuelle ou de la valeur monétaire
Exigences de sécurité communes applicables aux équipements radioélectriques connectés à l'internet qui permettent au détenteur ou à l'utilisateur de transférer de l'argent, une valeur monétaire ou une monnaie virtuelle. Le présent document fournit des spécifications techniques pour les équipements radioélectriques qui traitent une monnaie virtuelle ou de la valeur monétaire, qui s'appliquent aux produits électriques ou électroniques capables de communiquer via l'internet, que ces produits communiquent directement ou par l'intermédiaire d'un autre équipement.
Skupne varnostne zahteve za radijsko opremo - 3. del: Z internetom povezana radijska oprema, ki obdeluje virtualni denar ali denarno vrednost
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
01-oktober-2024
Skupne varnostne zahteve za radijsko opremo - 3. del: Z internetom povezana
radijska oprema, ki obdeluje virtualni denar ali denarno vrednost
Common security requirements for radio equipment - Part 3: Internet connected radio
equipment processing virtual money or monetary value
Gemeinsame Sicherheitsanforderungen für mit dem Internet verbundene Funkanlagen,
die für die Datenverarbeitung im Zusammenhang mit virtuellen Währungen oder
monetären Werten eingesetzt werden
Exigences de sécurité communes applicables aux équipements radioélectriques
connectés à linternet qui traitent une monnaie virtuelle ou de la valeur monétaire
Ta slovenski standard je istoveten z: EN 18031-3:2024
ICS:
33.060.01 Radijske komunikacije na Radiocommunications in
splošno general
35.030 Informacijska varnost IT Security
35.240.40 Uporabniške rešitve IT v IT applications in banking
bančništvu
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN 18031-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
August 2024
ICS 33.060.20
English version
Common security requirements for radio equipment - Part
3: Internet connected radio equipment processing virtual
money or monetary value
Exigences de sécurité communes applicables aux Gemeinsame Sicherheitsanforderungen für mit dem
équipements radioélectriques - Partie 3 : Équipements Internet verbundene Funkanlagen, die für die
radioélectriques connectés à l'internet qui traitent une Datenverarbeitung im Zusammenhang mit virtuellen
monnaie virtuelle ou de la valeur monétaire Währungen oder monetären Werten eingesetzt
werden
This European Standard was approved by CEN on 1 August 2024.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN 18031-3:2024 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 5
Introduction . 6
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Abbreviations . 12
5 Application of this document. 13
6 Requirements . 16
6.1 [ACM] Access control mechanism . 16
6.1.1 [ACM-1] Applicability of access control mechanisms . 16
6.1.2 [ACM-2] Appropriate access control mechanisms . 21
6.2 [AUM] Authentication mechanism . 25
6.2.1 [AUM-1] Applicability of authentication mechanisms . 25
6.2.2 [AUM-2] Appropriate authentication mechanisms . 36
6.2.3 [AUM-3] Authenticator validation . 42
6.2.4 [AUM-4] Changing authenticators. 46
6.2.5 [AUM-5] Password strength . 49
6.2.6 [AUM-6] Brute force protection . 57
6.3 [SUM] Secure update mechanism . 61
6.3.1 [SUM-1] Applicability of update mechanisms. 61
6.3.2 [SUM-2] Secure updates . 64
6.3.3 [SUM-3] Automated updates . 68
6.4 [SSM] Secure storage mechanism . 72
6.4.1 [SSM-1] Applicability of secure storage mechanisms . 72
6.4.2 [SSM-2] Appropriate integrity protection for secure storage mechanisms . 76
6.4.3 [SSM-3] Appropriate confidentiality protection for secure storage mechanisms . 81
6.5 [SCM] Secure communication mechanism . 86
6.5.1 [SCM-1] Applicability of secure communication mechanisms . 86
6.5.2 [SCM-2] Appropriate integrity and authenticity protection for secure communication
mechanisms . 91
6.5.3 [SCM-3] Appropriate confidentiality protection for secure communication
mechanisms . 97
6.5.4 [SCM-4] Appropriate replay protection for secure communication mechanisms . 102
6.6 [LGM] Logging Mechanism . 107
6.6.1 [LGM-1] Applicability of logging mechanisms . 107
6.6.2 [LGM-2] Persistent storage of log data . 110
6.6.3 [LGM-3] Minimum number of persistently stored events . 113
6.6.4 [LGM-4] Time-related information of persistently stored dog data. 116
6.7 [CCK] Confidential cryptographic keys . 119
6.7.1 [CCK-1] Appropriate CCKs . 119
6.7.2 [CCK-2] CCK generation mechanisms . 123
6.7.3 [CCK-3] Preventing static default values for preinstalled CCKs . 127
6.8 [GEC] General equipment capabilities . 131
6.8.1 [GEC-1] Up-to-date software and hardware with no publicly known exploitable
vulnerabilities . 131
6.8.2 [GEC-2] Limit exposure of services via related network interfaces . 135
6.8.3 [GEC-3] Configuration of optional services and the related exposed network
interfaces . 139
6.8.4 [GEC-4] Documentation of exposed network interfaces and exposed services via
network interfaces . 143
6.8.5 [GEC-5] No unnecessary external interfaces . 146
6.8.6 [GEC-6] Input validation . 148
6.8.7 [GEC-7] . 153
6.8.8 [GEC-8] Equipment Integrity . 153
6.9 [CRY] Cryptography . 157
6.9.1 [CRY-1] Best practice cryptography . 157
Annex A (informative) Rationale . 162
A.1 General . 162
A.2 Rationale . 162
A.2.1 Family of standards . 162
A.2.2 Security by design . 162
A.2.3 Threat modelling and security risk assessment . 163
A.2.4 Functional sufficiency assessment . 164
A.2.5 Implementation categories . 164
A.2.6 Assets . 165
A.2.7 Mechanisms . 167
A.2.8 Assessment criteria . 167
A.2.8.1 Decision trees . 167
A.2.8.2 Technical documentation . 168
A.2.8.3 Security testing . 169
A.2.9 Interfaces . 169
A.2.9.1 Example: Laptop with a built-in keyboard . 170
A.2.9.2 Example: Equipment with a USB-keyboard . 170
A.2.9.3 Example: User interface over a network . 171
A.2.9.4 Example: USB-printer. 171
A.2.9.5 Example: Network printer . 172
Annex B (informative) Mapping with EN IEC 62443-4-2:2019 . 173
B.1 General . 173
B.2 Mapping . 173
Annex C (informative) Mapping with ETSI EN 303 645 (Cyber Security for Consumer Internet
of Things: Baseline Requirements) . 176
C.1 General . 176
C.2 Mapping . 176
Annex D (informative) Mapping with Se
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.