In WP2, DOSS has collected 6 best-practice documents, 2 standards, 5 regulations, and 3 private documents from organizations such as ENISA, ECSI, NIST, EC, IETF, and ETSI. We have analysed the documents, identified the requirements and best practices, and proposed recommendations for potential improvements. Based on the findings, the project elaborated the end-to-end "Supply Trust Chain" and has verified the final concept with external stakeholders, taking their comments and recommendations into account. The Supply Trust Chain realizes end-to-end security monitoring of the supply chain by integrating testing and validation modules as well as protection devices in the operating environment.
Beyond the model concept, the underlying technologies of the overall system have also been defined, and the design and implementation work on the modules has started. (See: D2.1, D2.2)
Based on this analytical work, we have specified the new combined device security descriptor, the "Device Security Passport" (DSP), which supports security, compliance, and risk management across different IoT environments. The DSP integrates multiple security descriptors, ensuring a comprehensive security overview throughout a device's lifecycle. This machine-readable document integrates existing descriptors such as SBOM, HBOM, MUD and VEX. We also defined additional content based on the requirements of the CRA, as well as the ThreatMUD file for security enhancement. (See: D2.3)
The integrated DSP files will be stored in the DSP Platform, which serves as a central data repository. The platform manages version control and maintains an audit trail, tracking changes to DSP versions and ensuring accountability and transparency. The platform design is in progress, and a mock-up has also been built to verify the security concept of the architecture. (See: D2.2)
In WP3 the DOSS Component Tester (CT) has been designed. The Component Tester was created to assess software components using a variety of security validation methodologies, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Interactive Application Security Testing (IAST). Furthermore, the Component Tester is used to validate the information contained in the SBOM part of the DSP. (See: D3.1)
Work related to the automated Onboarding Platform of DOSS has also been performed in this WP. After thorough research, the FDO concept, which has been gaining significant traction, has been selected. For secure configuration, we have taken the NIST onboarding approach as a basis, using the DSP, primarily its Manufacturer Usage Description (MUD) files, as the main source of information to perform a secure deployment of the IoT. Implementation of the platform has just started.
In WP4 the Digital Cybersecurity Twin (DCT) has been designed and implementation is in progress. The DCT validates the security exposure of IoT architectures already at the design phase and thus realizes the security-by-design concept. The DCT will perform the following steps fully automatically:
• checks the consistency of the inputs received from the system developer/integrator;
• identifies system components and retrieves their DSPs;
• performs error propagation analysis on the system and determines impactful attack goals;
• generates attack trees for those attack goals;
• generates executable test cases and a test plan from the attack trees;
• augments the IaC representation of the digital twin by appropriate testing and observational tools;
• launches the digital twin in a virtualized execution environment;
• executes vulnerability scanning and penetration testing;
• identifies security weaknesses and provides recommendations on how to fix them.
(See: D4.1)
In WP5 the Architecture Security Validator (ASV) has been designed and implementation is well underway, with some of the modules already being completed. The ASV is an automated platform that verifies and pre-certifies IoT architectures against security standards and regulations. It provides continuous compliance assessment by transforming security standards into machine-readable formats, developing automated validation methodologies, and implementing a platform for structured security verification. (See: D5.1)
In WP6, which is the pilot work package, only one task has started: the design and implementation of the security environment of the pilot operations. The modules (attack detection, access control, honeypot, malware detection and the reporting platform) are all ready for deployment.