Introduction to Infocom Security for Embedded Software on Smartphone Systems (ESS) Certification and Verification System
Most mobile device cyber security regulations proposed by international and regional organizations, and by advanced countries in Europe and North America, take the form of guidelines and risk assessments, and mobile devices are not required to pass cyber security tests prior to being sold. To prevent any technical obstacles to trade, smartphone cyber security testing mechanisms in Taiwan are implemented in line with these international methods: phone manufacturers actively submit phones, or commission their submission, for testing.
With the aim of promoting cyber security testing of the embedded software of smartphone systems, the National Communications Commission (NCC), referring to cyber security suggestions for connected devices proposed by international and regional organizations (such as the OWASP and ENISA) and by European countries and the US (such as NIST, FCC, and Ofcom), announced the "Infocom Security Technical Inspection Guidelines of Embedded Software on Smartphone Systems" on March 3, 2017 as a basis for cyber security laboratory testing to be undertaken in Taiwan. Working with the Chinese Cryptology and Information Security Association (CCISA), the NCC implements the Smartphone System Embedded Software Security (ESS) Certification System.
The ESS Certification System includes the certification organization, the Taiwan Accreditation Foundation (TAF), TAF-approved cyber security testing laboratories, and the CCISA, which serves as a certification organization. Under the joint efforts of various sectors, the ESS testing and certification service was officially launched on April 20, 2017. As of the end of August 2022, five TAF-approved cyber security testing laboratories had been established (details on the ESS testing website).
In order to expand effectiveness and to encourage mobile phone cyber security to be implemented in the design process, the NCC began working with the Taiwan Association of Information and Communication Standards (TAICS) in 2019. The NCC provides bills to the TAICS, according to which the TAICS promotes industry and national standards for suppliers and the government to follow when making purchases. The TAICS announced the "Infocom Security Standards for Embedded Software on Smartphone Systems" on July 10, 2020 and the "Infocom Security Test Specifications for Embedded Software on Smartphone Systems" on January 28, 2021, with the objective of establishing effective certification mechanisms. Additionally, because the "Infocom Security Test Specifications for Embedded Software on Smartphone Systems" announced by the TAICS are based on the NCC’s "Infocom Security Test Technical Specifications for Embedded Software on Smartphone Systems" and include the latest cyber security issues, the standards for smartphone system embedded software cyber security testing were switched, following the establishment of the TAICS certification system, to those detailed in the "Infocom Security Test Specifications for Embedded Software on Smartphone Systems."
Subsequently, the NCC took into consideration that the cyber security testing regulations announced by the TAICS in 2020 include several new tests that respond to evolving methods of hacking, whereas the technical specification regulations announced by the NCC in 2017 were non-mandatory guidance and inadequate for mobile phone cyber security. Furthermore, the Taiwan Testing and Certification Center (ETC), the only organization to which the NCC regulations applied, had switched to following the TAICS cyber security testing regulations beginning on October 14, 2021, in order to unify testing standards for the industry. Consequently, the NCC announced on February 23, 2022 that the 2017 technical specifications would cease to apply.