Fuzzing for Assurance and Certification – Lessons from Smart Meters (B22a)
For over seven years, fuzzing has played a pivotal role in the cybersecurity certification of smart metering devices in the UK. That experience has yielded valuable insights into using fuzzing to generate assurance, showing which approaches were successful and which were less effective. This talk goes beyond the application of fuzz testing to cover the specification of fuzzing requirements, the analysis of results, and the reporting of conclusions. The knowledge accumulated over the years has made it possible to identify effective techniques and has shed light on the challenges that arise when fuzzing constrained devices. Fuzzing emerges as a highly efficient method for generating assurance, making it a vital component for demonstrably implementing requirements such as those stipulated in the Cyber Resilience Act (CRA), which requires manufacturers to conduct effective security tests and reviews.