13 February 2025
EN 18031 Explained: What Are External Interfaces?
"External interfaces" are among the most critical concepts to understand when preparing for compliance with the RED Delegated Act (RED DA) using the EN 18031 standards. Identifying these external interfaces is essential not only for your Technical Documentation—particularly for requirements GEC-2 to GEC-6—but also serves as an effective entry point into the EN 18031 standards.
The thought process you employ to identify external interfaces will enable you to uncover other EN 18031 relevant information, such as assets, software components and security mechanisms, all of which must be documented later in your Technical Documentation.
Therefore, having a solid understanding of external interfaces is key to successfully achieving compliance with the essential requirements of the RED DA. In this article, we will cover the five types of external interfaces as defined by the standards. Each interface will be discussed with concrete examples to enhance your understanding.
By the end of this article, you will learn:
- Five types of external interfaces
- The official definitions of each external interface
- Our interpretation of each external interface to provide a clearer understanding of what they truly encompass
- The thought process to adopt in identifying each external interface
- 41 real-life examples of external interfaces
Before Getting Started: The official standards for the RED DA, EN 18031 standards, have been harmonized! This means that "EN 18031" is now officially referred to as "hEN 18031." EU harmonized standards are designated with the prefix "hEN." In this article, we will use "EN 18031" and "hEN 18031" interchangeably.
5 Types of External Interfaces
According to the hEN 18031 standards, there are five types of external interfaces:
- Network interfaces
- User interfaces
- Machine interfaces
- Physical external interfaces
- Non-network external interfaces (only relevant for EN 18031-2)
Below is a graphical representation of these external interfaces and how their definitions may overlap with one another. Let's explore each interface to learn what they are and what constitutes them.
1. Network Interfaces
Official Definition of Network Interfaces
The EN 18031 series of standards provides the following definitions:
- Network interface: "External interface enabling the equipment to have or provide access to a network."
- External interface: "Interface of an equipment that is accessible from outside the equipment."
Our Interpretation of Network Interfaces
To provide more clarity on what needs to be documented, let’s elaborate on the following key terms from the official definition:
- External interface: This can refer to a physical port (e.g., Ethernet port or Small Form-factor Pluggable (SFP) port) or an antenna (e.g., Wi-Fi or Bluetooth). Antennas are considered external even when they are located inside the device casing since they enable communication with the equipment within a certain range.
- Have access to a network: The network interface can enable the equipment to connect to an existing network (such as a LAN or WAN) to utilize network resources (e.g., accessing a network service provided by another device on the network).
- Provide access to a network: The network interface can enable the equipment to serve as an access point or a gateway for other devices to connect to a network. Typical examples comprise network equipment such as a router whose network interfaces allow other devices to connect to the LAN and have access to the Internet.
The standards do not focus only on specific network communication protocols when referring to network interfaces. For instance, they do not mention that only IP-based networks should be considered. Moreover, even in the context of radio equipment (i.e. wireless), wired and optical network interfaces will have to be documented. For each network interface, information to document comprises physical/logical characteristics, communication protocols used, default configuration (e.g., see the Required Information of the requirement SCM-1).
How To Identify Network Interfaces
It is essential to declare all network interfaces present on the equipment. These are commonly documented in the user manual or data sheet of the equipment. Keep in mind that all network interfaces must be declared, regardless of whether they are enabled or disabled by default (this information will also be documented). This is particularly important for the requirements GEC-3, GEC-3 and GEC-4 which focus on network interfaces exposed in the factory default state.
To identify the network interfaces to document, it can be useful to consider the network protocol stack(s) or protocol implementation(s) available in the equipment's software and identify on which interface(s) they are implemented. In other words: From a software perspective, what enables the equipment to have or provide access to a network?
💡Tip: The protocol implementation and libraries required to provide access to a network will be declared as "network functions." For more information about network functions (hint: they are considered network assets), you can read our article on what network assets are.
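One way to apply this thought process on a Linux-based device, shown as an added example that is not part of the original article or of the EN 18031 standards: the script maps listening sockets to the interfaces they are reachable on, keeping interfaces that are down. The sample `ip -br addr show` and `ss -H -tuln` outputs are constructed, and treating loopback-only links as not external is an assumption of this example; non-IP stacks (e.g., Bluetooth, Zigbee) are not covered and need their own enumeration.

```python
import ipaddress

# Constructed sample of `ip -br addr show` on a hypothetical Linux-based device.
IP_BR = """\
lo      UNKNOWN  127.0.0.1/8 ::1/128
eth0    UP       192.168.1.10/24
wlan0   DOWN
"""
# Constructed sample of `ss -H -tuln` (listening TCP/UDP sockets, no header).
SS = """\
udp  UNCONN 0 0     0.0.0.0:5353        0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0:22          0.0.0.0:*
tcp  LISTEN 0 128   192.168.1.10:443    0.0.0.0:*
tcp  LISTEN 0 4096  127.0.0.1:1883      0.0.0.0:*
tcp  LISTEN 0 128   0.0.0.0%wlan0:8080  0.0.0.0:*
"""

def parse_interfaces(text):
    """Return every link, enabled or not: {name: {"state", "addrs"}}."""
    links = {}
    for line in filter(str.strip, text.splitlines()):
        name, state, *cidrs = line.split()
        links[name] = {"state": state, "addrs": [c.split("/")[0] for c in cidrs]}
    return links

def inventory(ip_text, ss_text):
    """Attribute each listening socket to the interface(s) it is bound to."""
    links = parse_interfaces(ip_text)
    report = {}
    for name, link in links.items():
        # Assumption: a link holding only loopback addresses is not "external".
        internal = bool(link["addrs"]) and all(
            ipaddress.ip_address(a).is_loopback for a in link["addrs"])
        report[name] = {"state": link["state"], "external": not internal, "listeners": []}
    for line in filter(str.strip, ss_text.splitlines()):
        proto, _state, _recvq, _sendq, local = line.split()[:5]
        addr, port = local.rsplit(":", 1)
        addr, _, dev = (p.strip("[]") for p in addr.partition("%"))
        if dev:  # socket bound to one device or scoped to it
            targets = [dev]
        elif addr == "*" or ipaddress.ip_address(addr).is_unspecified:
            targets = list(links)  # wildcard bind: reachable on every interface
        else:
            targets = [n for n, l in links.items() if addr in l["addrs"]]
        for name in (t for t in targets if t in report):
            report[name]["listeners"].append(f"{proto}/{port}")
    return report

print(inventory(IP_BR, SS))
```

Capturing the two command outputs with the device in its factory default state gives the per-interface view that the documentation of exposed network interfaces asks for; here `wlan0` is down yet still carries listeners and therefore still has to be declared.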
Examples of Network Interfaces
EN 18031 provides the following example of a network interface:
- "LAN port (wired) or a wireless network interface enabling WLAN or short-range wireless communication, e.g., using a 2.4 GHz antenna."
In line with this example, the following are considered network interfaces:
- Wi-Fi
- Bluetooth
- Zigbee
- LTE/5G modules
2. User Interfaces
Official Definition of User Interfaces
The EN 18031 series of standards provides the following definitions:
- User interface: "External interface between the equipment and a user".
- External interface: "Interface of an equipment that is accessible from outside the equipment".
Our Interpretation of User Interfaces
A user interface enables users to interact with the equipment to perform different tasks, including initializing, managing and using the device according to its intended functionalities. Moreover, it can provide the users with a means to access certain assets within the scope of the standards (i.e., network, security, privacy and financial assets).
User interfaces can take various forms depending on the use cases to be fulfilled by the device. For instance, a user interface can be a graphical user interface, voice user interface or a touch interface.
When documenting a user interface, it is important to declare whether it can receive inputs or not. This information will determine the applicability of GEC-6 "Input validation", which focuses solely on the input validation of machine interfaces.
Examples of User Interfaces
In the context of consumer IoT devices, the standard ETSI EN 303 645 v3.1.3 provides the examples below (see green box on the left). These examples also apply to non-consumer IoT devices.
- Web interface
- Camera
- Buttons
- Built-in keyboard
- PIN pad
- Screen/touchscreen
- Fingerprint reader
3. Machine Interfaces
Official Definition of Machine Interfaces
The EN 18031 series of standards provides the following definitions:
- Machine interface: "External interface between the equipment and a service or device."
- External interface: "Interface of an equipment that is accessible from outside the equipment."
- Device: "Product external to the equipment."
Our Interpretation of Machine Interfaces
The term machine interface refers to the means by which the equipment can communicate and interact with other devices (e.g., a printer) or services (e.g., an application server). Such interfaces are typically used by devices to send and receive data and/or commands. Examples of use cases leveraging machine interfaces include communicating with a cloud backend, checking for new updates, and sending sensor readings to a central monitoring system.
When documenting a machine interface, it is important to declare whether it can receive inputs. This information will determine the applicability of GEC-6 "Input validation", which focuses solely on the input validation of machine interfaces.
Examples of Machine Interfaces
- Application Programming Interface (API)
- OPC UA
- MQTT
- CoAP
- SOAP
4. Physical External Interfaces
Official Definition of Physical External Interfaces
While the EN 18031 series does not specifically define the term "physical external interface", the following definitions and explanations are useful:
- External interface: "Interface of an equipment that is accessible from outside the equipment."
- "Physical external interfaces might include external interfaces that are intentionally used for internal system communication as well as user interfaces and machine interfaces."
Our Interpretation of Physical External Interfaces
According to the categorization of interfaces provided in the standards (see table below), physical external interfaces can be any external interfaces (i.e., user, machine, or network interfaces) that are physically accessible from outside the equipment.
Physical external interfaces include, for instance, ports (e.g. Ethernet, USB), slots for cards, touchscreen, and antennas. Even antennas located inside the equipment can be considered physically accessible since the radio communication can be reached externally (i.e. outside the equipment).
Physical external interfaces are covered by the requirement GEC-5 "No unnecessary external interfaces," which states that only the interfaces necessary for the equipment's intended functionality shall be exposed.
This requirement is similar to Provision 5.6-3 from ETSI EN 303 645. It is useful to refer to this provision in ETSI EN 303 645 v3.1.3 and to its conformance assessment described in ETSI TS 103 701 v1.1.1 (see Section 5.6.3 Test Group 5.6-3).
Examples of Physical External Interfaces
While the EN 18031 standards do not provide examples explicitly, some hints can be found in the assessment unit of GEC-5, where the tester is instructed to "examine the equipment for which physical external interfaces are present on the equipment such as
- microphones,
- screens,
- buttons,
- slots for extension cards."
Regarding the required information for GEC-5, they provide as an example of interface type:
- USB-C
It can be useful to consider the depiction of interfaces from ETSI EN 303 645 v3.1.3. Physical external interfaces to be documented in the context of EN 18031 can include those on the left and the right side:
- Buttons
- PIN pad
- Screen/touchpad
- Wi-Fi antenna
- Ethernet port
- JTAG or other debug interfaces (only if physically exposed)
- USB port
- NFC antenna
Other examples include:
- Bluetooth antenna
- Zigbee antenna
- GPS antenna
- SD card
- PCMCIA
SD cards and PCMCIA do not fit into the categories of network, user, or machine interfaces. However, they should be categorized as "physical external interfaces" as specified in the GEC-5 Functional Completeness Assessment. In this assessment, the tester is required to "examine which physical external interfaces are present on the equipment such as microphones, screens, buttons or slots for extension cards."
5. Non-Network External Interfaces
Official Definition of Non-Network External Interfaces
No definitions are provided in the standards.
Our Interpretation of Non-Network External Interfaces
Non-network external interfaces are discussed in the requirement GEC-7, "Documentation of external sensing capabilities," which mandates documenting all "non-network external interfaces" that have sensing capabilities which can impact the user's privacy.
This requirement is similar to Provision 5.8-3 of ETSI EN 303 645, which states that "All external sensing capabilities of the consumer IoT device shall be documented in an accessible way that is clear and transparent for the user." ETSI TS 103 701 describes such capabilities as "any capabilities of a DUT (Device Under Test) to sense information about its surroundings, such as optic, acoustic, biometric or location sensors".
In the context of EN 18031-2, we translate this term as "external sensor." Therefore, you can think of external sensors when discussing "non-network external interfaces."
Moreover, the term "non-network" indicates that these external interfaces should fall under either user interfaces or machine interfaces. However, given that these interfaces have sensing capabilities, they should not be categorized as machine interfaces. Thus, our interpretation is to classify non-network external interfaces as a subset of user interfaces that possess sensing capabilities.
Furthermore, non-network external interfaces should also be considered a subset of physical external interfaces. Real-life examples of physical external interfaces with sensing capabilities include microphones, cameras, and buttons. These interfaces are accessible from outside the equipment, aligning them with the definition of physical external interfaces.
Examples of Non-Network External Interfaces
Given the above interpretation, examples of non-network external interfaces are:
- Microphones
- Camera
- Buttons
- Built-in keyboard
- PIN pad
- Screen/touch screen
- Fingerprint reader
Summary of External Interfaces with Examples
We have explored five types of external interfaces defined by the hEN 18031 standards: network interfaces, user interfaces, machine interfaces, physical external interfaces, and non-network external interfaces.
Below is the representation of these external interfaces along with their examples.
Are there any additional examples on your device? Let us know if you have any questions or comments.
Ready To Start Your RED DA Compliance?
You can download our free and open-source Technical Documentation templates from our GitHub repository. If you have questions about its usage, simply shoot us a line!
You will find all you need to conduct a self-assessment, all for free:
- EN 18031-1, -2 and -3 Technical Documentation template
- EN 18031-1, -2 and -3 Test plan template
Author of This Article ✏️
Dr. Guillaume Dupont is a co-founder of Zealience. He holds a PhD in IoT cybersecurity. As a former Senior Security Expert at UL Solutions, he helped IoT manufacturers prepare for the RED DA by performing evaluations against product security standards such as ETSI EN 303 645 and IEC 62443-4-2. He has contributed to the drafting of EN 18031 and also trained a Notified Body for RED DA assessments. He previously worked at Forescout on automotive security and developed intrusion detection systems for in-vehicle networks. He is also a seasoned IoT vulnerability researcher and disclosed CVEs found in medical devices to Siemens Healthineers. His research on IoT security led him to obtain a US patent: He invented a novel approach to enhance the accuracy of IoT device classification leveraging machine learning algorithms (US20220353153).