EU R&D in cybersecurity's certification


1 EU R&D in cybersecurity's certification
EESC public hearing
Jean-Pierre Nordvik (HoU) and Gianmarco Baldini
Space, Security and Migration Directorate
Head of the Cyber and Digital Citizens’ Security Unit

2 Security Certification - Definition
Certification: “A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system” (from NIST SP)
12 November 2018

3 Certification Process (simplified, abstracted)
Specific domain (e.g. IoT, IACS, C-ITS, Smart Grid …)
Security Requirement Analysis:
- Risk Analysis and Assurance level definition
- Compliance vs. existing standards
- Definition of Protection Profiles
Security Evaluation:
- Security Profile / Target
- Documentary compliance verification
- Testing activities (e.g. penetration tests)
- Evaluation of the product development process
- … for a given environment
Certification:
- Product or Service Label

4 State of play on security evaluation/certification standards (not exhaustive list)
| Scheme / Standard | Body | Domain |
|---|---|---|
| Common Criteria | CCRA/SOG-IS members | Generic IT products |
| CSPN | French ANSSI | |
| BSI-Standard IT Grundschutz | German BSI | |
| UL Cyber security Assurance Program | USA | |
| ISA/IEC 62443 | International | ICS |
| GSMA Network Equipment Security | GSMA/3GPP | Telecom/Media |
| FIPS 140-2 | | Cryptographic Modules |

5 Challenges/Issues on Security Evaluation Certification
- Point-in-time security certification. The security certification evaluates a particular version of the product in a certain configuration. Significant changes may invalidate the certification.
- Comparison and transparency to the user. Security certification documents are quite technical and sometimes not comparable among categories of products.
- Lack of well-defined metrics makes it difficult to assess the cost–benefit ratio of performing a security evaluation.
- Fragmentation across domains. CCRA and SOG-IS are good examples of efforts to mitigate fragmentation, but there are still divergent activities.
- In many cases, security evaluation may be a costly and time-consuming effort, which may not be appropriate for some categories of products.

6 Main R&D areas
- Definition of adequate security metrics and benchmarks to support a quantitative evaluation of products
- Cost- and time-effective testing tools and processes based on formal or semi-formal models (e.g., Model Based Testing)
- Improved re-evaluation and re-certification processes to address software updates (e.g., patching)
- Formal relationships between risks, vulnerabilities and security properties.

7 Main R&D areas: model based testing
Inputs: Security needs & requirements, Risk Analysis, Test Patterns, Security Test Objectives
Security Modeling for test generation (MBT Tool)
Automatic test generation
Test Repository (TTCN-3, Java…)
Functional tests: manual execution & scripts for automation

8 European Cybersecurity certification schemes
From COM(2017) 477 Final, Proposal… on Information and Communication Technology cyber security certification (“Cybersecurity Act”): “The proposal does not introduce directly operational certification schemes for specific ICT products/services, but rather create a system (framework) for the establishment of specific certification schemes for specific ICT products and services (the “European cyber security certification schemes”)…”
- Meta framework (organizations, roles and processes)
- IACS Security evaluation and certification scheme
- IoT Security evaluation and certification scheme
- Road Transportation Security evaluation and certification scheme
- New Scheme: Proposal for a new scheme

9 IACS Case Study (ICCF)

10 A proposal for Labelling the products
IACS Case Study (ICCF)
- ICCF / ICCS-C1 Self Declaration of compliance: “The vendor hereby declares that they positively assessed this product against the IACS Common Cybersecurity Assessment Requirements selected in a Security Profile that can be consulted online on the IACS C&C EU Register.”
- ICCS-C2 Independent Compliance Assessment Label
- ICCS-B Product Cyber Resilience Certificate
- ICCS-A Full Cyber Resilience Certificate

11 IoT Case Study
From Horizon 2020 ARMOUR project

12 IoT Case Study Dealing with the IoT device lifecycle
From Horizon 2020 ARMOUR project

13 Other issues
- Security vs. Privacy. How to combine security and privacy requirements in the same certification process?
- Liability. Does the new framework support distribution of liability in a fair way?
- SME/Innovation. The new framework wishes to foster innovation in cyber security and support SMEs as well. How to deal with certification costs for SMEs?
- Re-use of existing expertise and efforts done at national level.

14 Stay in touch jean.pierre.nordvik@ec.europa.eu and
JRC Science Hub: ec.europa.eu/jrc
Facebook: EU Science Hub - Joint Research Centre
LinkedIn: Joint Research Centre
YouTube: EU Science Hub

15 Thank you for your attention.
Joint Research Centre (JRC) Web:

