EU R&D in cybersecurity's certification


EU R&D in cybersecurity's certification
EESC public hearing of 09.01.2018
Jean-Pierre Nordvik (Head of Unit) and Gianmarco Baldini
Space, Security and Migration Directorate, Head of the Cyber and Digital Citizens' Security Unit

Security Certification - Definition
Certification: "A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system" (from NIST SP 800-37).
12 November 2018

Certification Process (simplified, abstracted)
Inputs for a specific domain (e.g. IoT, IACS, C-ITS, Smart Grid ...): risk analysis and assurance level definition; compliance vs. existing standards; definition of Protection Profiles.
1. Security Requirement Analysis -> Security Profile / Target, for a given environment
2. Security Evaluation: documentary compliance verification; testing activities (e.g. penetration tests); evaluation of the product development process; ...
3. Certification -> Product or Service Label

State of play on security evaluation/certification standards (not exhaustive list)

Scheme                                   Body                        Domain
Common Criteria                          CCRA / SOG-IS members       Generic IT products
CSPN                                     ANSSI (France)              -
BSI-Standard 100-2 (IT-Grundschutz)      BSI (Germany)               -
UL Cybersecurity Assurance Program       UL (USA)                    -
ISA/IEC 62443                            ISA / IEC (international)   ICS
GSMA Network Equipment Security          GSMA / 3GPP                 Telecom / Media
FIPS 140-2                               NIST (USA)                  Cryptographic modules

(- : not given)

Challenges/Issues on Security Evaluation/Certification
- Point-in-time security certification. The evaluation covers a particular version of the product in a particular configuration; significant changes may invalidate the certification.
- Comparison and transparency to the user. Security certification documents are quite technical and are not always comparable across categories of products.
- Lack of well-defined metrics makes it difficult to assess the cost-benefit ratio of performing a security evaluation.
- Fragmentation across domains. CCRA and SOG-IS are good examples of efforts to mitigate fragmentation, but divergent activities remain.
- In many cases security evaluation is a costly and time-consuming effort, which may not be appropriate for some categories of products.

Main R&D areas
- Definition of adequate security metrics and benchmarks to support a quantitative evaluation of products
- Cost- and time-effective testing tools and processes based on formal or semi-formal models (e.g. Model Based Testing)
- Improved re-evaluation and re-certification processes to address software updates (e.g. patching)
- Formal relationships between risks, vulnerabilities and security properties

Main R&D areas: model based testing
Conventional path: functional tests -> manual execution & scripts for automation -> test repository (TTCN-3, Java, ...).
MBT path: security needs & requirements, risk analysis and test patterns -> security test objectives -> security modelling for test generation -> automatic test generation (MBT tool) -> test repository (TTCN-3, Java, ...).
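The MBT path sketched on this slide, worked through as an added example that is not part of the JRC presentation or of any MBT tool it refers to. A finite-state security model of a device's management session is the oracle (assumed behaviour: password login, read of a configuration item, logout, lockout after three failed logins); a handful of security test objectives stand in for the slide's "Security Test Objectives"; the generator enumerates stimulus sequences from the model and keeps each sequence that covers a not-yet-covered objective (the "Automatic test generation" step); the resulting suite is then replayed against two systems under test, one compliant and one that accepts a correct password after lockout. Device, WeakDevice, the stimulus names and MAX_FAILED_LOGINS are assumptions made for the illustration.

```python
"""Added example (not from the JRC slides): model-based security testing.
A finite-state model of a device management session is the oracle; stimulus
sequences that cover a security test objective are generated from it and then
replayed against a system under test. Names and thresholds are assumptions."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, Dict, List, Tuple

MAX_FAILED_LOGINS = 3  # assumed lockout threshold of the modelled device
STIMULI = ("login_ok", "login_bad", "read_config", "logout")
TestCase = List[Tuple[str, str]]  # (stimulus, expected response) per step

@dataclass(frozen=True)
class State:
    authenticated: bool = False
    failed: int = 0

    @property
    def locked(self) -> bool:
        return self.failed >= MAX_FAILED_LOGINS

def model_step(s: State, stim: str) -> Tuple[State, str]:
    """Security model: next state and expected response for one stimulus."""
    if stim == "login_ok":
        if s.locked:
            return s, "denied"  # lockout must win over a correct password
        return State(authenticated=True, failed=0), "ok"
    if stim == "login_bad":
        return (s if s.locked else replace(s, failed=s.failed + 1)), "denied"
    if stim == "read_config":
        return s, ("config" if s.authenticated else "denied")
    if stim == "logout":
        return replace(s, authenticated=False), "ok"
    raise ValueError(f"unknown stimulus {stim!r}")

# Security test objectives from the risk analysis: predicates on the model
# state *before* a stimulus and on the stimulus itself.
OBJECTIVES: Dict[str, Callable[[State, str], bool]] = {
    "read_without_auth": lambda s, st: st == "read_config" and not s.authenticated,
    "login_after_lockout": lambda s, st: st == "login_ok" and s.locked,
    "bad_login_while_locked": lambda s, st: st == "login_bad" and s.locked,
}

def generate_suite(depth: int) -> List[TestCase]:
    """Enumerate stimulus sequences up to `depth` steps; keep the first sequence
    (shortest, since lengths grow) that covers each not-yet-covered objective."""
    uncovered, suite = set(OBJECTIVES), []
    for length in range(1, depth + 1):
        for seq in product(STIMULI, repeat=length):
            state, case, hit = State(), [], set()
            for stim in seq:
                hit |= {n for n, pred in OBJECTIVES.items() if pred(state, stim)}
                state, expected = model_step(state, stim)
                case.append((stim, expected))
            if hit & uncovered:
                uncovered -= hit
                suite.append(case)
        if not uncovered:
            break
    return suite

class Device:
    """SUT implementing the modelled behaviour correctly (assumed)."""
    def __init__(self) -> None:
        self.session, self.failed = False, 0

    def step(self, stim: str) -> str:
        if stim in ("login_ok", "login_bad"):
            if self.failed >= MAX_FAILED_LOGINS:
                return "denied"
            if stim == "login_bad":
                self.failed += 1
                return "denied"
            self.session, self.failed = True, 0
            return "ok"
        if stim == "read_config":
            return "config" if self.session else "denied"
        self.session = False  # logout
        return "ok"

class WeakDevice(Device):
    """Same device with the lockout check missing on the success path."""
    def step(self, stim: str) -> str:
        if stim == "login_ok":
            self.session, self.failed = True, 0
            return "ok"
        return super().step(stim)

def run_suite(suite: List[TestCase], make_sut: Callable[[], Device]) -> list:
    """Replay every test on a fresh SUT; report each divergence from the model
    as (test index, step index, stimulus, expected, observed)."""
    failures = []
    for i, case in enumerate(suite):
        sut = make_sut()
        for j, (stim, expected) in enumerate(case):
            observed = sut.step(stim)
            if observed != expected:
                failures.append((i, j, stim, expected, observed))
                break  # later steps of this test no longer mean anything
    return failures

if __name__ == "__main__":
    tests = generate_suite(depth=MAX_FAILED_LOGINS + 2)
    print(len(tests), "tests; lockout defect:", run_suite(tests, WeakDevice))
```

The expected responses in each generated test come from the model, not from the implementation, so the suite can be regenerated and re-run unchanged after a patch; only a change to the security requirements themselves forces a change to the model. Sequence enumeration grows as 4^depth, which is why real MBT tools replace the exhaustive loop with coverage-directed search, but the objective-driven selection shown here is the same idea.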

European Cybersecurity certification schemes
From COM(2017) 477 final, Proposal… on Information and Communication Technology cyber security certification ("Cybersecurity Act"): "The proposal does not introduce directly operational certification schemes for specific ICT products/services, but rather creates a system (framework) for the establishment of specific certification schemes for specific ICT products and services (the 'European cyber security certification schemes')…"
Meta framework (organizations, roles and processes), under which sit:
- IACS security evaluation and certification scheme
- IoT security evaluation and certification scheme
- Road transportation security evaluation and certification scheme
- New scheme (proposal for a new scheme)

IACS Case Study (ICCF)

IACS Case Study (ICCF): a proposal for labelling the products
- ICCS-C1 Self-Declaration of Compliance: "The vendor hereby declares that they positively assessed this product against the IACS Common Cybersecurity Assessment Requirements selected in a Security Profile that can be consulted online on the IACS C&C EU Register."
- ICCS-C2 Independent Compliance Assessment Label
- ICCS-B Product Cyber Resilience Certificate
- ICCS-A Full Cyber Resilience Certificate

IoT Case Study (from the Horizon 2020 ARMOUR project)

IoT Case Study: dealing with the IoT device lifecycle (from the Horizon 2020 ARMOUR project)

Other issues
- Security vs. privacy: how to combine security and privacy requirements in the same certification process.
- Liability: does the new framework support a fair distribution of liability?
- SME/innovation: the new framework wishes to foster innovation in cybersecurity and support SMEs as well. How to deal with certification costs for SMEs?
- Re-use of existing expertise and efforts done at national level.

Stay in touch: jean.pierre.nordvik@ec.europa.eu and gianmarco.Baldini@ec.europa.eu
JRC Science Hub: ec.europa.eu/jrc
Twitter: @EU_ScienceHub | Facebook: EU Science Hub - Joint Research Centre | LinkedIn: Joint Research Centre | YouTube: EU Science Hub

Thank you for your attention. Joint Research Centre (JRC) Web: www.jrc.ec.europa.eu