The next cybersecurity schemes in Europe, a glimpse into the future.

Blog

19 August 2020
Posted by: Javier Tallón

Candidate schemes that will be influential within the next years.

The area of cybersecurity has grown exponentially in Europe in recent years, largely due to the many cyberattacks suffered daily by companies, administrations and individuals. Protecting and creating a secure product is today a very important factor for the credibility of any company or administration. For this reason, Europe is promoting the creation of cybersecurity schemes that are adapted to the needs of different economic sectors.

In order to define priorities, it would be useful to have a table with the relevant factors for making the decision: market size, current cybersecurity certification adoption, preparatory work, available standards, market demand, etc. Unfortunately we do not have that table, but we do have some intuitions, based on our experience, about where things can go. Cybersecurity certifications will advance in all sectors, but there are areas, such as the industrial sector, 5G networks, or everything related to autonomous vehicles, which will require special attention in the coming months.

In the industrial field, we have been working as editor and co-leader of the recommendations report to create a certification scheme for Industrial Automation and Control Systems (IACS). The industrial market has its own standards (e.g. IEC 62443) and considers that the horizontal standards (e.g. Common Criteria) do not meet its needs. Moreover, the adoption of the NIS directive could be fostered with the creation of a scheme for industrial components.

In the automotive sector, the United Nations has adopted a regulation (UNECE WP.29) that provides a global baseline for vehicle cybersecurity following the security-by-design principle and recommends following security standards such as ISO 21434. This is clearly aligned with the Cybersecurity Act vision, and it will be easy to create new certification schemes on this basis.

There is also a clear lack of a cryptographic module or cryptographic algorithm validation scheme like the North American FIPS 140-2.

The most important national cybersecurity certification schemes in Europe.

The procurement needs of the different governments across Europe have pushed the creation of national cybersecurity certifications. This is the case of BSZ (Germany), CSPN (France), BSPA (Netherlands) and LINCE (Spain). All of them are agile, lightweight certifications, focused on vulnerability analysis and penetration testing, with limited effort and duration.

The development of all these methodologies and their certification falls directly to the Certification Body of each country. This is creating some fragmentation in the market, which demands a lightweight scheme at European level so that vendors do not need to certify their products under each country's scheme. Indeed, CEN/CENELEC JTC13 WG3 is already working intensively to have a first version of a common evaluation methodology by the end of 2020. This will clearly ease the creation of a new horizontal scheme under the CSA umbrella.

Having a product that has passed certification at European level means a wide range of possible sales in Europe without having to carry out certification at national level in each country, as we discussed before, thus considerably reducing the effort in terms of both time and money.

Cybersecurity certifications in the EU market. Mandatory versus voluntary certification.

It is a fact that any cybersecurity certification always ensures that the product has passed some minimum requirements and that it is, a priori, more secure than one that has not passed any certification, whether the certificate is mandatory or not.

For both companies and administrations, it is becoming increasingly important, when purchasing, that a product has obtained a cybersecurity certificate. Although some years ago having a cybersecurity certificate was "only" recommended, today it is becoming de facto mandatory to hold the corresponding certification in order to work with the public administration. In addition, more and more big companies are using national cybersecurity catalogues as a reference for procurement.

However, while this approach may work fine for governments and big companies where an adequate risk analysis has been done, it does not work at all for SMEs or consumers, who usually have a false sense of security. That is why, whenever possible, cybersecurity certification shall be mandatory to reduce the risk of cyberattacks. Incidents like the well-known Mirai botnet, where hundreds of thousands of low-cost IoT devices launched Distributed Denial of Service (DDoS) attacks, could be mitigated by mandatory cybersecurity certification of consumer devices.

Moreover, when human lives are at risk (vehicles, medical devices, products or services used in environments affected by the NIS directive, etc.), there shall be no doubt that cybersecurity certification must be mandatory.

At jtsec, we are pretty sure that the consumer will not pay more for a more secure device in the near term.

Impacts that cybersecurity certification schemes will have on companies from third countries

One of the greatest international challenges is recognition agreements between several countries. Of course, mandatory certification could mean a risk for third countries and somehow break the market. This is something that we have already predicted from the EUCC AdHoc WG. It is not acceptable to force vendors to certify their products in Europe if they already hold an equivalent Cybersecurity Certification. Europe shall establish recognition agreements with third countries to avoid this problem.

These recognition agreements shall be made without undermining the security of the certified products/services/processes, so there shall be rules to transpose a certificate issued by a third country into a European scheme, and these rules may include additional requirements for vendors, for example regarding vulnerability handling and disclosure. We will gain more experience on this during the next years, when the EUCC scheme is put into effect.

Europe, a worldwide reference in terms of cybersecurity.

Europe has been, and still is, a reference in terms of cybersecurity. Nevertheless, it is always good to look at what is being done by Standards Development Organizations at an international level, to serve as a basis for the creation of new schemes. This approach is at the heart of the CSA itself, which prefers using internationally recognized standards whenever possible, unless those standards are ineffective or inappropriate to fulfil the Union's legitimate objectives in that regard.

The aim is always for certifications to be valid in as many countries as possible. In the end, we are in a globalized market, and any product developer intends to sell its product in as many countries as possible. However, this may reduce the agility to make changes to the standards, because achieving international consensus is always difficult.

On this matter, ENISA strives to do just that: to smooth the work of the working groups and, with it, the implementation of the schemes, bringing together experts from all over the continent and leading the development of the standards without reinventing the wheel.

A good example is the adoption of the Common Criteria Patch Management extension that is being developed in the context of ISO SC 27 WG3 while it is still in draft status. This is what you expect from a leader: to bring things forward.

Javier Tallón/Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (up to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a cybersecurity lecturer, teaching Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company develops most of its work. A recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple conferences.
