IACS Components Cybersecurity Certification Scheme (ICCS)

Blog

7
- Sept
2020
Posted by: José Ruiz
[Cybersecurity research]
IACS Components Cybersecurity Certification Scheme (ICCS)

The industrial sector has been demanding, for some time, a specific cybersecurity scheme to anticipate and prepare its infrastructures, knowing that these are critical and potential targets for cyber-attacks.

For this reason, ERNCIP, a thematic group based on "Case Studies for the Cyber-Security of IACS" was established in 2016 and proposed a roadmap for the establishment of a cybersecurity compliance and certification scheme for IACS components in Europe.

ERNCIP has published recently a report on Recommendations for the Implementation of a European IACS Components Cybersecurity Certification Scheme (ICCS) produced with a close and consistent reference and relevance to the EU CyberSecurity Act (CSA).

This report aims to be the most solid basis for a future European Cybersecurity Certification Scheme dedicated to Industrial Automation & Control Systems Components.

A new scheme for the Industrial Sector

Below, ICCS scheme recommendations main aspects are summarized:

  • Focus on Product certification. The scope of the scheme will not cover system or services.

  • 3 Assurance Levels have been defined with a direct mapping to the CSA.

  • Fully compliant with CSA (Annex A includes a mapping).

  • Evaluation activities are defined in agnostic manner and the terminology used is not biased by a standard. It will be the responsibility of the ad hoc group to define the standard or set of standards that may be used to meet the requirement of the ICCS. References to different standards are provided such as: Common Criteria, IEC 62443, LINCE, CSPN but the recommendations contemplate the possibility of the co-existence of different certification paths.

    ICCS involves three levels of security certification (basic, substantial and high), depending on the level at which you want to certify your product. All of the certifications need an accredited third party, not so for the Statement of Conformity, which is enough with a self-assessment:

    Depending of which level the vendor wants to get the product certified, the elements necessary for the evaluation vary:

    Each level of certification requires different evaluation activities as we can see below:

    More information related to the ICCS recommendations may be found in the IACS Components Cybersecurity Certification Scheme website or in the report.

    How can jtsec helps with your ICCS?

    José Ruiz, our CTO, has been the Co-Coordinator and Editor at the thematical group being highly involved in the project development. jtsec is here for helping and answer any questions you may have, so please, if you want more information, do not hesitate to ask us for information.

    • tags
    José Ruiz/CTO

    Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of the information technology as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS, LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the “Chairman” of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also member of different working groups as ISO SC27 or Global Platform TEE and an active member of the group ERNCIP “IACS Cybersecurity certification“.

    In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.


    Contact

    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
    RECENT POSTS
    jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
    Jan 17, 2025
    jtsec achieves pioneering accreditation for MEMeC cryptologic evaluation
    jtsec & Applus+ Laboratories at ICCC24
    Nov 14, 2024
    jtsec & Applus+ Laboratories at ICCC24
    How to use the CCN product catalog to improve your company's security
    Oct 14, 2024
    How to use the CCN product catalog to improve your company's security
    Common Criteria Statistics 2023
    June 17, 2024
    Common Criteria Statistics 2023
    How to enter ENS category high, stay in the catalog and add new versions of my product
    April 23, 2024
    How to enter ENS category high, stay in the catalog and add new versions of my product
    jtsec - Our LINCE 2023
    Febr 6, 2024
    jtsec - Our LINCE 2023
    We wish you a happy and cybersecure 2024
    Dec 19, 2023
    We wish you a happy and cybersecure 2024
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    Dec 14, 2023
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    How to include your product or service in ENS ALTA.
    Oct 31, 2023
    How to include your product or service in ENS ALTA.
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    Sept 19, 2023
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    CATEGORIES