NXP Semiconductors welcomes the proposal of the European Commission on a European Cybersecurity Act as an important step towards a secure and trusted Internet of Things (IoT).
The proposed development of an EU Cybersecurity Certification Framework can be a key instrument to enhance public trust in digital products and services and to increase the efficiency of existing security certification schemes.
The need for security and privacy is no longer limited to specific payment or governmental applications. In a digitized world with ubiquitous connectivity, security and privacy are becoming a key concern for both businesses and citizens. Industry organizations and citizens with no specific technical knowledge need to be able to quickly assess whether a product provides security and privacy features. Certification of IoT products, as a tool to demonstrate conformity with a security claim, can help to increase transparency and provide information to the user. To gain maximum trust, the following steps are required:
- Definition of security requirements and standards for products and services
- Selection of the appropriate security evaluation and certification scheme to demonstrate compliance with those standards, run by accredited independent third parties
- Enforcement of compliance with the requirements and standards (e.g. need to hold a certificate)
Today, a broad set of security evaluation and certification schemes for products, systems, solutions, services and organizations exists, but there is no unified or combined approach in place that covers the entire ecosystem in an integral way. For organizations, schemes like ISO/IEC 27001 are established, defining and describing information security management systems. For industrial systems, ISA/IEC 62443 is commonly applied. For secure components, ISO/IEC 15408 (Common Criteria, CC) is a broadly used certification scheme.
The EU Cybersecurity Act is a great opportunity to define a common set of cybersecurity requirements and to develop an efficient certification landscape, by building on the profound expertise of national and EU cybersecurity experts and taking lessons learned from existing initiatives, such as SOG-IS[1], into account.
EU Cybersecurity Certification Framework
The proposal of the European Commission on the development of EU Certification Schemes offers the opportunity not to “re-invent” the wheel but to build on what has been successfully established in the past, while improving and harmonizing processes and filling existing gaps at the same time.
Dedicated Expert Groups[2] need to be established that can define the security requirements and standards (Protection Profiles) for the specific horizontals (e.g. components, processes, companies) or verticals (e.g. automotive, industry, smart home) and select the appropriate types of certification schemes. For complex use cases, diverse schemes may be complementary.
Certification needs to be agile, efficient and modular so that components (HW and SW) can be plugged together with the least certification effort. The focus must be on the “required” security rather than on “absolute” security. The approach must be pragmatic, and bureaucracy must be kept to a minimum to reduce costs and time to market. This can be achieved by involving the right experts, who have profound knowledge of the use case and the associated threats, risks and attacks.
Besides efficiency and a strong focus on “required” security, future-proof certification needs to be able to handle ongoing product changes. Such changes can have several root causes, such as adding or changing features or performing modifications in response to identified vulnerabilities. Updates should therefore be treated as a standard process in the certification flow, either by allowing a certain degree of freedom within the certified scope or by certifying the update process itself.
A precondition for the development of EU Certification Schemes must be the definition of security requirements and standards, both horizontally and vertically. There must be a common understanding of the security principles against which products and services need to be evaluated and tested. These requirements need to be developed from a system perspective. EU Certification Schemes would then need to prove the derived security claim in an efficient manner.
In Article 46, the proposed Cybersecurity Act foresees three assurance levels (basic, substantial and/or high) for ICT products and services certified under EU Certification Schemes. For products, the following schemes could be used: the basic to mid-level could refer to approaches like CSPN[3], which has been developed by the French information security agency ANSSI. Similar approaches are available in the UK (CPA[4]), the Netherlands and Germany. To achieve a harmonized view, these approaches should be consolidated at EU level. Substantial, mid and high assurance levels could use Common Criteria (CC), ideally improved and “smartened up” process- and cost-wise. Commercial entities should carry out the evaluation and certification work to ensure high efficiency. As there is no equivalent scheme in place yet, an EU scheme could act as a global blueprint.
A New Governance Structure
The EU Cybersecurity Act proposal puts the European Union Agency for Network and Information Security (ENISA) at the center of developing EU Certification Schemes. In addition, Article 51 of the Cybersecurity Act foresees that Conformity Assessment Bodies (CABs), composed of private companies, shall be established per country to perform the evaluations. This is a change to the current SOG-IS governance structure.
It will be crucial to ensure that bureaucracy is minimal, i.e. that certification is cost-efficient and time-to-market is short. At the same time, security quality must not be put at risk. An adequate balance between both elements (time to market and security quality) must be the key objective of ENISA when proposing schemes. CABs could help to reduce time to market by performing the evaluation work and then directly issuing a certificate, but it must be ensured that all CABs operate at a consistent and mutually accepted quality level. A “race to the bottom” needs to be prevented. CABs (which are usually private) have the financial means to launch large, scalable evaluation and certification programs in terms of equipment and human resources. That way, certification would also become affordable for small companies. Article 51 suggests that CABs should be accredited by national accreditation bodies. To ensure that all CABs in Europe operate in a harmonized way, especially regarding security expertise (as in the SOG-IS), we strongly recommend establishing only one central European group (e.g. operated by ENISA), composed of national security experts (e.g. from BSI or ANSSI), which carries out the accreditation and supervision of CABs. It is key to have one central European group rather than multiple groups at national level which would have to monitor each other. Having one group will ensure real harmonization of efficiency and security quality.
Article 53 of the proposal lays down that a European Cybersecurity Certification Group (the Group), composed of national certification supervisory authorities, should be established. To ensure that sector-specific security requirements, evaluation and certification procedures are optimized, dedicated Expert Groups should also be set up, consisting of, but not limited to, representatives from industry, security experts, national security agencies, regulators, and evaluation and certification bodies (public or private). It must be guaranteed that the Expert Group for a sector operates at a defined level of quality. The new governance must also avoid “silo-structures” to enable maximum re-use of certified items across sectors, meaning that a central body (e.g. ENISA or the European Commission) needs to have an overview of sector activities.
Monitoring the attack landscape and adapting standards and evaluation procedures where needed must also be part of the governance. Threats and attacks need to be communicated and properly handled across all sectors.
Depending on the use case, compliance with security requirements and standards should be enforced, either by industry agreements or specific regulation.
[1] https://www.sogis.org/
[2] representatives from industry, security experts, national security agencies, regulators, evaluation and certification bodies (public or private ones)
[3] https://www.ssi.gouv.fr/administration/produits-certifies/cspn/
[4] https://www.ncsc.gov.uk/scheme/commercial-product-assurance-cpa