ENISA Cybersecurity Certification Conference

On 18 December, ENISA organised a one-day event on cybersecurity certification. High-level speakers discussed the current developments (the SOG-IS and cloud schemes) as well as future candidate schemes. IoT and 5G were mentioned.

Gisela Meister, Senior Consultant for Eurosmart, presented ETSI’s technical specification on cybersecurity assessment for consumer IoT products. Her presentation received positive feedback from the audience.

Please find below a briefing on these key presentations from the conference.


Panel on the EU Cybersecurity Certification Framework:

Juhan Lepassaar, Executive Director of ENISA, explained that certification is important not only for devices but also for services. For the past 12 months, the major focus of ENISA has been on the SOG-IS and the cloud schemes. There is also a lot of work to be done to build up the cybersecurity certification ecosystem. The involvement of the Member States (via the ECCG) is key, as the schemes need to be endorsed by the Member States. The first Union Rolling Work Programme for cybersecurity certification is expected for Q1 2021.

Lorena Boix Alonso, Director at DG CNECT for Cybersecurity, presented the new Cybersecurity Strategy. The strategy mentions the use of certification for IoT. In addition, the European Commission will soon make a request to ENISA to prepare a 5G cybersecurity scheme. The 5G toolbox already includes certification among the measures to consider.

Lorena Boix Alonso added that there is always an elephant in the room when talking about certification: cost. The European Commission needs to strike the right balance. There is also a need for coherence among horizontal and vertical requirements. Security-by-design and life cycle are essential principles.

Andreas Könen, from the German presidency, underlined that products should already be as secure as possible when they leave the factory. The Council considers cybersecurity requirements for connected devices, at least those directly connected to the internet. The Cybersecurity Act is a way to apply these requirements. However, they do not want to certify all connected devices. Common horizontal rules for devices must be consistent across all sectors.

In Andreas Könen's view, it is essential to have a bridge between the New Legislative Framework and the Cybersecurity Act, to avoid duplication of efforts. On this point, you can refer to the DIN presentation below.

[Internal working document] Link between NLF and CSA

Panel on ETSI standards on consumer IoT security:

Jasper Pandza, UK’s Department for Digital (DCMS), presented ETSI’s standard EN 303 645. This standard is about raising the security bar for all consumer IoT devices from near-zero to a good level. It is not about achieving a very high level of security. However, it covers every major attack that has happened in the past few years (e.g. Satori, Mirai). This standard provides the relevant foundation for the basic level of consumer IoT assurance.

It is a standard which is accessible, even to relative newcomers to cybersecurity. It is also freely available, as it is an ETSI standard.

Gisela Meister, Senior Consultant at Eurosmart, presented ETSI TS 103 701 named “Cybersecurity assessment for consumer IoT products”. This technical specification is about conformance assessment against EN 303 645. It covers self-assessment, in-house testing and independent evaluators.

A first version was published, and an updated (and final) version is expected for Q1 2021.

Please find below the full PowerPoint presentation of Jasper and Gisela.

ETSI standards on consumer IoT security – full presentation

Panel on the experience from AHWGS and TGS:

Gábor Hornyák, CTO of CCLab, gave details on the work of Thematic Group No5 of the ahWG1, Continuity assurance and handling of vulnerabilities, concentrating on the vulnerability handling and patch management approaches of the new EUCC scheme. The vulnerability handling is based on the ISO/IEC 30111 and ISO/IEC 29147 standards.

For patch management, there are two possible approaches: the ISO SC27 WG3 Technical Report “Extension for Patch Management for 15408 and 18045” or the ISCI WG1 Proposal for new SAR components and Packages in CC for Patch Management. With both approaches there are 4 applicable patch levels, 3 of which are new. There is, for example, the possibility of a critical update flow process, which also introduces the concept of asynchronicity.

A key success factor will be the industry adoption. We can only hope that the ad-hoc working group correctly interpreted the industry’s needs.

Please find below Gábor’s full presentation.

Presentation on continuity assurance and handling of vulnerabilities

Panel on National Authorities' Implementation of EU Cybersecurity Certification Rules and Schemes:

For Dag Ströman, Head of Swedish Certification Body for IT-Security and ECCG representative, continuity of operations is a priority.

Johan van den Bosch, Project leader CSA, Dutch Ministry for Economy, explained that his team will communicate to the labs when the EUCC scheme takes over the national schemes. The first prior approvals (of CABs) would come in early 2022.

In his view, the challenge is the CCRA, i.e. continuing the international recognition of the Dutch certificates.

Johan van den Bosch underlined that there are a lot of challenges for the cloud scheme. It must be discussed further before it can be adopted.

Matthias Intemann, Head of Branch Certification Procedures, BSI, stressed that the CSA involves additional obligations and big changes for the BSI. The most challenging and interesting aspect is that, in parallel, BSI is building a new Unit in Saxony in charge of oversight (market supervision). It is crucial for BSI to manage this migration. This includes cooperation with national accreditation bodies.

For each scheme, BSI needs to decide whether to engage in certification itself or to pass it on to other entities. For now, BSI is not planning on delegating the tasks to private entities.

BSI is in regular exchange with labs and vendors. BSI educates about the upcoming European changes and the status of implementation. BSI hopes that the CC users will not be too affected by the changes. Most of the changes will affect labs.

According to Matthias Intemann, the number of certificates will not change a lot at the high level. The biggest change concerns the substantial level. The BSI expert expects the market for substantial certification to expand, which will be a challenge.

Franck Sadmi, NCCA team leader, ANSSI, explained that ANSSI needs to manage the authorisation of CABs, monitor the manufacturers, and manage penalties and complaints. Some of these activities were already managed, but many are new. It is a big challenge. ANSSI strongly supports the CSA. ANSSI needs to stay agile. For some schemes, ANSSI might have to work with other national authorities and maybe with CABs (depending on the scheme). ANSSI already knows how to work with CABs and check their skills.

The second challenge is to get the legal basis. It is linked to market surveillance. In the past, ANSSI had agreements with CABs and could do audits. Now ANSSI has to deal with sampling and selection of manufacturers’ products. This is very strongly regulated in France. ANSSI needs to get the right legal basis to perform this market surveillance.

CABs need to be ready for the substantial and basic levels. If industry wants to choose the basic level, it is crucial to ensure that the rules are understood in the same way.


If you have any questions on these issues, do not hesitate to contact Camille Dornier, Policy Manager: camille.dornier@eurosmart.com

Eurosmart
Rue de la Science 14B - 1040 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64