Executive summary
The EU Cybersecurity Act (CSA) has made a dramatic change in the domain of cybersecurity evaluation by creating a single framework that federates different evaluation schemes, harmonising cybersecurity evaluation across the EU and thereby creating a single European cybersecurity market.
The EU Cybersecurity Certification Framework makes it easier for ICT manufacturers and developers to serve the EU market. A unified certification framework across the whole EU reduces the effects a fragmented market has on the economy. To support the creation of certification schemes under this framework, the role of standardisation bodies is very important.
The SDOs (Standards Developing Organisations) will provide the necessary standards to support the framework to be defined by ENISA at the request of the European Commission. There is a significant risk of creating inconsistent standards focused on vertical domains, despite the fact that cybersecurity is highly transversal. There is a strong need to create horizontal standards with potential international coverage. The role of ENISA and its involvement in standardisation tasks is essential in creating a harmonised frame for developing such standards.
Europe aims to lead the cybersecurity certification and standardisation area for ICT products, processes and services. The EU Cybersecurity Act is an opportunity to have a harmonised market for cybersecurity. It opens a whole field of work, putting consumers and citizens at the centre of businesses’ thinking, and aims to improve EU cyber resilience and response by building upon existing instruments provided by SDOs for keeping networks and information systems secure.
In this document, we present how valuable cybersecurity standardisation efforts could be for certification, what the roles and responsibilities of SDOs are in this context, and how standardisation can efficiently support the creation of certification schemes by following a step-by-step methodology.
The methodology described in this study could be used as guidelines for the authors of new certification schemes or standards. It will help set up KPIs that are useful for all stakeholders involved in the preparation or operational phase of a certification scheme. The qualification system proposed can also be used to define more precisely the requirements associated with the different assurance levels mentioned in Article 52 of the Cybersecurity Act, “Assurance levels of European cybersecurity certification schemes”.
With regard to standardisation activities, we propose a set of recommendations for the Standards Developing Organisations and the prospective authors of certification schemes:
- The EU rolling work programme for standardisation should be aligned with the Union Work Programme for certification, so that the SDOs can provide appropriate standards for the certification schemes.
- Horizontal (multi-sectorial) standards for cybersecurity must be privileged in cybersecurity evaluation, but also in other domains, as described in 3.1.
- It is very important to avoid competition between SDOs. In the EU, ESOs cannot develop overlapping ENs (European Norms). A coordinated joint approach between CEN, CENELEC and ETSI must be strongly encouraged and supported by the European Commission through adequate standardisation requests.
- When an international standard exists in a specific area and at least partially covers a targeted domain, it must be the preferred choice.
- Competition and overlaps have to be carefully managed. The EU rolling plan can be an appropriate coordination tool to synchronise the cybersecurity evaluation framework and its associated standards.
- ISO/IEC JTC1/SC27 should be considered the first reference for cybersecurity standardisation.
- It is important to improve the cooperation between CEN CENELEC JTC13 and ETSI TC CYBER and to ensure that the majority of cybersecurity standards, and in particular those for cybersecurity evaluation, will be developed in joint working groups. This will guarantee that all relevant standardisation requests are taken into account jointly.
- ISO/IEC 15408/18045 (Common Criteria and its evaluation methodology), IEC 62443-4-2 (Security for industrial automation and control systems, Part 4-2: Technical security requirements for IACS components) and EN 303 645 (Cyber Security for Consumer IoT) can constitute the basis for all cybersecurity evaluation. They neither overlap nor compete with each other, but can be seen as complementary. An introductory guide to their usage should be developed for the creators of certification schemes.
The Standards Developing Organisations (especially the European ones: CEN, CENELEC and ETSI) have to interact in order to avoid overlaps, contradictions or incompatibilities between standards and certification schemes. ENISA should participate in the relevant committees (CEN CENELEC JTC13 and ETSI TC CYBER as first priority) and encourage joint work between CEN CENELEC and ETSI, especially for topics related to the implementation of the EU Cybersecurity Act. To this aim, an interface mechanism between the Agency and the SDOs should be created, allowing quick access to information concerning the standards in the certification areas under consideration.
For any questions on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com