As we all know, Europe is one of the leading players in the world in terms of cybersecurity certification. The main European countries issuing certifications, such as France, the Netherlands, Germany and Spain, have created their own lightweight/Fixed-time methodologies (CPSN, BSPA, BSZ and LINCE). All of them with many similarities, but also with quite a few national differences within them. This panel discussion will open the discussion among the relevant stakeholders for European recognition of these schemes. The panel will also discuss on the future European fixed-time methodology lead by JTC13 WG3, called FITCEM, which aims to unify all European schemes into a single one. The panel will discuss the potential impact that FITCEM will have both technically and in terms of the European market to the different stakeholders (manufacturers, laboratories, certification bodies, institutional agencies, etc.).
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
EUCA22 Panel Discussion: Differences between lightweight certification schemes
1.
2. Panelists
ISO/IEC
19896
José Ruiz (Moderator)
Co-founder and CTO, jtsec Beyond IT Security, Spain
Helge Kreutzmann
Senior Expert Bundesamt für Sicherheit in der Informationstechnik, Germany
Philippe Magnabosco
Policy Advisor for External Standards, ANSSI, France
Maria Christofi
ITSEF COO, Oppida, France
Pablo Franco
Head of Certification Body, CCN, Spain
Petr Kazil
Security Consultant, NLNCSA, Netherlands
3. ❑ CSPN –Certification de Sécurité de Premier Niveau
❑ BSPA –Baseline Security Product Assessment
❑ LINCE –National Essential Security Evaluation
❑ BSZ –Beschleunigte Sicherheitszertifizierung
❑ and possibly more …
❑ … and then came the “Cybersecurity Act” with 3
assurance levels.
❑ … and possible verticals using them (e.g. IACS).
The fixed-time cybersecurity certification landscape in Europe
*Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION
METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021
4. ❑ Flexible application:
❑ All CSA evaluation assurance levels, including self-assessment
❑ Horizontals and verticals
❑ Adaptable by parameters where possible
❑ Bare minimum required by CSA shall be possible
❑ Existing methodologies (LINCE, CSPN, …) should be reproducible
❑ The workload on the developer shall be reduced where possible
❑ This might imply higher work load for evaluators
❑ Evaluator competence is important
❑ This is not a “lightweight” CEM (ISO/IEC 18045)
Design principles of EN 17640 (extract)
*Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION
METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021
EN 17640
5. ❑ Completeness check
❑ Protection Profile / Security Target evaluation /
Review of security functionalities
❑ Development documentation
❑ Evaluation of the TOE installation
❑ Conformance testing
❑ Vulnerability review
❑ Vulnerability testing
❑ Penetration testing
❑ (Basic) crypto analysis
❑ Extended crypto analysis
Evaluation Tasks
*Information taken from the presentation INTRODUCING FITCEM (FIXED-TIME CYBERSECURITY EVALUATION
METHODOLOGY FOR ICT PRODUCTS) by Dr. Helge Kreutzmann at EUCA 2021