The IACS Cybersecurity Certification Framework (ICCF)


The IACS Cybersecurity Certification Framework (ICCF)
Lessons from the 2017 study of the state of the art

P. THERON, A. LAZARI
April 2018

The research leading to these results has received funding from the European Union as part of the European Reference Network for Critical Infrastructure

EUR 29237 EN

ERNCIP Thematic Group: European IACS Cybersecurity Certification
IACS Cybersecurity Certification Framework (ICCF): Lessons from the 2017 study of the state of the art

European Reference Network for Critical Infrastructure Protection (ERNCIP Project)
https://erncip-project.jrc.ec.europa.eu/

This publication is a technical report by the Joint Research Centre (JRC), the European Commission’s science and knowledge service. It aims to provide evidence-based scientific support to the European policymaking process. The scientific output expressed does not imply a policy position of the European Commission. Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use that might be made of this publication.

JRC Science Hub
https://ec.europa.eu/jrc

JRC111611
EUR 29237 EN
ISBN 978-92-79-85968-7, ISSN 1831-9424, doi:10.2760/856808

Luxembourg: Publications Office of the European Union, 2018
© European Union, 2018

The reuse of the document is authorised, provided the source is acknowledged and the original meaning or message of the texts is not distorted. The European Commission shall not be held liable for any consequences stemming from the reuse.

How to cite this report:
Theron, P. and Lazari, A., The IACS Cybersecurity Certification Framework (ICCF). Lessons from the 2017 study of the state of the art., EUR 29237 EN, Publications Office of the European Union, Luxembourg, 2018, ISBN 978-92-79-85968-7, doi:10.2760/856808, JRC111611

All images © European Union 2018.

Contents

Abstract
1 Executive summary
2 Introduction
  2.1 The history and work of the ERNCIP IACS Thematic Group
  2.2 Methodology of the exercises
  2.3 Contents of the report
  2.4 The ICCF and support to the European Commission’s roadmap towards European cybersecurity certification
  2.5 Contributions
3 List of abbreviations
4 NETs’ undertakings and analysis
  4.1 French NET
    4.1.1 Tests performed by the NET
    4.1.2 Documents delivered by the French NET
    4.1.3 Analysis of French practices
    4.1.4 Overall process of the CSPN methodology
    4.1.5 Model of a protection profile
    4.1.6 Table of contents of a CSPN protection profile
    4.1.7 Table of contents of a CSPN security profile (named security target)
    4.1.8 Relation between the evaluation process and the certification process
  4.2 Polish NET
    4.2.1 Tests performed by the NET
    4.2.2 Documents delivered by the Polish NET
    4.2.3 Protection profiles elaborated by NET-PL
    4.2.4 Certification process model
    4.2.5 Further details provided by Polish NET
  4.3 Spanish NET
    4.3.1 Tests performed by the NET
    4.3.2 Documents delivered by the Spanish NET
    4.3.3 Further details supplied by the Spanish NET
5 Synthesis of NETs’ outcomes: list of recommendations for phase 4
6 Collective findings of the NETs
7 Conclusion: proposed 2018-2019 programme of action
  7.1 Main goals
  7.2 Further studies are required
  7.3 Focused projects should be launched
  7.4 NETs and partners to involve in phase 4
  7.5 ICCF phase 4 governance
  7.6 Setting goals for every stakeholder
  7.7 Coordination of ICCF phase 4 projects
8 List of tables and illustrations
9 References
ANNEX I – FRENCH National Exercise Team
ANNEX II – POLISH National Exercise Team
ANNEX III – SPANISH National Exercise Team

Abstract

The principal goal of this report is to present the experiments of the industrial automation and control systems (IACS) component Cybersecurity Certification Framework (ICCF) performed in 2017 by the national exercise teams (NETs) of several Member States, namely France, Poland and Spain. Based on real-life cases of use and simulations of ICCF activities, this report documents the current practices of these countries and NET members’ views in relation to IACS products’ cybersecurity certification. These studies have led to a series of findings that will be useful for the future of the ICCF in the context of the European Cybersecurity Certification Framework. In conclusion, a plan of action is proposed for the 2018-2019 period.

1 Executive summary

The ERNCIP IACS Cybersecurity Certification Thematic Group has worked towards fostering IACS cybersecurity certification in Europe. To that end, the thematic group has elaborated the IACS component Cybersecurity Certification Framework (ICCF). The ICCF has inspired the European Cybersecurity Certification Framework (ECCF).

The ICCF:

- proposes four IACS cybersecurity certification schemes (ICCS):
  o ICCS-C1 (self-declaration of compliance);
  o ICCS-C2 (independent compliance assessment);
  o ICCS-B (product cyber resilience certification);
  o ICCS-A (full cyber resilience certification);
- that involve up to three evaluation activities:
  o compliance assessment (in all four ICCS);
  o cyber resilience testing (ICCS-B and A);
  o development process evaluation (ICCS-A);
- that require the guidelines and resources of three pillars:
  o IACS Common Cybersecurity Assessment Requirements (ICCAR);
  o IACS Components Cybersecurity Protection Profiles (ICCPRO);
  o the IACS Cybersecurity Certification Process (ICCP);
- and involves a fourth pillar for fostering and disseminating the ICCF:
  o the IACS Cybersecurity Certification EU Register (ICCEUR).

First, the present report documents existing practices in several EU Member States in relation to the ICCF’s evaluation activities and pillars.

Next, the findings from those studies are presented. They are expected to help to improve the ICCF and foster its use in the context of the ECCF.

Finally, the report draws, from the previous elements, a plan of action that could be implemented in the 2018-2019 period in order to turn the ICCF into a fully usable scheme in the context of the ECCF.

Feedback and inquiries should be communicated to:
Joint Research Centre
ERNCIP Office
jrc-erncip-office@ec.europa.eu

2 Introduction

2.1 The history and work of the ERNCIP IACS Thematic Group

In 2013, partner directorates-general of the European Commission and the Joint Research Centre (JRC) mandated the ERNCIP IACS Thematic Group to undertake a preliminary feasibility study of an IACS cybersecurity certification framework.

The ERNCIP IACS thematic group has gone through three successive phases.

- 2014 aimed at taking stock of the context, needs and requirements and outlining the principles of a European IACS cybersecurity certification framework.
- 2015 was an intermediate time of reflection, communication with stakeholders and planning.
- 2016 saw the second phase of our thematic group, with a goal to deliver practical recommendations to the industrial systems community at large. This second phase delivered the IACS components Cybersecurity Certification Framework (ICCF).
- 2017 marked the third phase of the ERNCIP IACS Thematic Group. During this phase, several Member States took part in an experiment aimed at documenting the current practices in relation to IACS cybersecurity certification.

In 2017, each participating Member State created a national exercise team (NET) that involved:

- its national cybersecurity agency;
- an IACS vendor;
- a certification authority;
- a cybersecurity evaluation laboratory (often called information technology security evaluation facility (ITSEF));
- possibly industry representatives, academics or experts.

Six NETs were expected to take part in the ICCF phase 3 work plan.

Figure 1: Planned ICCF phase 3 NETs
Germany, Spain, France, the Netherlands and Poland, and the CEN-Cenelec Cyber Security Coordination Group (CSCG).

However, only France, Poland and Spain could complete the exercise assigned to their NETs.

Each NET was due to explore the ICCF activities through the following choice of exercises:

- E1 — elaboration of a protection profile (PP) and a security profile and reporting on the easiness/difficulty of this activity;
- E2 — simulation of a product compliance assessment, and reporting on the easiness/difficulty of this activity;
- E3 — simulation of testing a product’s cyber resilience, and reporting on the easiness/difficulty of this activity;
- E4 — simulation of the evaluation of a product’s development process, and reporting on the easiness/difficulty of this activity;
- E5 — abandoned, not defined;
- E6 — study of ICCF governance bodies and

[Table: exercises, use case, vendor and product per NET. Vendors listed: Compumatica Secure Networks BV, Mikronika, Polon-Alfa, Siemens. Products listed: MagiCtwin Diode, RTU (v1 and v2), CIE for fire detection and alarm, SIMATIC RTU3030C remote terminal unit (RTU).]

NB: Only French, Polish and Spanish NETs’ results are taken into account in this report.

2.2 Methodology of the exercises

Each NET had to perform the following tasks:

- Select a use case (NB: the Polish NET relied on three use cases), i.e. an IACS component that would serve as the material basis of the exercise.
- Establish its composition under the direction of the country’s national c
