Europe moves towards cybersecurity certification for industrial systems

Today’s closely interconnected industrial systems are highly exposed to cyberthreats, with potentially serious consequences not only for the economy but also for people and the environment. The European Commission set up a working group coordinated by Thales to look at how a European certification scheme could improve the cybersecurity of such systems.

The working group's report — compiled for the European Commission’s DG JRC (Joint Research Centre) between March and November 2014 — identified ways to define and implement a European system to certify industrial system components by 2020.

The working group, with representatives of government agencies (France, Germany, Spain and the United Kingdom), suppliers (Schneider and Siemens), industry (RTE, ADP and Transgaz) and consultants and representatives of the DG JRC [1], accomplished this task in three stages.

First, 13 case studies looked at how industry players perceive cyberthreats to their production systems (automation and control, supervisory control and data acquisition (SCADA) systems, etc.).

The case studies confirmed a clear preference for certified components, and on this basis four levels of compliance and certification were then proposed:

  • Level 1 is a self-assessment by the supplier to analyse compliance against a baseline of engineering best practices.
  • Level 2 is a compliance analysis of a component by a third party (a certifying body or specialist laboratory, for example).
  • Level 3 is intended to certify the product and involves additional security testing (penetration, vulnerabilities, etc.). This level of certification meets the most common requirements.
  • Level 4 certifies both the product and manufacturing processes. This level meets the very stringent requirements of critical sectors like defence and space.

Lastly, the working group submitted a plan entailing seven actions over five years (2015-2020) to implement this European certification scheme:

  1. Engage all players (government agencies, contractors, suppliers, etc.) in the project and establish a detailed framework and schedule for all subsequent actions
  2. Set up a register of certified industrial products
  3. Draw up a European baseline compatible with existing baselines [2]
  4. Define cybersecurity profiles for each product type (e.g. automation and control servers, communication antennas, remote terminal units (RTU), etc.)
  5. Define certification processes (how to perform a self-assessment, who to contact to get products certified, etc.)
  6. Draw up a transition plan to implement the European certification process (priorities, methods, cost, training, accreditation of certifying bodies, etc.)
  7. Launch and implement (communication, events, brochures, support, etc.)

With the backing of the European Commission, the DG JRC is already working to implement this action plan. Paul Théron (Thales), the working group’s coordinator, presented the report’s main conclusions and recommendations at the European Reference Network for Critical Infrastructure Protection (ERNCIP) conference in Brussels.

More information:

Download the report: Proposals from the ERNCIP Thematic Group, “Case Studies for the Cyber-security of Industrial Automation and Control Systems”, for a European IACS Components Cyber-security Compliance and Certification Scheme, November 2014

[1] The full list of contributors is on page 8 of the report, which can be downloaded from the ERNCIP website at https://erncip-project.jrc.ec.europa.eu/networks/tgs/ics-use-cases

[2] Common Criteria, standard IEC 62443, NIST (National Institute of Standards and Technology, USA), MITRE (USA), ENISA (European Agency for Network and Information Security), government IT security agencies (France, Germany, Spain, UK)