Cyber security certification challenges by ENISA: a critical view

In December 2016 ENISA published the report "Challenges of Security Certification in Emerging ICT Environments" [PDF], in which it analyzes the certification landscape in five sectors: energy, water transport and rail transport, ICT, and health care.

The objective of this post is to comment on some of the conclusions of that report:

"...without an EU approved standard, harmonised testing and corresponding certification..."

It is clear that it should be possible for a certification issued in one Member State to be used in another. Nevertheless, the approach we should take is not to have all Europeans speak Esperanto but, accepting that many languages are going to coexist in Europe, to be able to translate French into English, English into Spanish, and then Spanish into Italian.

In this way, instead of trying to reach a global agreement (which is going to be really difficult), we "only" have to develop mechanisms to translate between certification systems.

"The key finding is that every sector has its own functional and security challenges which makes the target of a common certification framework a challenge."

We completely agree. It is obvious that every sector, and indeed every organization, faces a specific risk scenario and has its own risk appetite, which unfailingly leads to each sector and each organization having its own security standard. For the same reason, a common certification framework is not a challenge; it is impossible.

For this reason, an approach based on levels, such as the one LEET Security is proposing, provides the right framework to "reach an agreement" between the different security standards of each sector.

"Standalone certified devices are considered trustworthy. However, after integration in a real computing environment this might not be the case."

"... it is observed that a small part of the security will be supported by the components or devices that compose the systems while the larger part of the security will depend on the processes and procedures that are in place."

What both conclusions (which are the same for all five sectors) are telling us is that component certification is a necessary condition, but not a sufficient one. However thoroughly a component is certified, if it is not correctly operated its secure design is useless. Again, this conclusion confirms that the approach LEET Security is taking, based on the assessment of the security controls implemented in service operation, is the appropriate one.

"Outsourcing of specific tasks or functions increases the risk of being vulnerable to cyber-attacks."

"Both vendors and asset owners should take a holistic view when it comes to security certification and not merely focus on the functional element of the devices they use. Only after verification of a system in its entirety, including procedures for operation and maintenance, can it be considered cyber secure."

If there is one thing LEET Security is focusing on, it is value chain security (as our collaboration with INCIBE to publish the C4V framework shows). Our rating methodology is being integrated into the procurement processes of relevant companies in different sectors, because the labels displayed after the rating process provide them with the information they need about the security controls implemented by service providers.

But, in any case, we can never consider a service cyber secure, however many security verifications it has gone through, because absolute security does not exist. So we think it is much more appropriate to evaluate the robustness of the security measures implemented and to express an opinion on that robustness on a scale (for example from 1 to 5, or from D to A+).

"This is a cross-sector threat where devices connected to complex and critical systems are mostly unmonitored."

This is a crucial issue, because in our analysis of the ratings issued in 2016 we concluded that monitoring is the security control with the worst overall rating.

"Cyber security service providers are recommended to implement an IT service management framework in their organizations as a proof that their services meet customers' needs."

"Furthermore, they [customers] should seek security service providers with an IT service management system which is based on international and widely known standards, e.g. ITIL, ISO/IEC 20000, etc."

Clearly, every little bit helps, and if providers implement an IT service management framework they will offer more guarantees than if they do not. But considering that we are talking about security, this recommendation seems to us quite soft, and confusing: implementing a management system does not imply that the services are provided with any minimum level of security. If ENISA wishes to make a useful recommendation in this field, we think it should recommend that customers use methods for knowing the effective security level implemented in the services they use (and security level labelling is unrivalled in providing that information).