Approach to Sector-Specific Cybersecurity Schemes: Key Elements and Security Problem Definition

  • Conference paper
  • Multimedia Communications, Services and Security (MCSS 2022)

Abstract

This paper documents an approach to defining cybersecurity certification schemes as candidate methods for sector-specific product certification within the EU Cybersecurity Certification Framework being prepared by ENISA. This is a very recent area of research within the EU landscape. Our work was undertaken within the H2020 ECHO project (www.echonetwork.eu) and is reported in detail in its deliverables. This paper completes the research reported in our previous publication, which contained complete references to the existing state of the art on the certification topic in the EU. Our work started with the identification of the sector-specific needs to be addressed for selected critical sectors. The mandatory Key Elements of a certification scheme, as described in the EU Cybersecurity Act, have been customized, and the sector-specific analysis allowed us to define a Security Problem Definition baseline that can be used to quickly draft a Protection Profile for an asset category of the considered sectors. Security needs have been identified also using the sectoral risk assessment guidelines provided by ENISA for certification purposes. An inter-sector risk scenario has also been developed to highlight the most important security needs for mitigating cross-sector security failures. Finally, Cyber Range technologies have been leveraged for the Conformity Assessment activities of two Maritime and one Healthcare product prototypes, for which certification at the substantial assurance level has been simulated in order to validate our approach.


Author information

Corresponding author

Correspondence to Consuelo Colabuono.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Colabuono, C. et al. (2022). Approach to Sector-Specific Cybersecurity Schemes: Key Elements and Security Problem Definition. In: Dziech, A., Mees, W., Niemiec, M. (eds) Multimedia Communications, Services and Security. MCSS 2022. Communications in Computer and Information Science, vol 1689. Springer, Cham. https://doi.org/10.1007/978-3-031-20215-5_9

  • DOI: https://doi.org/10.1007/978-3-031-20215-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-20214-8

  • Online ISBN: 978-3-031-20215-5

  • eBook Packages: Computer Science (R0)