Certification schemes for products and services &

advanced Technical Communities (aTC)

May 2016 Eurosmart PSSC / Francois Guerin

PSSC

The Product and System Security Committee gathers a body of

experts with a combined knowledge of the major players of the

secure element industry, SE software developers, SE personalisers.

Most of them are also members of ISCI-WG1 and JHAS groups.

Cybersecurity contractual Public-Private

Partnership (cPPP)

Cybersecurity Products & Services

Verticaldomains

Industry Energy Transport Finance eGov Health(…)

Infrastructures OS Appli

Mobile IoT Network Web services

Cloud

Product&Services

Data Mgt Appli Mgt

Id Mgt Config Mgt

DeviceMgt

Network Mgt

Security activities

Evaluation Siteaudit

Certification Risk Mgt Training Awareness

Security Evaluation / Certification

means to reach objective : Confidence

Sponsor

Risk

acceptance

Uses

Decision

To take

System or

Product

To deploy

Environment

Countermeasures

To implement

To protect

Risk

Management

process

Level of

confidence

Imposes

requires

Security evaluation

May require

Confidence comes from evaluation / certification driven by :

Assurance x Resistance x Expertise x Independency

Hierarchy and type of requirements

According risk assessment for each business case, level of confidence

to reach for each type of requirements should be adapted.

Objective Type of Requirements Type of Evaluation

Correctness

of Product

Security Functional Requirements

Security Assurance Requirements

Review of Evidences +

SecurityTests

Correctness

of Process

Security Assurance Requirements Review of Evidences +

Audit

Correctness

of Environment

Security Assurance Requirements Review of Evidences +

Audit

Correctness

of Guidance

Security Assurance Requirements Review of Evidences

Robustness

of Product

Security Functional Requirements Vulnerability assessment

+ Penetration Tests

Robustness

of Environment

Security Assurance Requirements

(Minimum Site Security Requirements)

Review of Evidences +

Audit

Return from experience: Common Criteria

• National schemes driven by Certification authorities (CB)

• Using several labs accredited for dedicated technical

domains (or not)

• Requirements explicitly refined in CC, CEM and supporting

documents.

• CC provides several types of recognition

– Recognition at CCRA level between worldwide CBs (27)

– Recognition at SOG-IS level between EU CBs (10)

– Recognition by private issuers on case by case

Genericity of CC requirements allows usage for

most of types of products

CC and EAL scale

What Higher EAL means

More constraints on documentation,

testing and environment security

Better reliability on security features

implementation

Better confidence (EAL) that

product complies to its security

specifications,

Higher resistance (AVA_VAN) to

attack potential

MIN MAX

Common Criteria eco system

CCRA and iTC

• International Technical Community concept (iTC) has been

recently created* to maintain level for CCRA recognition to

(EAL4/AVA_VAN.3) using Collaborative Protection Profile (cPP)

• iTC regroups CB, Labs, Vendors and any entity interested to

contribute to define requirements for a Technical Domain

• iTC provides collaborative protection profile to evaluate

product

• Limitations are targeted level :

* for Correctness [EAL1 to 4]

* for Robustness [AVA_VAN.1 to 3]

(*) Note: iTC idea comes from success of ISCI working groups

managed by Eurosmart and dedicated to Secure Element

Return from experience: private schemes

Most of private schemes focused on

• a technical domain with local or global organizations

(Finance: EMVCo, PCI, Mobile : GSMA) or

• per Issuer (Entertainment: payTv, Transportation: ticketing)

• with security requirements often linked to a business case

and often not fully defined in supporting documents

• Given recognition limited to organization

– Recognition only by given private certification authority

– Recognition by Private issuers on case by case

Efficient for a product but usually few reuse for

other technical domain

Proposal for larger scale recognition and use

Definition of advanced Technical Communities (aTC)

to extend concept of iTC to obtain recognition between

scheme among EU (and even more) of High level of

assurance, and

to combine or select advantages of Standard (CC) and

Private schemes

• Allowing sharing of common methodology, expertise, tools

and specialize only when needed.

• Build on existing sharing solution that works to achieve high

level of confidence in Correctness (up to EAL7) and

Robustness (up to AVA_VAN.5) when required.

aTC mapping in cPPP

EUROPEAN COMMISSION

WG

Standardisation

Certification /

EU Label

WG Sectoral

demand

(market

applications)

WG Support

SME, East EU,

…

WG Value

Chain

Management

ECYSA - Board of Directors (management of the ECYSA Association:

policy / market actions)

European Cybersecurity

Council

(High Level Advisory Group:

EC, MEP, MS, CEOs, …)

WG

Market

development

/ Financing

Export

WG SRIA

Technical

areas

Products

Services

areas

WG Education,

training,

awareness,

exercises

Coordination / Strategy Committee

INDUST.

POLICYR&I

Our targeted WG as anchor of aTC(s)

ECYS - Cybersecurity cPPP

aTC as input for schemes

WG

Standardisation

Certification /

EU Label

aTC - SE

aTC - Automotive

aTC - Smart Energy

aTC - Mobile

aTC - Health

cPPP

WG deliverables

aTCdeliverables

Used in(public / private)

Certification schemes

driven by CA

aTC organization

Governance Group (at least 2 Certification Authorities)

• To manage application of aTC rules

Chairman and Vice Chairman for aTC management

• To manage aTC objectives and activities

Members

• National Certification Authorities [for CC]

• Private Certification Authorities [when required]

• Laboratories involved in CC and/or private schemes

• Vendors

• Product Issuer / Service Provider

Liaison with Standardization organization (ETSI, CEN)

aTC a cornerstone for new schemes

• Any security schemes need explicit rules and

recognised expertise to perform accurate and

repeatable evaluations.

• aTC will provide them by creating communities

between vendors, laboratories, certification

authorities working with such objectives.

– Labs will provide expertise for methodology definition

– CBs are required to create conditions for recognition and

independency vs vendor.

– Vendors will be involved for accuracy of definition of

security needs and evaluation work

Expected results from WG

o Manage a working group

o Facilitate collaboration between aTC(s)

o Defining objectives and roadmap for WG

o Follow action plan for generic activities

o Provide generic supporting documents

o generic Term of Reference (TOR)

o ITSEF expertise requirements & validation procedure

o Specific template to define rules for evaluation methodology

o Vulnerability assessment & Attack Quotation methodology

Expected results from aTC(s)

o Setup and maintain methodology

o Specific Term of Reference (TOR)

o Essential Security Requirements type of products

o Protection Profile per type of products

o Attack Path Dictionnary

o Attack Method (tools and techniques & rating)

o Laboraotry expertise requirements & qualification procedure

Expected Planning

23

Now Step1

Lobby

Founding members

By laws

Structure setup

Step2

Communication with CA

Member recruitment

ATC Kickoff

ATC documentation

aTC SE Live

Go / NOGO

aTC running

20172016

aTC template

www.eurosmart.com

THANK YOU FOR YOUR ATTENTION

francois.guerin@gemalto.com Eurosmart