IACS Components Cybersecurity Certification Scheme (ICCS)

7 Sept 2020
Posted by: José Ruiz

For some time, the industrial sector has been demanding a specific cybersecurity scheme to anticipate and prepare its infrastructures, knowing that these are critical and potential targets for cyber-attacks.

For this reason, ERNCIP, a thematic group based on "Case Studies for the Cyber-Security of IACS", was established in 2016 and proposed a roadmap for the establishment of a cybersecurity compliance and certification scheme for IACS components in Europe.

ERNCIP has recently published a report on Recommendations for the Implementation of a European IACS Components Cybersecurity Certification Scheme (ICCS), produced with close and consistent reference and relevance to the EU Cybersecurity Act (CSA).

This report aims to be the most solid basis for a future European Cybersecurity Certification Scheme dedicated to Industrial Automation & Control Systems Components.

A new scheme for the Industrial Sector

The main aspects of the ICCS scheme recommendations are summarized below:

  • Focus on product certification. The scope of the scheme will not cover systems or services.

  • 3 Assurance Levels have been defined with a direct mapping to the CSA.

  • Fully compliant with CSA (Annex A includes a mapping).

  • Evaluation activities are defined in an agnostic manner and the terminology used is not biased by a standard. It will be the responsibility of the ad hoc group to define the standard or set of standards that may be used to meet the requirement of the ICCS. References to different standards are provided, such as Common Criteria, IEC 62443, LINCE and CSPN, but the recommendations contemplate the possibility of the co-existence of different certification paths.

ICCS involves three levels of security certification (basic, substantial and high), depending on the level at which you want to certify your product. All of the certifications need an accredited third party; this is not the case for the Statement of Conformity, for which a self-assessment is enough:

Depending on the level at which the vendor wants to get the product certified, the elements necessary for the evaluation vary:

Each level of certification requires different evaluation activities, as we can see below:

More information related to the ICCS recommendations may be found on the IACS Components Cybersecurity Certification Scheme website or in the report.

How can jtsec help with your ICCS?

José Ruiz, our CTO, has been the Co-Coordinator and Editor of the thematic group and has been highly involved in the project's development. jtsec is here to help and to answer any questions you may have, so if you want more information, please do not hesitate to ask us.

  • José Ruiz/CTO

    José is an expert consultant on the Common Criteria standard with more than 10 years of experience. He has a wide background in other security assurance standards in the field of information technology, such as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS and LINCE. José has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the "Chairman" of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also a member of different working groups, such as ISO SC27 and Global Platform TEE, and an active member of the ERNCIP group "IACS Cybersecurity certification".

    In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.

