ENISA : METHODOLOGY FOR SECTORAL CYBERSECURITY ASSESSMENTS HAS BEEN PUBLISHED!

The European Union Agency for Cybersecurity (ENISA) has recently released the Methodology for Sectoral Cybersecurity Assessments Report. As is well known, the European Union Cybersecurity Act (“CSA”) aims to strengthen trust and security for European consumers and enterprises, as well as to contribute to the creation of a true digital single market.

This requires that all relevant levels of the ICT market, from sectoral ICT services and systems via ICT infrastructures to ICT products and ICT processes, will be addressed and that the related cybersecurity certification schemes are well accepted by the market. The CSA stipulates specific requirements, which target efficiency and coherence between schemes of the CSA’s cybersecurity certification framework. These requirements include:

  • The security and assurance requirements for ICT services, processes, and products should be determined by the risk associated with their intended usage.
  • Levels of assurance should be applied uniformly across schemes.
  • Support for security-by-design.

The Methodology for Sectoral Cybersecurity Assessments described in this document (hereinafter called the SCSA Methodology) addresses these objectives in the context of drafting sectoral cybersecurity certification schemes, which address ICT services in individual market sectors. It is intended to be used as a preliminary step in the definition of a candidate scheme, involving sectoral stakeholders.

A fundamental principle of the proposed methodology is to establish a sound understanding of the sectoral ICT services and infrastructure as a foundation for all other functions.

  • A cybersecurity assessment at the sectoral level will provide information about the objectives of the sectoral stakeholders and will identify the primary assets and related risks. As an enhancement of the typical risk assessment procedure, a ‘deep dive’ to gain detailed information about the intended use of relevant subsystems, products or services will be conducted. In addition, cyber threat intelligence (“CTI”) will be employed to provide information on potential attackers, their motivation and capabilities. This adds an important parameter to the risk analysis and contributes to the information needed to assign security and assurance requirements to ICT subsystems, ICT products or ICT services based on risk.
  • The SCSA Methodology provides the option to integrate sectoral, product, process and potentially also ISMS-based cybersecurity certification schemes. It offers a concept of internal risk, security and assurance reference levels. If these are commonly used, they will support consistency in the definition of risk, security and assurance across schemes. The SCSA Methodology is designed to address a wide range of certification schemes, beyond Common Criteria or other ISO/IEC 15408-based schemes. Optionally other types of certification schemes can be integrated to establish consistency across the various types of schemes that support the proposed methodology.
  • A link between the ISO/IEC 270xx series of standards and ISO/IEC 15408 is needed to allow information to be exchanged between the outcome of risk assessment and the specification of security and assurance of products. The expert team has developed a mapping approach that addresses existing divergences of terminology between these standards and allows the transfer of the information that is required.
  • The introduction of a common, scalable approach to risk-based security and assurance supports the definition of scaled controls. These controls are associated with clear security levels which are defined in accordance with their ability to treat risk and protect against known attack potentials. The expert team has drafted a sample list of scaled controls and has described how these controls can be used in a coordinated way.

Based on these properties and functions, the SCSA Methodology has the potential to fully support the aforementioned requirements stipulated by the CSA and to promote the market acceptance of cybersecurity certification in the following ways:

  • The SCSA Methodology supports the identification of risk associated with the intended use of ICT systems, ICT services and ICT processes at any level of the sectoral architecture. In applying the methodology, relevant stakeholders will be responsible for the identification of risks and they will be involved in the definition of security and assurance requirements. This will allow them to balance their view of risks against the investment needed to mitigate these risks by introducing appropriate levels of security and assurance. It can be expected that this transparent, cooperative approach will contribute significantly to the market acceptance of schemes under the CSA.
  • As required by the CSA, consistency in the implementation of assurance levels can be achieved across schemes. This will allow the re-use of certificates issued by one scheme in other schemes, thus providing an important benefit both to the business interests of product and infrastructure service providers and to their customers. At the same time, the methodology’s approach to consistency is also flexible enough to support the integration of new types of cybersecurity certification schemes, which may emerge as a result of specific requirements from different markets.
  • Introducing a common concept for security levels facilitates the definition of controls which can be commonly used across participating schemes. This provides a sound basis for the introduction of libraries of such controls. The availability of those could significantly promote the introduction of security-by-design, as well as the implementation of defined security levels in ICT products, ICT processes and also in ICT systems.

Applying the SCSA Methodology will generate sound information about the sectoral system and defined relationships between the stakeholders involved, which may enable additional tangible benefits, including:

  • Product and service providers will benefit from reliable information about the intended use of their products and services, as well as sectoral security and assurance requirements. This will allow them to optimize their products and their market reach.
  • The defined relationships between risk, security and assurance proposed by this methodology support the definition of horizontal products and services, which can serve various sectors.
  • A sound understanding of the ICT system, the defined roles of the relevant parts and stakeholders, and the availability of controls with defined properties concerning risk and attack potential open new options, especially for sectors that have, for example, to deal with cost pressures and attackers with an elevated potential at the same time. Based on this methodology, the deployment of controls may be coordinated and firmly agreed upon between stakeholders. For example, a basic-level control in an IoT device and a medium-level control in the sectoral back-office may be concatenated and coordinated in such a way that they jointly reach a security level that also protects against elevated attack potentials.

The version of the methodology described in this document is sufficiently mature to allow a first practical use in drafting sectoral cybersecurity certification schemes. Experience gained from this first deployment should be used to improve and consolidate the methodology.

In summary, the proposed methodology not only supports the workflow of drafting the CSA cybersecurity scheme but also offers a potential for broader use by sectors and providers of infrastructure.

You can find the full text of the ENISA Report here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr