Security Certification

Security Certification supports the adoption of complex technologies, products and services by increasing trust among end-users. Given that validating the claims of a vendor requires a comparable level of technological skills, it is infeasible for most customers to do it by themselves. Instead, they trust that certification bodies have worked with the vendor to ensure that the product satisfies the joint requirements. Two schemes currently play the most significant role at the international level: the Common Criteria (CC) and FIPS 140- 2/3. Recognizing its importance, requirements for certifications are being set in new areas (e.g., supply chain certification based on the SolarWinds attacks). Security certification goes beyond just the specific devices connected in IoT systems, but also considers the organisational structures that produces these devices and the software that runs on them. At the same time, obtaining certifications becomes more difficult, and the related analyses are stricter (in the light of new attacks).

One of the main challenges associated with security certification is the harmonisation of the wide variety of security certification schemes that coexist together. The current heterogeneity makes it difficult to compare different solutions and processes, especially when a product is evaluated under different certification schemes at national levels. Another challenge is related to standardisation of new and emerging cyber-security technologies using agile and flexible certification process. Despite the limitations of the current approaches, a cyber-security certification scheme should adopt the main concepts, terms and operational aspects from existing standard approaches.

Strategic priorities

• Develop lightweight and automated (re)certification processes to ensure scalability.
• Explain vulnerabilities in certified devices by structuring certification documents that could be easily (deterministically) processed in an automated fashion to enable linkage of certification data to new knowledge regarding vulnerabilities within certified devices (CVEs, etc.).
• Develop methods of cyber-security certification and deployment that ensure all layers and threats are correctly weighted. Cross-referencing certified items to vulnerability databases, like common vulnerabilities and exposures (CVEs).
• Develop security certification labels for devices, software and organisations that provide a simple and unambiguous depiction of the level(s) of the security being certified.

Pilot Research

• Enriching certification report analysis with other open-source intelligence.
• Testing and improving a method for evaluating organisations’ information security.