This paper documents the approach to defining cybersecurity certification schemes as candidate methods for sector-specific cybersecurity product certification within the EU Cybersecurity Certification Framework being prepared by ENISA. This is a very recent area of research in the EU landscape. Our work was undertaken within the H2020 ECHO project (www.echonetwork.eu) and is reported in detail in its deliverables. This document completes the research reported in our previous publication, which gave complete references to the existing state of the art on the certification topic in the EU. Our work started with the identification of the sector-specific needs to be addressed for particular critical sectors. The mandatory Key Elements of a certification scheme, as described in the EU Cybersecurity Act, have been customised, and the sector-specific analysis allowed us to define a Security Problem Definition baseline that can be used to quickly draft a Protection Profile for an asset category of the considered sectors. Security needs were identified using, among other inputs, the sectoral risk assessment guidelines provided by ENISA for certification purposes. An inter-sector risk scenario was also developed to highlight the most important security needs for mitigating cross-sector security failures. Finally, Cyber Range technologies were leveraged for the Conformity Assessment activities of two Maritime product prototypes and one Healthcare product prototype, for which certification at the substantial assurance level was simulated to validate our approach.
Approach to Sector-Specific Cybersecurity Schemes: Key Elements and Security Problem Definition / Colabuono, C.; Wiemer, D.; Marabello, M. V.; Lofù, D.; Pappalardo, M.; Bogacki, P.; Dziech, A.; Derkacz, J.; Sanchez, L. A. G.; Konieczna, E.; Bojilova, M.; Chechile, G.; Feletto, R.; Dri, M.; Zamagni, M.; Sansebastiano, E.; Depaix, G.; Ceresola, C.; Opic, B.; Ravenna, M.; Quartullo, M.; Guarino, A.; Modica, P.; Rapone, R.; Tarquini, M.; Armenia, S. - 1689:(2022), pp. 104-117. (Paper presented at the 11th International Conference on Multimedia Communications, Services and Security, MCSS 2022, held in pol in 2022) [10.1007/978-3-031-20215-5_9].
Approach to Sector-Specific Cybersecurity Schemes: Key Elements and Security Problem Definition
Lofù D.;
2022-01-01