Challenges of security certification in emerging ICT environments
Security certification is very limited in industrial environments despite the growing number of cyber attacks on what is considered EU Member State Critical Information Infrastructure (CII). There are "good" reasons for this situation; however, the community's questions about the contribution of certification to the cyber security of the industrial CII production line remain unanswered. Today, without an EU-approved standard, harmonised testing and corresponding certification, answering these questions is complicated and unclear. This is a major issue given the desire and policy agenda towards a more integrated and global digital infrastructure, which is needed to support the internal European market. This study aims to provide a thorough description of the cyber security certification status concerning the most critical equipment in different critical business sectors. More specifically, five sectors have been selected for more detailed investigation, to cover a broad spectrum of requirements and cases that could lead to certification drivers for these devices. The five sectors are energy, ICT, health care, rail transport and water transport. The key finding is that every sector has its own functional and security challenges, which makes a common certification framework a challenging target. The energy sector, for example, largely depends on real-time interfaces at the process automation level to provide a stable and reliable electrical power supply. The need for more real-time data exchange is increasing due to the decentralization of the power grid, increasing penetration of renewables and further integration of markets. The health care sector, on the other hand, largely depends on information systems and interfaces, like centralized patient databases that are used by companies that provide healthcare. Automation takes place on a small scale, for example at hospitals to provide health monitoring. Transportation is mostly about logistics and safety. Finally, trains on a track need to be able to communicate with the generic infrastructure, while in water transportation a vessel contains automation systems ranging from office automation to process automation concerning electric power supply and vessel control. At the same time, ICT becomes the common processing platform which supports all these different functional and security requirements. This underlines the (increasing) need for a common approach to standards and frameworks for certification.
Year of publication: | [2016] |
---|---|
Institutions: | European Network and Information Security Agency (issuing body) |
Publisher: | Heraklion : ENISA |
Subject: | Informationstechnik | Information technology | Standardisierung | Standardization | Datensicherheit | Data security | Welt | World |
Extent: | 1 online resource (56 p.), illustrations (color) |
Type of publication: | Book / Working Paper |
Language: | English |
Notes: | Bibl. : p. 55-56 |
ISBN: | 978-92-9204-183-0 |
Other identifiers: | 10.2824/42310 [DOI] |
Source: | ECONIS - Online Catalogue of the ZBW |
Persistent link: https://www.econbiz.de/10015291807