ECSO State of the Art Syllabus V1 ABOUT ECSO
Total Page:16
File Type:pdf, Size:1020Kb
STATE OF THE ART SYLLABUS Overview of existing Cybersecurity standards and certification schemes WG1 I Standardisation, certification, labelling and supply chain management JUNE 2017 ECSO State of the Art Syllabus v1 ABOUT ECSO The European Cyber Security Organisation (ECSO) ASBL is a fully self-financed non-for-profit organisation under the Belgian law, established in June 2016. ECSO represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP). ECSO members include a wide variety of stakeholders across EU Member States, EEA / EFTA Countries and H2020 associated countries, such as large companies, SMEs and Start-ups, research centres, universities, end-users, operators, clusters and association as well as European Member State’s local, regional and national administrations. More information about ECSO and its work can be found at www.ecs-org.eu. Contact For queries in relation to this document, please use [email protected]. For media enquiries about this document, please use [email protected]. Disclaimer The document was intended for reference purposes by ECSO WG1 and was allowed to be distributed outside ECSO. Despite the authors’ best efforts, no guarantee is given that the information in this document is complete and accurate. Readers of this document are encouraged to send any missing information or corrections to the ECSO WG1, please use [email protected]. This document integrates the contributions received from ECSO members until April 2017. Cybersecurity is a very dynamic field. As a result, standards and schemes for assessing Cybersecurity are being developed and updated frequently. To take these developments into account, this document may be updated on a regularly basis, each 6 months, based on received contributions. Third-party sources are quoted as appropriate. ECSO is not responsible for the content of the external sources including external websites referenced in this publication. The use of the information contained in this document is at your own risk, and no relationship is created between ECSO and any person accessing or otherwise using the document or any part of it. ECSO is not liable for actions of any nature arising from any use of the document or part of it. Neither ECSO nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Cyber Security Organisation (ECSO), 2017 Reproduction is authorised provided the source is acknowledged. European Cyber Security Organisation (ECSO) • www.ecs-org.eu Rue Montoyer, 10, 1000 Brussels Belgium i ECSO State of the Art Syllabus v1 TABLE OF CONTENTS 1 INTRODUCTION ............................................................................... 1 2 Overview ........................................................................................... 5 2.1 Cybersecurity standards and schemes for products and components (SWG 1.1) 5 2.1.1 Standards and schemes for generic IT products ............................................... 5 2.1.2 Standards and schemes for products used in Industry 4.0 and ICS (SWG3.1) .. 6 2.1.3 Standards and schemes for products used in energy networks and smart grids (SWG3.2) ....................................................................................................................... 6 2.1.4 Standards and schemes for products used in telecom, media and content (SWG3.8) ....................................................................................................................... 7 2.1.5 Standards and schemes for products used in the payment industry .................. 7 2.1.6 Standards and schemes for cryptographic modules .......................................... 8 2.1.7 Standards and schemes for web applications ................................................... 8 2.1.8 Standards and schemes for IoT products .......................................................... 8 2.1.9 Standards and schemes for other IT products ................................................... 9 2.2 Standards and schemes for cloud service providers (SWG 1.2) .................... 9 2.3 Standards and schemes for service providers and organisations (SWG 1.3) 10 2.3.1 Standards and schemes for generic organisations .......................................... 10 2.3.2 Standards and schemes for Industry 4.0 and ICS (SWG 3.1) .......................... 13 2.3.3 Standards for energy networks and smart grids (SWG 3.2) ............................. 14 2.3.4 Standards and schemes for transportation (road, rail, air, sea) (SWG 3.3) ...... 15 2.3.5 Standards and schemes for financial services and insurance (SWG3.4) ......... 15 2.3.6 Standards and schemes for public services / eGovernment / Digital Citizenship (SWG 3.5) .................................................................................................................... 16 2.3.7 Standards and schemes for healthcare (SWG 3.6) ......................................... 17 2.3.8 Standards and schemes for smart cities and smart buildings (SWG3.7) ......... 17 2.3.9 Standards and schemes for telecom, media and content (SWG 3.8) ............... 18 2.3.10 Standards and schemes for critical infrastructures .......................................... 18 2.3.11 Standards and schemes for general secure software development ................. 19 2.3.12 Standards and schemes for cybersecurity service providers ........................... 20 2.3.13 Standards and schemes for the payment industry ........................................... 20 2.3.14 Standards and schemes for IoT device vendors .............................................. 21 2.4 Standards and schemes for security professionals ...................................... 22 3 Cybersecurity standards and schemes for products and components ......................................................................................... 23 3.1 Standards and schemes for generic IT products .......................................... 23 3.1.1 Certification de Sécurité de Premier Niveau (CSPN) ....................................... 23 European Cyber Security Organisation (ECSO) • www.ecs-org.eu Rue Montoyer, 10, 1000 Brussels Belgium ii ECSO State of the Art Syllabus v1 3.1.2 Commercial Product Assurance (CPA) ........................................................... 25 3.1.3 Common Criteria (CC)..................................................................................... 27 3.1.4 European Privacy Seal .................................................................................... 31 3.1.5 National IT Evaluation Scheme (NITES) ......................................................... 33 3.1.6 Software Improvement Group (SIG) Software Quality Model for Security ........ 34 3.1.7 UL Cybersecurity Assurance Program (UL 2900-1 / 2) .................................... 35 3.1.8 ULD Datenschutz-Gütesiegel .......................................................................... 37 3.2 Standards and schemes for products used in Industry 4.0 and ICS (SWG 3.1) 39 3.2.1 ISA/IEC 62443 (Security for Industrial Automation and Control Systems) ....... 39 3.2.2 IACS Cybersecurity Certification Framework ................................................... 40 3.3 Standards and schemes for products used in energy networks and smart grids (SWG 3.2) ..................................................................................................... 42 3.3.1 IEEE 1686 (Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities) .................................................................................................................. 42 3.3.2 IEEE C37.240 (Cybersecurity Requirements for Substation Automation, Protection, and Control Systems) ................................................................................. 43 3.4 Standards and schemes for products used in the telecom industry (SWG3.8) 44 3.4.1 GSMA Network Equipment Security Assurance Scheme ................................ 44 3.5 Standards and schemes for products used in the payment industry ............ 46 3.5.1 EMVCo Security Evaluation ............................................................................ 46 3.5.2 PCI PTS HSM Security Requirements ............................................................ 48 3.5.3 PCI Payment Application Data Security Standard (PCI PA-DSS) .................... 49 3.5.4 PCI PIN Transaction Security Point of Interaction Security (PCI PTS POI)...... 50 3.6 Standards and schemes for cryptographic modules .................................... 52 3.6.1 ASD Cryptographic Evaluation ........................................................................ 52 3.6.2 CESG Assisted Products Scheme (CAPS) ...................................................... 53 3.6.3 FIPS 140-2 ...................................................................................................... 54 3.6.4 ISO/IEC 19790 (Security requirements for cryptographic modules) ................. 56 3.7 Standards and schemes for web applications .............................................. 58 3.7.1 OWASP Application Security Verification Standard (incl. OWASP Top 10) ..... 58 3.7.2 OWASP Testing Guide .................................................................................... 59 3.8 Standards and schemes for IoT products .................................................... 60 3.8.1 ICSA Labs IoT Security Testing Framework ...................................................