
STANDARDS SUPPORTING CERTIFICATION
Analysis of Standards in Areas Relevant to the Potential EU Candidate Cybersecurity Certification Schemes
DECEMBER 2019

ABOUT ENISA

The mission of the European Union Agency for Cybersecurity (ENISA) is to achieve a high common level of cybersecurity across the Union, by actively supporting Member States, Union institutions, bodies, offices and agencies in improving cybersecurity. We contribute to policy development and implementation, support capacity building and preparedness, facilitate operational cooperation at Union level, enhance the trustworthiness of ICT products, services and processes by rolling out cybersecurity certification schemes, enable knowledge sharing, research, innovation and awareness building, whilst developing cross-border communities. Our goal is to strengthen trust in the connected economy, boost resilience of the Union’s infrastructure and services and keep our society cyber secure. More information about ENISA and its work can be found at www.enisa.europa.eu.

CONTACT

For contacting the authors please use [email protected]. For media enquiries about this paper please use [email protected].

EDITORS

Ioannis Agrafiotis, Dorin Bugneac, Slawomir Gorniak

AUTHORS

Inigo Barreira, Hendrik Dettmer, Massimiliano Masi, Leire Orue Echevarria, Andreas Sfakianakis

LEGAL NOTICE

Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 2019/881. This publication does not necessarily represent state-of-the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication.
This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication.

COPYRIGHT NOTICE

© European Union Agency for Cybersecurity (ENISA), 2019
Reproduction is authorised provided the source is acknowledged.
Copyright for the image on the cover and on the internal pages: © Shutterstock
For any use or reproduction of photos or other material that is not under the ENISA copyright, permission must be sought directly from the copyright holders.
ISBN 978-92-9204-329-2, DOI 10.2824/40722

TABLE OF CONTENTS

1. INTRODUCTION 5
2. CYBERSECURITY ACT 6
3. INTERNET OF THINGS (IOT) 8
3.1 IOT LANDSCAPE 9
3.1.1 Eurosmart cybersecurity certification scheme for IoT 9
3.1.2 ETSI 303 645 12
3.1.3 Other relevant frameworks and suggestions 13
3.2 POTENTIAL CANDIDATE FOR A EUROPEAN IOT CYBERSECURITY CERTIFICATION SCHEME 14
4. ANALYSIS OF THE STANDARDS LANDSCAPE FOR CLOUD SERVICES 16
4.1 OVERVIEW OF LANDSCAPES 16
4.2 POTENTIAL CANDIDATE FOR AN EU CYBERSECURITY CERTIFICATION SCHEME FOR CLOUD 19
5. ANALYSIS OF THE STANDARDS LANDSCAPE FOR THREAT INTELLIGENCE-BASED FRAMEWORK 26
5.1 OVERVIEW OF THE TIBER-EU FRAMEWORK 26
5.1.1 History of Threat Intelligence-led Red Teaming Frameworks 26
5.1.2 Overview of TIBER-EU Framework 27
5.2 POTENTIAL CANDIDATE EUROPEAN CYBERSECURITY CERTIFICATION SCHEME 28
5.2.1 Gaps and opportunities for certification schemes 28
5.2.2 Security objectives of European cybersecurity certification scheme for TIBER-EU 29
5.2.3 Assurance levels of European cybersecurity certification scheme for TIBER-EU 30
5.2.4 Security requirements for the cybersecurity certification scheme for TIBER-EU 31
5.2.5 TIBER-EU certifications for individuals 34
6. ANALYSIS OF THE STANDARDS LANDSCAPE ON E-HEALTH RECORDS 36
6.1 OVERVIEW OF LANDSCAPE FOR EHR 36
6.2 POTENTIAL CANDIDATE CYBERSECURITY CERTIFICATION SCHEME FOR SHARING EHRS 38
6.2.1 Potential product/service or process that can be evolved to a cybersecurity certification scheme 38
6.2.2 Assurance levels based on risk assessment 38
6.2.3 Potential rules/standards for the schemes 39
7. ANALYSIS OF THE STANDARDS LANDSCAPE IN RELATION TO QUALIFIED TRUST SERVICE PROVIDERS 42
7.1 OVERVIEW OF EIDAS REGULATION ON QUALIFIED TSP AND TRUST SERVICES 42
7.1.1 Initiation and supervision 43
7.1.2 TSP supervisory scheme 44
7.2 OVERVIEW OF STANDARDS’ LANDSCAPE 44
7.2.1 eIDAS Regulation requirements 44
7.2.2 ETSI certification scheme 45
7.2.3 WebTrust for CAs assurance audit 45
7.2.4 Cab Forum, CAs and browsers 45
7.2.5 ISO/IEC 27000 series 46
7.2.6 Identification of gaps in current practice to acquire a qualified status 47
7.3 POTENTIAL CANDIDATE FOR A CYBERSECURITY CERTIFICATION SCHEME 48
7.3.1 Potential product/service or process that can be evolved to a cybersecurity certification scheme 48
7.3.2 Identification of potential rules/standards for the schemes 48
8. CONCLUSIONS 50
REFERENCES 51

EXECUTIVE SUMMARY

In September 2017, the European Commission presented a proposal for a Regulation, dubbed the Cybersecurity Act, with a view to harmonise the current cybersecurity certification activities and policies across the Member States. ENISA has a pivotal role in this new EU cybersecurity certification framework, since it is tasked to prepare candidate schemes. This report explores five distinct areas, which have frameworks, schemes or standards that can potentially be evolved to EU candidate cybersecurity certification schemes.
These five areas are the Internet of Things (IoT), cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare and qualified trust services. This report reflects on standards currently available in these five areas of interest (i.e., Eurosmart IoT Certification scheme, SESIP, TIBER-EU Framework) to identify gaps. It further proposes reasonable recommendations, based on Articles 51, 52 and 54 of the CSA, on how these gaps can be addressed and how the available standards could potentially be adapted to form the basis of future candidate EU cybersecurity certification schemes.

A key finding of this exercise is that for a potential EU candidate scheme to be successful, the levels of assurance should reflect the market needs. There are technical rules in standards that can provide the guiding principles for assurance levels in all five areas. Further investigation is required on how these rules will be allocated to different levels, specifically for technical metrics which are present in all three levels with variant objectives (e.g., time to perform patch management). In all five areas there are opportunities for products (smart home devices for the Internet of Things area, test-beds for validating interoperability in the electronic health records domain), processes (accreditation schemes to harmonise the process of providing a qualified status to Trust Service Providers) and services (penetration testing for the financial sector and cloud services such as Platform as a Service).

1. INTRODUCTION

In September 2017, the European Commission presented a proposal for a Regulation, dubbed the Cybersecurity Act (hereinafter CSA) [1], with a view to harmonise the current cybersecurity certification activities and policies across the Member States. The CSA was published on 7 June 2019 [2] in the Official Journal of the EU and entered into force on 27 June 2019.

The CSA follows on an array of legal instruments that compose the legal framework of the Digital Single Market. It further benefits from the framework on standardisation laid out by means of Regulation 1025/2012 and the provisions on conformity assessment laid out in Regulation 765/2008. The CSA is a multi-layered Regulation that on the one hand addresses the updated ENISA mandate and on the other lays out the EU cybersecurity certification framework. With regard to the latter, ENISA has been tasked with new competences, namely to prepare candidate cybersecurity certification schemes. Furthermore, ENISA will assist the Commission in carrying out certain roles (e.g. in the European Cybersecurity Certification Group (ECCG), co-chairing with the Commission the Stakeholders Cybersecurity Certification Group (SCCG)) that contribute to the overall process of designing European cybersecurity certification schemes.

This report provides an analysis of the landscape of standards in five distinct key areas, followed by recommendations on how these standards can be evolved to potential European cybersecurity certification schemes by reflecting on three articles of the CSA. The five key areas are the Internet of Things (IoT), cloud infrastructure and services, threat intelligence in the financial sector, electronic health records in healthcare and qualified trust services. This report reflects on standards currently available in these five areas of interest (i.e., Eurosmart IoT Certification scheme [3], SESIP, TIBER-EU Framework [4]) with emphasis on identifying gaps and proposing reasonable recommendations based on Articles 51, 52 and 54 of the CSA on how these standards could potentially be adapted to form the basis of future candidate cybersecurity certification schemes.

[1] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity)