Towards a Cybersecurity Certification of ICT Products, Services and Processes in the EU: Impact for the Smart Grid

Towards a Cybersecurity Certification of ICT Products, Services and Processes in the EU: Impact for the Smart Grid

The electricity sector has benefited immensely from the advances in information and communication technologies (ICTs). This is easily appreciated within the smart grid where these technologies have enabled a bi-directional flow of electricity and data, self-healing, and much more, resulting not only in a more efficient way of analysing, reacting to and optimizing electricity demands but also allowing electricity consumer to actively participate in the power supply system (prosumers). Within the grid ecosystem, several ICT-enabled components are deployed in the power plants and substations, enabling better performance and advance capabilities through the Internet of Things (IoT), advanced metering infrastructure, industrial automation and control systems, networking systems, etc. These components embed security functions, due to the critical roles they perform in the grid, and it is important that these security features are trustworthy and function as purported. However, it is not always the case; in many instances, it is difficult to assess if the security controls in these components and system are implemented correctly or will operate as intended to meet the security challenges before they are deployed. Over the years, a complex system of certification has emerged globally, which aims to attest these security functionalities, yet in many cases, vulnerabilities from these components have exposed and caused the systems in which they are deployed to be compromised.

Consumers and users do not always have a reliable way to verify these security claims, as they are replete with technical complexities and details. Within the EU, certification schemes have also evolved in a fragmented manner at the national level. In most cases, recognition of these schemes across member states has also been daunting and complex. The adoption of the EU Cybersecurity Act (CSA) in 2019 represents an effort to bridge this gap. The Act introduces certification schemes for ICT products, services and processes that incorporate security functionality, with the aim of establishing a common framework to validate and verify security products. Since its adoption, several developments have occurred towards rolling out the various schemes as envisaged in the CSA.

In general, the CSA permits two approaches to assessing ICT products, services, and processes: a self-assessment and a third-party assessment. It also provides for three security assurance levels: basic, substantial, and high assurance levels. On the one hand, the manufacturer of an ICT product, service or process may perform a self-assessment. Here, the manufacturer evaluates the product against the criteria associated with security assurance level basic and issues an EU statement of conformity that the product, service, or process conforms to requirements stated therein. On the other hand, a third-party assessment is performed by an accredited independent conformity assessment body (CAB) which evaluates the product against a defined set of criteria. When fully established, a manufacturer or service provider who wishes to obtain the certification shall apply to the appropriate conformity assessment body and provide evidence supporting the security assurance level it seeks to confirm. The CAB shall then review this evidence and conduct applicable conformity assessment activities (design review, source code review, security functional testing, penetration testing, etc.) and generate an evaluation report indicating if the certification is to be granted or not.

To implement the CSA, ENISA, which is the EU’s agency dedicated to achieving a high common level of cybersecurity across Europe, is tasked with monitoring, and developing the cybersecurity certifications schemes, including drafting the candidate cybersecurity schemes which shall specify criteria and specific requirements for conformity assessments. So far, ENISA has developed Common Criteria based European candidate cybersecurity certification scheme (EUCC) for the certification of ICT products, services or processes that meet the substantial and high assurance levels. It recently published a Methodology for a Sectoral Cybersecurity Assessment, and efforts are proceeding rapidly towards establishing sector-specific schemes such as for cloud services, and 5G networks.

It is important to note that there will be a post-certification duty on the holder of a European cybersecurity certificate. Such entity shall inform the competent authority or conformity assessment body of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, service or process that may affect its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.

Undoubtedly, cybersecurity certification is particularly important to the energy sector as one of the critical infrastructures under the Network and Information Security (NIS) Directive. As a sector that thrives by employing different technologies and services from diverse areas, ranging from ICT systems that are part of the internal information security management system (ISMS) to ICT products, infrastructure and services by external vendors, the existence of a common framework for verifying the security of relevant products also helps to achieve security by design and default, which are key for data protection and security compliance. For the smart grid, certifications schemes that target smart meters, network equipment, industrial and automation control systems, IoT, Cryptography, supply chain security, etc., will be relevant to secure the grid. For example, industrial and automation control systems deployed in sub-stations would benefit from secure components and products that do not form weak links to compromise the substations. Electrical grids are highly sensor-intensive operations, and the IoT technologies that regulate these sensors should not create security vulnerabilities. Similarly, the communication and network technologies used to send and receive data, for example, from the smart meters should securely perform this function, protecting the confidentiality, integrity, and availability of relevant data. Other examples abound, all suggesting an immense benefit from certification schemes that target products and services deployed in the grid.

Once these certification schemes are established in coherent and interoperable manner, smart grid stakeholders could leverage the framework to assess the products they deploy based on the risk associated with their intended use. This will not only support their security by design approach but also serve as an avenue to ensuring regulatory compliance where they only purchase and integrate products and services with the required assurance level. Although the certification framework is a voluntary scheme, it presents a huge opportunity for stakeholders in the energy sector to increase trust and security for European consumers and businesses. This will invariably assist in developing the digital single market, making it competitive globally. Broadly, through certification schemes, manufacturers, users, and service providers will find a less complex way of assessing the security assurance level associated with products, services, and processes offered in the market. The SPEAR project has contributed to this ecosystem by developing security functional tools: an integrated platform of methods, processes, and tools for timely detecting evolved security attacks using big data analytics, advanced visual-aided anomaly detection tools, and smart node trust management schemes. In the future, when the cybersecurity certification schemes are fully set up, adopters of these tools can benefit from appropriate schemes, such as security incident detection and response services certification where they choose to go for such certifications.