The first event in the series of webinars that Cyber 4.0, in collaboration with ACN, is devoting to key aspects of the National Cybersecurity Strategy was held on Wednesday, July 6.

The seminar was devoted to the topics of technology scrutiny and security certification, a topic of strong interest and relevance to the national cybersecurity expert community, as evidenced by the active involvement of about 90 participants (and more than 100 registrants).

In addition to the opening remarks by the National Cybersecurity Agency, experts from the private sector with decades of experience in the field of security certification spoke, sharing case studies, experiences accumulated over the years, critical issues and opportunities in the current scenario, and proposals for reflections to be developed in the near future.

These were the main insights that emerged during the seminar:

  • Security certification has an important history at the national level, which begins – for systems handling classified information – as early as 1995, and – for all ICT systems and products relating to the Public Administration (PA) – in 2003, with the establishment at MISE of the Information Security Certification Body (OCSI).
  • With the goal of achieving national technological autonomy, the Cybersecurity Strategy envisions the strengthening of national capabilities for technological scrutiny and certification, including through close collaboration of the relevant structures in ACN with private industry and academia.
  • On July 1, 2022 at the National Cybersecurity Agency, the CVCN (established in 2019) was activated, and the completion of the regulatory framework on security certification and establishment of National Accredited Testing Laboratories is expected to be imminent with the soon-to-be-published DPCM 4. The decree on the operational start of the CVCN also formalizes the transfer of responsibilities of the OCSI from MISE to ACN.
  • In addition to being responsible for the CVCN and OCSI, the Agency is also the National Cybersecurity Certification Authority for contributing to the definition and application of European certification schemes, and is the Supervisory Body for inspection and sanctioning activities of LAPs (PSNC scope) and LVSs (Security Assessment Laboratories, OCSI scope) required by current regulations (Perimeter, NIS).
  • The implementation of the Cybersecurity National Perimeter (PSNC) is expected to have a cascading effect on organizations and operators outside the Perimeter as well. In particular, certification of products and/or systems will be required for all those entities, often SMEs, that are part of the supply chain of essential operators, if the assets supplied are included in the categories to be scrutinized by the CVCN.
  • The certification schemes currently adopted refer to the Common Criteria model, which is expected to be supplemented or replaced by other schemes in order to handle the foreseeable increase in technologies to be certified that the changing regulatory environment will require to be addressed at the national level.
  • New schemes have been defined at the European Union level by the European Cybersecurity Agency-ENISA: European Union Cybersecurity Certification Scheme based on Common Criteria (EUCC); European Cybersecurity Certification Scheme for Cloud Services (EUCS); 5G Cybersecurity Certification Scheme.
  • Additional schemes are being studied, with reference to IACS (Industrial Automation and Control Systems), IoT and Cryptography.
  • The EUCC aims to apply the Common Criteria standard in a more flexible and agile manner, and therefore would better suit the numbers and timing expected in the changing landscape of national security certifications.
  • These schemes, while technically defined, are not yet officially adopted, and it is expected that it may be a few more years before they are usable at the EU level. In the meantime, they may be used as a reference for the design of national schemes that are aligned with them.
  • The EUCC also addresses some issues that are currently highlighted as limitations in the security certification landscape: (i) the maintenance of certification in the event of documentable changes to already certified solutions (e.g., installation of security patches); (ii) the definition of competency standards for certification lab operators.
  • Regarding this last point, one item on which it is considered appropriate to open a discussion is the possibility of establishing a professional register for the figure of a certification laboratory operator, which is currently absent.
  • Still on the subject, it would be worth considering the possibility for Laboratories to use existing and internationally recognized certifications in the field of security (e.g., CEH, SSCP, CISSP, CISM, GICSP, etc.) for the accreditation of their staff.
  • Other problems encountered in current certification processes concern cost, timing, lack of know-how among the actors in a certification process, lack of schemes for system certification, and maintenance of the certificate.
  • Looking forward, it would also be worthwhile to consider working on process security certifications and on suppliers' production environments.
  • It would also be very useful to establish structured databases of assessment documents within the certification scheme, with shared access.
  • An issue of fundamental relevance to the success of the new security certification framework will be the structured organization of training for those involved in the assessment process.

Looking further ahead, the goal should be to introduce not only the concept of security-by-design, but also that of certification-by-design.

The webinar presentations and a recording of the event are available.