Cross Standard and Scheme Composition—A Needed Cornerstone for the European Cybersecurity Certification Framework (B12a)
The proliferation of new cybersecurity standards/schemes shows the interest of all the stakeholders to require cybersecurity for ICT products. On the other hand, a need for harmonization/recognition between standards/schemes is needed. Otherwise, there could be too many standards that become non-cost-effective for developers certifying their products.
For instance, almost every IoT vertical has its own set of cybersecurity standards. But IoT devices and it’s supply chain is not limited within a single vertical. In fact the contrary holds, that building blocks of an IoT device find appliance in a couple of other verticals. Assuming that these building blocks demonstrated cybersecurity compliance of some form, say for a particular vertical, it will be key for the economy to not repeat those proofs of compliance but instead accept across standards and schemes where applicable.
This talk will highlight the importance of the acceptance of certification and standard compliance results across different schemes or security standards. We will show examples (e.g., smart metering in France with de-facto acceptance of underlying CC results, SESIP to IEC62443-4-2) where this has been applied successfully, but will also look at existing standards or schemes where this would be possible (e.g. EUCC, FITCEM, etc…) or proposals on how to apply this for Industrial IoT (IACS ERNCIP recommendations to the EU commission).
The talk will be given from the developer perspective (Georg Stütz from NXP) and lab perspective (Jose Ruiz from jtsec)