IACS Components Cybersecurity Certification Scheme
Industrial Automation & Control Systems (IACS) are an essential part of most critical infrastructures and critical services. The term IACS refers to all the components (PLCs, SCADA, HMI, etc.) that are integrated into critical infrastructures and industrial production establishments. Health, power, water and transportation, to name just a few, all depend to a great extent on Industrial Automation & Control Systems for delivering their services. Furthermore, all industrial plants and sectors employ Industrial Automation & Control Systems, and the transformation process towards Industry 4.0 will lead to an even higher dependency on such systems. Past experience has shown that their cyber vulnerabilities can be exploited by adversaries, with a huge impact on infrastructures and a subsequent impact on the economy and human lives. In practice, cyberattacks against critical infrastructures are cyberattacks against their Industrial Automation & Control Systems. Thus, it is of paramount importance to apply all possible measures in order to increase the level of cybersecurity of IACS.
Nevertheless, in order to build cybersecure IACS (i.e. whole systems/subsystems) one needs to procure and assemble adequately cybersecure IACS Components, whether hardware or software. Hence, it is crucial to focus on the certification/conformance of the separate Components of the IACS, in order to ensure that each of these Components, as a building element of the whole IACS, satisfies the foreseen cybersecurity requirements. Moreover, by approaching certification/compliance on a per-Component basis, it is possible to determine different security requirements and assurance levels for different elements of the overall IACS, depending on the system design, the intended use and operational environment, and the identified system-level security measures.
Focus of Work
In this respect, the ERNCIP IACS Components Cybersecurity Certification Thematic Group (referred to as the IACS TG for simplicity) focuses on the cybersecurity certification of Components of Industrial Automation & Control Systems. To this end, the IACS TG has undergone four phases since its establishment in 2014, where the first three phases laid down the groundwork for the development of the TG’s eventual outcome, i.e. a European Industrial Automation & Control Systems Components Cybersecurity Certification Scheme (ICCS):
- Phase 1
  - Time period: 2014
  - Scope: Feasibility study for a European IACS Components Cybersecurity Scheme.
  - Deliverable: Proposals from the ERNCIP Thematic Group “Case studies for the Cyber-security of Industrial Automation and Control Systems”, for a European IACS Components Cybersecurity Compliance and Certification Scheme.
- Phase 2
  - Time period: 2015-2016
  - Scope: Design of an IACS Components Cybersecurity Certification Framework (ICCF).
  - Deliverable: Introduction to the European IACS Components Cybersecurity Certification Framework (ICCF).
- Phase 3
  - Time period: 2017-2018
  - Scope: Further elaboration on the ICCF; testing and improvement of the initial design.
  - Deliverable: The IACS Cybersecurity Certification Framework (ICCF).
In parallel, the Cybersecurity Act (CSA), published on 17 April 2019, introduces for the first time an EU-wide cybersecurity certification framework for ICT products, services and processes. Companies doing business in the EU will benefit from having to certify their ICT products, processes and services only once, and will see their certificates recognised across the European Union. Building upon all the work carried out during its first three phases, the IACS TG quickly picked up the requirements of the CSA and proceeded to its fourth phase, in which it developed a coherent report describing in detail all the elements necessary to establish an EU Cybersecurity Certification Scheme for IACS Components:
- Phase 4
  - Time period: 2019-2020
  - Scope: Development of an IACS Components Cybersecurity Certification Scheme (ICCS).
  - Deliverable: Recommendations for the Implementation of the Industrial Automation & Control Systems Components Cybersecurity Certification Scheme (ICCS).
As a result, this last report on Recommendations for the Implementation of a European IACS Components Cybersecurity Certification Scheme (ICCS) has been produced with close and consistent reference to the EU Cybersecurity Act, following a rationale that allows it to constitute the most solid basis for a future European Cybersecurity Certification Scheme dedicated to Industrial Automation & Control Systems Components. To this end, given the high quality and completeness of its technical content, this report can be considered for inclusion in the Union Rolling Work Programme, so as to be further developed thereafter by ENISA as a candidate European Cybersecurity Certification Scheme in the respective area.
Management and Membership
The ERNCIP IACS Thematic Group, like the overall ERNCIP project, is managed and led by the EC DG JRC. The members of the ERNCIP IACS Thematic Group are highly reputable experts in the relevant scientific and technical fields, coming from all over the European Union and working for organisations that cover the whole spectrum of ICCS stakeholders, e.g. national cybersecurity agencies, IACS (Components) manufacturers, cybersecurity industries, cybersecurity evaluation laboratories, cybersecurity certification authorities, and academia.