This report concerns the certification of devices, materials and systems which are, or clearly could be, used for protection of critical infrastructure.
Within Europe, there is a very high level of knowledge and experience in product and facility certification necessary or useful for CIP. The European Union New Legislative Framework has helped to drive the development of the sector, because of the important role given to “notified bodies”: organisations selected by the Member States to carry out assessments of conformity with harmonised standards. There are many highly competent certification bodies, including some world leaders, and accreditation is well organised through the national accreditation organisations, coordinated by the European cooperation for Accreditation. At the moment, most of this expertise is directed to general security and safety, and business continuity. Relatively little is focused on CIP.
For terrorist threats, the best developed sectors are aviation security and radiation detection. For the former, the Commission is working with ECAC to address the limitations of its current Common Evaluation Process and integrate fully with European aviation security legislation. For the latter, ITRAP+10, a collaborative project with the USA, will present its conclusions shortly. For alarm systems, a basic certification system exists and is under further development.
The IT sector has a well-developed framework for security certification based around ISO standards and European legislation. Although certification to the ISO 27000 series is widely carried out, in the most economically and technologically developed Member States other standards are used as well. Specific ISO and IEC standards exist for industrial control systems and networks. The situation for certification of personnel in IT security is confused, with a number of overlapping and competing standards.
One group of certification bodies with strong and highly relevant expertise is the classification societies, which have expanded beyond their historic ship-classification role into sectors such as offshore installations, transport infrastructure and information and communication technology. Audit companies have also started to offer certification services in information security and business continuity. Payments systems are a critical part of the financial infrastructure for which a regulatory regime exists, under the leadership of the Bank for International Settlements. The establishment of a certification process appears to be the natural next step for these systems.