Cybersecurity regulation: cybersecurity certification of operational technologies

Authors

Olena Tsvilii

DOI:

https://doi.org/10.15587/2706-5448.2021.225271

Keywords:

cybersecurity system, conformity assessment system, hierarchical model, cybersecurity certification scheme

Abstract

The object of research is the system and schemes of conformity assessment (certification) of the cybersecurity of operational technologies (OT): the set of rules and procedures that describe the objects of certification, define the specified requirements and provide a methodology for certification. The terminology and conceptual apparatus of the study are based on the international standard ISO/IEC 17000:2020 Conformity assessment – Vocabulary and general principles. Cybersecurity certification systems and schemes rest on assessment standards, whose choice and application is ambiguous and has historically admitted many interpretations and application mechanisms. These standards comprise tools, policies, security concepts, security assurances, guidelines, risk management approaches, best practices, safeguards and technologies. All of them share, to one degree or another, a significant drawback: the results of an information security assessment against such a standard are difficult to transform into security guarantees that enjoy wide international recognition. In the context of globalization, this significantly degrades the quality of cybersecurity.

The main hypothesis of the research is that the quality of cybersecurity can be improved by converging on a common methodology based on agreed international standards and international best practice for certification. The paper considers the key role of cybersecurity for operational technologies, which are becoming the basis of Economy 4.0 and are now regarded as a new frontier of cybersecurity. It shows the need to create a system and schemes for OT cybersecurity certification based on international and European certification principles. A hierarchical model of the assessment standards of a cybersecurity certification system and a hierarchical model of mutual recognition agreements for cybersecurity certificates are developed; together they allow a systematic approach to building an OT cybersecurity certification system and its schemes. This gives developers of certification systems and schemes a basis for forming OT cybersecurity certification systems on the principle of wide cross-border recognition of OT cybersecurity certificates.

Author Biography

Olena Tsvilii, O. S. Popov Odesa National Academy of Telecommunications

Senior Lecturer

Department of Telecommunications

References

  1. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6.07.2016 concerning measures for a high common level of security of network and information systems across the Union (2016). Available at: https://eur-lex.europa.eu/eli/dir/2016/1148/oj
  2. The IACS Cybersecurity Certification Framework (ICCF) (2018). Available at: https://erncip-project.jrc.ec.europa.eu/documents/iacs-cybersecurity-certification-framework-iccf
  3. Regulation (EU) 2019/881 of the European Parliament and of the Council of 17.04.2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (2019). Available at: https://eur-lex.europa.eu/eli/reg/2019/881/oj
  4. Matheu-García, S. N., Hernández-Ramos, J. L., Skarmeta, A. F., Baldini, G. (2019). Risk-based automated assessment and testing for the cybersecurity certification and labelling of IoT devices. Computer Standards & Interfaces, 62, 64–83. doi: http://doi.org/10.1016/j.csi.2018.08.003
  5. Markopoulou, D., Papakonstantinou, V., de Hert, P. (2019). The new EU cybersecurity framework: The NIS Directive, ENISA's role and the General Data Protection Regulation. Computer Law & Security Review, 35 (6), 105336. doi: http://doi.org/10.1016/j.clsr.2019.06.007
  6. Pro osnovni zasady zabezpechennia kiberbezpeky Ukrainy [On the Basic Principles of Ensuring Cybersecurity of Ukraine] (2017). Zakon Ukrainy No. 2163-VIII. 05.10.2017. Available at: https://zakon.rada.gov.ua/laws/show/2163-19#Text
  7. Pro rishennia Rady natsionalnoi bezpeky i oborony Ukrainy vid 27 sichnia 2016 roku "Pro Stratehiiu kiberbezpeky Ukrainy" [On the Decision of the National Security and Defence Council of Ukraine of 27 January 2016 "On the Cybersecurity Strategy of Ukraine"] (2016). Ukaz Prezydenta Ukrainy; Stratehiia No. 96/2016. 15.03.2016. Available at: https://www.president.gov.ua/documents/2422016-20141
  8. ISO/IEC 17000:2020 Conformity assessment – Vocabulary and general principles (2020). Committee on conformity assessment, 23. Available at: https://www.iso.org/standard/73029.html
  9. Pro tekhnichni rehlamenty ta otsinku vidpovidnosti [On Technical Regulations and Conformity Assessment] (2015). Zakon Ukrainy No. 124-VIII. 15.01.2015. Available at: https://zakon.rada.gov.ua/laws/show/3164-15#Text
  10. International Accreditation Forum. Available at: https://www.iaf.nu/
  11. International Laboratory Accreditation Cooperation. Available at: https://ilac.org/
  12. Pro akredytatsiiu orhaniv z otsinky vidpovidnosti [On Accreditation of Conformity Assessment Bodies] (2001). Zakon Ukrainy No. 2407-III. 17.05.2001. Available at: https://zakon.rada.gov.ua/laws/show/2407-14#Text
  13. ISO/IEC 17067:2013 Conformity assessment – Fundamentals of product certification and guidelines for product certification schemes (2013). Committee on conformity assessment, 13. Available at: https://www.iso.org/standard/55087.html

Published

2021-02-28

How to Cite

Tsvilii, O. (2021). Cybersecurity regulation: cybersecurity certification of operational technologies. Technology Audit and Production Reserves, 1(2(57)), 54–60. https://doi.org/10.15587/2706-5448.2021.225271

Issue

Vol. 1 No. 2(57) (2021)

Section

Systems and Control Processes: Reports on Research Projects