Consuelo Colabuono, Douglas Wiemer, Maria Vittoria Marabello, Piotr Bogacki, Andrzej Dziech, Giuseppe Chechile, Riccardo Feletto, Marco Dri, Grégory Depaix, Massimo Ravenna, Marco Quartullo, Paolo Modica, Massimiliano Tarquini
Dziech, A., Mees, W., Niemiec, M. (eds) Multimedia Communications, Services and Security. MCSS 2022. Communications in Computer and Information Science, vol 1689. Springer, Cham.
certification scheme, security problem definition, sectoral risk assessment, protection profile, cyber range, assurance level, maritime, healthcare, energy
This paper documents an approach to defining cybersecurity certification schemes as candidate methods for sector-specific cybersecurity product certification within the EU Cybersecurity Certification Framework being prepared by ENISA. This is a very recent area of research within the EU landscape. Our work was undertaken within the H2020 ECHO project (www.echonetwork.eu) and is reported in detail in its deliverables. This document completes the research reported in our previous publication, which contained complete references to the existing state of the art on the certification topic in the EU. Our work started with the identification of the sector-specific needs to be addressed for selected critical sectors. The mandatory Key Elements of a certification scheme, as described in the EU Cybersecurity Act, were customised, and the sector-specific analysis made it possible to define a Security Problem Definition baseline that can be used to quickly draft a Protection Profile for an asset category of the considered sectors. Security needs were also identified using the sectoral risk assessment guidelines provided by ENISA for certification purposes. An inter-sector risk scenario was also developed to highlight the most important security needs for mitigating cross-sector security failures. Finally, Cyber Range technologies were leveraged for the Conformity Assessment activities of two Maritime and one Healthcare product prototypes, for which certification at the substantial assurance level was simulated in order to validate our approach.