Understanding Cybersecurity Certification

By Eric Cosman

Overview

Virtually any discussion about securing operations and automation systems comes to the question of how to affirm the performance and effectiveness of the cybersecurity program. Independent certification of product or system capability and expertise is a valuable tool for the end user as they determine how to best secure their systems. However, it is not a panacea, or even fully adequate for the task. A complete response to this question must address the three major elements of any such program, generally described as people, process, and technology.

Lack of applicable guidance is generally no longer the issue. On the contrary, many stakeholders are most challenged by the need to choose from several possible sources. In addition, standards are intended to be used as references, supported by associated guidance and practical examples. These examples can take the form of representative case studies or use cases that allow the reader to interpret and extrapolate successful examples to their situation.

This Insight provides guidance on cybersecurity certification and addresses several common misconceptions. The intended audience for this guidance includes end users responsible for the security of cyber-physical systems in critical infrastructure sectors. Suppliers and system integrators may also find value in an improved understanding of these concepts.

The State of Operations Cybersecurity

Operations cybersecurity has received considerable focus and attention for several years, leading to a substantial body of knowledge consisting of standards, practices, and associated guidance of various types. Much effort has gone into the development of frameworks, standards, and recommended practices. These may be sector specific, or more generally focused to enable broader application. While essential for setting minimum expectations, these are often not sufficient to fully address the needs associated with securing operations systems.

Also, standards employ very precise language that makes it easier to assess conformance. They are intended to be used as references, with practical guidance available in the form of representative case studies and use cases that allow the reader to interpret and extrapolate successful examples to their situation.

Fortunately, lack of such guidance is generally no longer the issue. A large amount of information has been developed by a variety of sources over the past several years. It comes in the form of frameworks and guidelines that focus on specific aspects of the process (e.g., patch management). Often the biggest challenge is choosing from several possible sources. In situations where a choice must be made there is a need for clear and unambiguous criteria that can be used for making such a selection.

When combined, available standards and associated guidance describe the capabilities and performance levels necessary for effective cybersecurity. However, they do not prescribe how to accomplish the needed results, or the specific products and systems to be used. People with specific skills and experience must use products and technologies that meet minimum functional requirements. End users may not have the necessary expertise on staff, so they will require some sort of independent assurances that contracted resources, processes used, and the products and technologies meet a specific minimum level of performance.

Principal Roles

It is also important to understand that the cybersecurity response includes contributions from several principal roles, such as system supplier, system integrator, end user, and service provider. Each of these roles has specific responsibilities and expectations within various phases of the system life cycle, as described in the following paragraphs.

It is common for suppliers to want to show that their products have been reviewed using objective and independent criteria and determined to meet a specific set of requirements, such as those described in established and accepted industry standards. This provides prospective customers with assurances beyond the assertions of the supplier. Ideally, the standards cited should not be specific to an industry or sector as this would require additional effort for products targeted across multiple sectors.

System integrators are responsible for taking products and technologies from several sources and combining them to create a comprehensive solution for a specific situation with particular requirements. To do this successfully they must know the extent to which these components can meet security-related requirements. Product certification can make this easier. It is also desirable for the integrator to hold certificates that confirm that they have a firm grasp of the subject.

End users benefit from certificates and certifications because they make it easier to define expectations and requirements. They must determine the level of security required for their systems based on assessed risk. While this can be accomplished through a thorough analysis leading to the identification of a set of detailed requirements, it is possible to simplify and shorten the process somewhat using certifications. Certification of a product or system against a conformance specification has the potential not only to shorten the process but also to improve the quality and consistency of the result. Many end users see the benefit of having conformance specifications that have been developed by an independent third party.

In some industries, regulators also have a role to play in that they specify the minimum requirements for compliance. They may choose to base their regulations wholly or partially on established industry standards. In such cases conformance to the standard as indicated by certification is equivalent to compliance with the regulation.

Terms and Concepts

End users and other stakeholders must be able to make meaningful choices, but to do so they must have a firm grasp of certain basic terms and concepts. Some of these are often confused or poorly understood.

Conformance or Compliance

While these terms are often used interchangeably, they are quite different. Conformance is voluntary adherence to a standard, rule, specification, requirement, design, process, or practice. Compliance is forced adherence to a law, regulation, rule, process, or practice. A Certificate of Conformance is a document in which a competent authority certifies that the supplied good or service meets the required specifications, but it does not typically include specific test conditions, parameters, or specifications.

 


Keywords: Assurance, Certification, Certificate, Compliance, Conformance, Risk, ARC Advisory Group.
