security certification - critical review


Page 1: Security Certification - Critical Review

Security Certification – A Critical Review

Dr. Ragnar Schierholz
Kevin McGrath
ABB Corporate Research

Copyright 2010 ISA. All Rights Reserved.
Distributed with permission of author(s) by ISA 2010. Presented at ISA Automation Week 2010; http://www.isa.org

Page 2: Security Certification - Critical Review

Presenters

Dr. Ragnar Schierholz
• Research Area Coordinator for Secure Remote Service Infrastructure in ABB's Industrial Software Systems research program
• Voting member of the ISA 99 committee, representing ABB

Kevin McGrath
• Technical lead for security in ABB's Industrial Communication research program
• R&D project manager for technology development projects


Page 3: Security Certification - Critical Review

Outline

• Background
• Security certification explained
  – Economic fundamentals
  – History of certification
  – (Current approaches in industrial automation)
• Analysis
  – Learn from the past
• Conclusions


Page 4: Security Certification - Critical Review

Background

• Security standardization
  – Setting a minimum level of acceptable security
  – Enabling technical interoperability
• Information asymmetry & market failure
  – "Market actors having imperfect, asymmetric information" is one condition which can lead to market failure
  – Hidden characteristics
  – Hidden action/information
  – Hidden intention
  – Security properties of a product are difficult for a customer to assess (hidden characteristics)


Page 5: Security Certification - Critical Review

Security certification explained
Economics

Transaction cost economics
• Allocates different costs to different stages of a market transaction

Stage        Examples of associated activities and costs
Initiation   identification of transaction partners, e.g. marketing (on the vendor's side) and product/supplier search and comparison (on the consumers' side)
Negotiation  consulting and administrative costs for contract closure, coordination costs in specification, delivery planning, etc.
Settlement   costs for product delivery, management of the exchange of products and payments, validation of delivery and payment
Monitoring   monitoring of quality and timeliness of transaction execution
Adjustment   modification of contracts according to changes in requirements

Principal-agent theory
• Explains the effects of conflicting interests under asymmetric information and suggests governance models
  – Conflicts:
    – Moral hazard
    – Adverse selection
    – Hold-up
  – Governance models:
    – Signalling/Screening
    – Self selection
    – Institutional hierarchy


Page 6: Security Certification - Critical Review

Security certification explained
History of certification

Certification of cyber security properties of software products has been attempted in other industries

– Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
  – US Government initiative for systems used by government agencies
  – Characteristics
    – Direct interaction between government (NSA) and product vendor
    – Test of systems in their context of use (incl. security organization)
    – NSA tested against different sets of defined requirements (a higher level of certification means more comprehensive or stronger requirements)
    – Expensive, long testing procedures


Page 7: Security Certification - Critical Review

Security certification explained
History of certification

Certification of cyber security properties of software products has been attempted in other industries

– Information Technology Security Evaluation Criteria (ITSEC) / IEC 15408 (Common Criteria)
  – EU-driven initiative, now internationally standardized, generic certification of software product security
  – Characteristics
    – Tests against profiles selected/defined by the product vendor (Protection Profile, Security Target, Security Function Requirements, Security Assurance Requirements)
    – Tested by independent certification labs, accredited for certification (Commercial Licensed Evaluation Facility - CLEF)
    – Certification levels (EALs) depend on the rigor of the test procedure – not on different product requirements
    – Cost of certification depends on the certification lab's procedures


Page 8: Security Certification - Critical Review

Security certification explained
History of certification

Certification of cyber security properties of software products has been attempted in other industries

– ISO/IEC 27000 series
  – International standard for certification of generic system security
  – Characteristics
    – Test of systems in their context of use (incl. security organization)
    – Guidelines for testing / auditing defined in the standard
    – Cost of certification depends on the auditor's procedures
    – No certification levels, pass/fail certification


Page 9: Security Certification - Critical Review

Security certification explained
Current approaches in industrial automation

• Several certification approaches exist or are being developed in the automation industry
  – Wurldtech Achilles Communication Certification (ACC)
  – Wurldtech Achilles Practices Certification (APC)
  – MuDynamics MUSIC certification
  – Exiday Integrity Certification
  – ISCI ISASecure Certification (EDSA)
• More on this from the other speakers in this session


Page 10: Security Certification - Critical Review

Analysis

• Issues found with certification programs (to learn from the history, not to repeat it)
  – Certification criteria
    – Must be meaningful measurements of the actual security property [1]
    – Must be transparent so the principal can check for fit
    – Must take the context of use into account
  – Race to the bottom
    – Certification labs only compete on price, but have no liability
    – Incentive is to reduce cost by lax testing / auditing
  – Adverse selection
    – Only vendors who can't demonstrate security with more meaningful (possibly more expensive) signals will pursue certification
  – Lifecycle coverage
    – Recertification dilemma with new vulnerabilities or attack paths

[1] See also S. Pfleeger and R. Cunningham, "Why Measuring Security Is Hard," IEEE Security & Privacy Magazine, vol. 8, 2010, pp. 46-54, and further references in the paper.


Page 11: Security Certification - Critical Review

Conclusions

• Security is not only a technical matter
• Economic theories explaining the environment and suggesting solutions are out there
  – Transaction cost economics
  – Principal-agent theory
• Certification of security properties is one approach
  – Has been tried several times and has failed (almost) as often
  – Learn from mistakes, don't repeat them
• Don't forget alternative approaches
  – Leverage the characteristics of the automation domain
    – Large, few market actors where individual interaction is common
    – Framework contracts reduce the frequency of transactions


Page 12: Security Certification - Critical Review

Questions?

Ask now or contact us later!

Dr. Ragnar Schierholz
Principal Scientist
Industrial Software Systems
ABB Switzerland
Corporate Research
Segelhofstr. 1K
CH-5405 Baden 5 Dättwil
Phone +41 58 586 82 97
E-Mail [email protected]

Kevin McGrath
Scientist
Industrial Communication
ABB Norway
Corporate Research
Bergerveien 12
NO-1375 Billingstad
Phone +47 22 874 624
E-Mail [email protected]
