Security Certification - Critical Review
Published in: Technology, Business
Transcript

  • 1. Security Certification – A Critical Review
    Dr. Ragnar Schierholz, Kevin McGrath
    ABB Corporate Research
    Copyright 2010 ISA. All Rights Reserved. Distributed with permission of author(s) by ISA 2010. Presented at ISA Automation Week 2010; http://www.isa.org
  • 2. Presenters
    Dr. Ragnar Schierholz
    • Research Area Coordinator for Secure Remote Service Infrastructure in ABB’s Industrial Software Systems research program
    • Voting member of ISA 99 committee representing ABB
    Kevin McGrath
    • Technical lead for security in ABB’s Industrial Communication research program
    • R&D project manager for technology development projects
  • 3. Outline
    • Background
    • Security certification explained
      – Economic fundamentals
      – History of certification
      – (Current approaches in industrial automation)
    • Analysis – Learn from the past
    • Conclusions
  • 4. Background
    • Security standardization
      – Setting a minimum level of acceptable security
      – Enabling technical interoperability
    • Information asymmetry & market failure
      – «Market actors having imperfect, asymmetric information» is one condition which can lead to market failure
        – Hidden characteristics
        – Hidden action/information
        – Hidden intention
      – Security properties of a product are difficult to assess for a customer (hidden characteristics)
  • 5. Security certification explained – Economics
    Transaction cost economics
    • Allocate different costs to different stages of a market transaction
      Stage: examples for associated activities and costs
      – Initiation: identification of transaction partners, e.g. marketing (on the vendor’s side) and product/supplier search and comparison (on consumers’ side)
      – Negotiation: consulting and administrative costs for contract closure, coordination costs in specification, delivery planning, etc.
      – Settlement: costs for product delivery, management of the exchange of products and payments, validation of delivery and payment
      – Monitoring: monitoring of quality and timeliness of transaction execution
      – Adjustment: modification of contracts according to changes in requirements
    Principal-Agent theory
    • Explains effects of conflicting interests under asymmetric information and suggests governance models
      – Conflicts: moral hazard, adverse selection, hold-up
      – Governance models: signalling/screening, self selection, institutional hierarchy
  • 6. Security certification explained – History of certification
    Certification of cyber security properties of software products has been attempted in other industries
    – Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
      – US Government initiative for systems used by government agencies
      – Characteristics
        – Direct interaction between government (NSA) and product vendor
        – Test of systems in their context of use (incl. security organization)
        – NSA tested against different sets of defined requirements (higher level of certification means more comprehensive or stronger requirements)
        – Expensive, long testing procedures
  • 7. Security certification explained – History of certification
    Certification of cyber security properties of software products has been attempted in other industries
    – Information Technology Security Evaluation Criteria (ITSEC) / IEC 15408 (Common Criteria)
      – EU driven initiative, now internationally standardized, generic certification of software product security
      – Characteristics
        – Tests against profiles selected/defined by product vendor (Protection Profile, Security Target, Security Function Requirements, Security Assurance Requirements)
        – Tested by independent certification labs, accredited for certification (Commercial Licensed Evaluation Facility – CLEF)
        – Certification levels (EALs) depend on rigor of test procedure, not on different product requirements
        – Cost of certification depends on certification lab’s procedures
  • 8. Security certification explained – History of certification
    Certification of cyber security properties of software products has been attempted in other industries
    – ISO/IEC 27000 series
      – International standard for certification of generic system security
      – Characteristics
        – Test of systems in their context of use (incl. security organization)
        – Guidelines of testing / auditing defined in standard
        – Cost of certification depends on auditor’s procedures
        – No certification levels, pass/fail certification
  • 9. Security certification explained – Current approaches in industrial automation
    • Several certification approaches exist or are being developed in the automation industry
      – Wurldtech Achilles Communication Certification (ACC)
      – Wurldtech Achilles Practices Certification (APC)
      – MuDynamics MUSIC certification
      – Exiday Integrity Certification
      – ISCI ISASecure Certification (EDSA)
    • More on this from the other speakers in this session
  • 10. Analysis
    • Issues found with certification programs (to learn from the history, not to repeat it)
      – Certification criteria
        – Must be meaningful measurements of actual security property [1]
        – Must be transparent so the principal can check for fit
        – Must take the context of use into account
      – Race to the bottom
        – Certification labs only compete on price, but have no liability
        – Incentive is to reduce cost by lax testing / auditing
      – Adverse selection
        – Only vendors who can’t demonstrate security with more meaningful (possibly more expensive) signals will pursue certification
      – Lifecycle coverage
        – Recertification dilemma with new vulnerabilities or attack paths
    [1] See also S. Pfleeger and R. Cunningham, "Why Measuring Security Is Hard," IEEE Security & Privacy Magazine, vol. 8, 2010, pp. 46-54, and further references in the paper.
  • 11. Conclusions
    • Security is not only a technical matter
    • Economic theories explaining the environment and suggesting solutions are out there
      – Transaction cost economics
      – Principal-agent theory
    • Certification of security properties is one approach
      – Has been tried several times and has failed (almost) as often
      – Learn from mistakes, don’t repeat them
    • Don’t forget alternative approaches
      – Leverage the characteristics of the automation domain
        – Large, few market actors where individual interaction is common
        – Framework contracts reduce the frequency of transactions
  • 12. Questions? Ask now or contact us later!
    Dr. Ragnar Schierholz, Principal Scientist, Industrial Software Systems, ABB Switzerland Corporate Research, Segelhofstr. 1K, CH-5405 Baden 5 Dättwil. Phone +41 58 586 82 97. E-Mail ragnar.schierholz@ch.abb.com
    Kevin McGrath, Scientist, Industrial Communication, ABB Norway Corporate Research, Bergerveien 12, NO-1375 Billingstad. Phone +47 22 874 624. E-Mail kevin.mcgrath@no.abb.com