Lightship Security Director of Consulting, Lachlan Turner, was nominated by the Government of Canada to participate in the International Atomic Energy Agency (IAEA) Technical Meeting on Reducing Cyber Risks in the Supply Chain which was held at IAEA’s Headquarters in Vienna, Austria, from 25 to 29 June 2018. Lachlan attended along with some 110 other delegates from around the world. Delegates included nuclear regulators, operators, suppliers and various other industry representatives.
The purpose of the event was to promote information exchange and good practices implemented by IAEA Member States to enhance the security characteristics of sensitive digital assets procured through the nuclear supply chain. Lachlan was invited to provide insights into the potential use of Common Criteria for certifying digital products for use in nuclear power plant applications that are important to safety and security.
The nuclear industry is just one of many industry verticals (e.g. automotive, medical, oil & gas etc.) grappling with the challenge of addressing cyber risk in the supply chain. Lachlan was able to explain how Common Criteria works and how it may be applied to bring real world security value and assurance into the nuclear supply chain.
Three key points from Lachlan’s address, which may be equally applied to other industry verticals are as follows:
- Don’t re-invent the wheel. The Common Criteria (ISO/IEC 15408) is the only well established and internationally recognized standard for IT product security evaluation – and it is improving all the time. There is tremendous value in the world-wide network of schemes and accredited labs that can be leveraged for your industry. Uniquely, the Common Criteria provides a flexible but structured framework that can be customized and adopted for a variety of industry vertical use cases, threat models and assurance levels.
- Industry collaboration is critical. The Common Criteria is like a tool box – one must know which tools to use. The hammer is useful, but it does not fix everything (e.g. Evaluation Assurance Levels). To get real value from Common Criteria, industry participants must collaborate to:
- Create a market demand (or regulator requirement) for Common Criteria – vendors will not go to the trouble of certification if there is no demand.
- Create tailored requirements to address the specific industry needs – leverage the Common Criteria User Forum to establish Technical Communities that are focused on sharing threat intelligence and specifying security requirements (both functional and across the product life-cycle) for technologies that are critical to your industry – i.e. via Protection Profiles.
- Automation is here. It is only through industry adoption of test automation that the Common Criteria process will scale and be able to adequately address the current shortcomings that prevent the wider adoption of the standard for other verticals – namely time, cost and demonstrable reduction of risk. We discuss this topic further in our previous Agile Assurance post.
Feel free to contact us today to discuss how your industry may be benefit from the use of Common Criteria to reduce cyber risk in the supply chain.
Lachlan has 15+ years of extensive product security certification experience, including roles as a government certifier, lab evaluator and vendor consultant. Lachlan leads our consulting team to assist vendors to get through the certification process efficiently.