With regard to European activities, ERNCIP, the European Reference Network for Critical Infrastructure Protection, is an important player. Its draft objectives for 2013-14 cover six areas in particular, with the following issues:328
325 See DIN, Koordinierungsstelle Sicherheitswirtschaft im DIN, “Workshop Zertifizierung 2011”, no date.
http://www.sicherheitswirtschaft.din.de/cmd?cmsrubid=134411&level=tpl-rubrik&languageid=de
326 See footnote 325.
327 ISO/IEC, “ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements”, 2013 and ISO, “ISO 28000:2007 Specification for security management systems for the supply chain”, 2007.
328 ERNCIP: “ERNCIP background information”, 2014.
Aviation Security Detection Equipment: Assessing existing test methodologies for suitability for a future EU certification system; survey of test procedures used today; and review of state-of-the-art for explosive trace detection.
Explosives Detection Equipment for non-aviation contexts: Defining EU needs for explosives detection for mass land transport, marine transport, large public events etc., analysis of available technologies, first elements of a European common test methodology for non-aviation contexts.
CB Risks in the Water Sector: Harmonizing test methods of innovative and rapid alarm systems and screening techniques, which make it possible to quickly identify a change of the drinking water quality after an incident.
Resistance of Structures against Explosions: Guidelines for harmonizing test procedures of structural elements, starting with resistance of glass against far field blast loading.
Industrial Automated Control Systems incl. Smart grid: Current priorities are to identify the barriers to certification and testing of IACS, including the analysis of existing cyber security testing facilities for IACS and Smart Meter components, and consideration of how to reduce the risks to cyber security from human factors.
Resistance of Structures against Seismic Risks: Common qualification of research infrastructures on earthquake engineering, including implementation and maintenance of a Distributed Database of test results.
ERNCIP’s activities appear to be most advanced in the fields of ‘CB Risks in the Water Sector’ and ‘Resistance of Structures against Explosives’, because both already work on harmonizing test methods: the definition of guidelines for harmonizing test procedures is targeted for 2014.
However, there are also gaps. Although ERNCIP is active in selected areas of the CBRNE field, a need for solutions remains and is stressed by the European Commission:329 testing and certification rules are not comparable in the Member States, and manufacturers have to physically transport and re-certify their equipment in each separate market.
Although the need for a harmonized approach in the field of alarm systems is often highlighted, ERNCIP is not active there.
In addition, the analysis shows that ERNCIP does not have a specific focus on privacy issues and data protection, although the importance of privacy-specific solutions is highlighted by many European documents. Therefore, the even more complex need for action described in the Mandate M/487 Final Report Phase 1 remains: “(I)n the absence of a clear EU framework in this area (of privacy and data protection) there is a lack of clear guidelines for equipment/technology providers with respect to accepted and acceptable performance requirements” (p. 27). CRISP builds on several current developments in the privacy field which will be described in detail in further deliverables.
329 European Commission, op. cit., 05.02.2013.
7. SUMMARY
This report offers an analysis of the state of the art of security standards and certification in Europe. Following the introduction in Chapter 1, Chapter 2 describes conformity assessment systems and explains the economic benefits of their elements. Advantages of conformity assessment are discussed in general, and specifics in the security field and the economic value of mutual recognition are highlighted in particular. General advantages include the assurance of high levels of quality and product safety and the avoidance of damage and injuries, as well as the reduction of risks and higher specialization effects. With regard to mutual recognition, potential cost savings were highlighted specifically. The most important benefits of using standards in certification include four aspects: trust and transparency, comparability, interchangeability and economic impact.
In Chapter 3, specific insight on the framework conditions of security certification in Europe is given, and security-related documents which a) determine the current security certification landscape and b) build the foundation for future improvements in the marketplace are explained.
In Chapter 4 specific security-related standards and technical committees in Europe are described and current and potential interrelations between standards and certification are shown. Possible needs for new security-related standards are also identified. Chapter 4.4 shows that there are very few European standardization initiatives in the Counter-Terror Intelligence sector. A few international and European standards and activities exist in the sub-field of cyber security but they do not address all areas of that sector. On a functional level, Chapter 4.5 shows that security standards for the detain function are scarce and that the detaining function executed by private security services is fragmented within the Member States. Therefore, an analysis of a potential need for European standards is regarded as necessary.
Furthermore, according to an interviewee, (nearly) no European standard exists on software/ICT which is integrated in security products. This is in harmony with the diagnosis in Regulation 1025/2012 and hinders security-related certification based on standards. Given the fact that EN standards are usually developed in three to four years, the first ICT-related standards based on Regulation 1025/2012 will not be published before 2015. After the introduction of the new standards, mechanisms are needed to facilitate their optimal use for certification processes.
Field research revealed that fostering more standards-based certification requires stimulation by appropriate European directives. The European Directive for Fire Protection is mentioned as a good example for that. In addition, a need for more and similar documents in the areas of CCTV, access control, protection of critical infrastructures and smart grids is expressed.
With regard to the interrelation of standardisation and certification, information was gained from interviewees and emails from CEN/TCs and analyses of the work of a number of certification bodies. Extended analyses in this regard will be provided by CRISP Deliverable 2.2.
An interesting approach regarding the interrelation of standardisation and certification has been used by CEN/CLC TC 4. In cooperation with the EURALARM service section and the EURALARM Working Group CERT, the chairman of the TC is organizing a series of meetings with certification bodies to present the current version of EN 16763 and to exchange views on its future use for certification.
The work of additional selected CEN TCs was described in detail. Selected findings are given here:
There are many security solutions and application areas in the field of perimeter protection.
The relevant CEN TC is not active at the moment. This has in particular two reasons: 1. the Member States focus on national solutions and 2. financial resources for further activities on a European level are missing. Inconsistent national standards bear the risk of future market fragmentation. The definition of potential solutions requires further research efforts. Opportunities for public funding have to be analyzed, too.
The activities of several CEN/TCs could not be linked with certification services. An example is CEN/TC 278. Although privacy is a major topic in almost all standards developed by the TC, no certification body seems to be active in this field.
Several standards are used by international certification bodies. Their activities in the different Member States require further analyses. In addition, EN-ISO 27799 gives an example for a privacy-related standard used for certification in the Netherlands. The use of the standard for certification in other countries needs to be analysed in more detail.
Many security-related TCs are quite new and new standards are under development. Therefore it is recommended to seek collaborations with certification bodies in early stages. In addition, there are national certification bodies which participate in national mirror committees of CEN/CENELEC/TCs. They also provide a good example for the establishment of interrelations between both fields. National certification bodies will be investigated in more detail in Deliverable 2.2. First talks with experts from these organizations show that there are institutions which are aware of the advantages of participating in standardisation, but that they are still too few.
In Chapter 5 security areas in which the use of open standards is limited are analyzed. In particular, the fields of digital signatures, airport screening equipment and air cargo are relevant. Usually several different governmental authorities and security authorities are responsible for these topics in a Member State, making the European landscape very complex in this regard. Although databases exist that show all national certification bodies which are accredited by a national EA member, databases of non-EA members are not available. Therefore, an extension of current databases or the creation of an additional database is recommended.
An additional area in which standards are not used for certification is related to innovative solutions for which standards do not exist yet.
Representing the core of this document, Chapter 6 gives a detailed overview of the state of harmonization and mutual recognition in Europe and describes suggested concepts of “one stop testing” and “multiple certification”. This approach is highly recommended for new product classes, new requirements and related standards. With regard to existing certification services, alternative solutions may also offer advantages.
First of all, there are fields in which appropriate certification solutions are missing in general, for example in areas of complex security systems.
With regards to fields with existing certification services in which common solutions are missing, it was expressed that the key obstacle is often not the use of alternative documents for certification instead of common standards. Differences between the certificates are rather caused by documents which are used in addition to standards. Therefore, needs for additional standards in these fields as well as their potential usability for certification must be analyzed.
In addition, the extent to which the European market for security certificates should keep providing opportunities to compete based on differentiation and the quality of the certificates should be investigated. In other words, it should be analyzed whether the marketplace should maintain the freedom of using ambitious evaluation guidelines in addition to common standards. Making the certification landscape convenient for all players in the market on such a basis would require transparency and the development of databases which allow comparisons between the different certificates based on appropriate criteria.
Offering a European database to security certification bodies to provide information on the characteristics of their certificates might help these market players to identify potential for collaboration with other institutes and for mutual recognition.
Despite the advantages of competing based on quality and differentiation, this option bears challenges, too. A provider whose certificate is too unique – with specific requirements in addition to common standards – may face difficulties in finding collaboration partners. This means that the customers need additional certificates abroad. To avoid extra efforts, they might decide to choose another certification service provider whose certificates are valid in other Member States, too. Alternatively, a database that offers information on certificates related to different quality levels can provide an opportunity to accept the certificates with the highest level of quality in a relevant area in all Member States.330
Besides the advantages of a European certification database for the specific security areas, there are potential obstacles, too. Certification bodies might resist the introduction of an instrument which makes them comparable. Therefore the potential success of such an offer needs to be analyzed in more detail.
In addition, there are security issues which are shaped by different national preferences in Member States. EN 50131 which includes specific national amendments provides an example for that. It shows that there are areas which should not be covered by general harmonized solutions but by complementary certification. The number of these areas is to be kept as small as possible.
The previous chapters offered interesting examples for European collaborations in security certification, too. They include the agreement of the Senior Officials Group Information System Security (SOG-IS) and the European Fire and Security Group (EFSG). Like the international CC Recognition Arrangement, SOG-IS provides mutual recognition for certificates on information systems security. Nevertheless, many needs for further action remain.
Quality is a key issue in the certification context. EFSG builds on European standards, and its members compare their test results regularly by round robin tests. The group is also active in standardisation, although its attractive offer to obtain multiple quality marks with minimal duplication and cost is not usable in all European countries yet. In general, mutual recognition is often practiced by large, industrialized Member States with a large security market and industry. EFSG’s members include partners from France, Germany, Great Britain, Italy and Sweden. Authorizing countries of CC certificates include France, Germany, Great Britain, Italy, Netherlands, Norway, Spain and Sweden, while consuming countries include Austria, Greece, Czech Republic, Denmark, Finland and Hungary.
330 Example from another field: certificates that certify security up to EAL level 7 for IT products might also be accepted when only EAL 6 is required.
Efforts to date have been unsuccessful in removing barriers to greater harmonization. A major obstacle for the expansion of EFSG is, among others, the perceived quality of other national certificates in the relevant fields, which again highlights the quality issue. The market segments in which EFSG is active are neither dominated by certificates that certify “good” quality, nor exceptional certificates that certify “excellent” quality. Several market players perceive fundamental differences between two groups of certificates in this regard: a number of certificates whose content is comparable on a high level of quality and “other European certificates”.
Several European countries are perceived as providers of high quality products and solutions, and there are even companies which advertise with the slogan “made in country [X]”. Specific concerns exist that collaborations with providers of “other” certificates whose requirements are less advanced bear the risk of diluting the image of their own certificate. The high level of quality which is certified by their specific marks and the excellent image of their certificates have to be kept. Therefore, measures to analyse and improve the quality infrastructure in the relevant other Member States (mostly new Member States), as well as improvements of the image of the relevant certificates, are needed.
Obstacles regarding mutual recognition are also caused by organizational barriers. Smaller Member States with a small number of security companies may lack advanced infrastructures to offer these companies attractive certificates. In addition, the smallness of a national security industry hinders the recognition of a certificate by foreign certification bodies and is also a barrier to building trust. Countries with few organizations responsible for certification also have problems to become partners for multinational negotiation processes. In summary, several countries face the problem of a small security industry, the absence of well-known national quality seals and the lack of foreign trust in these seals needed to enter into multinational negotiations. A solution might be a collaborative arrangement of countries with unknown seals/quality marks for security products and the creation of a new additional seal “quality in new Member States” based on European standards and managed by a specific institution, allowing the entering in collaborations with organizations such as EFSG. This option needs further analysis in areas including potential cost and financial resources. In addition, the opinions of security providers that should apply for such certificates, as well as of countries and institutes that should accept these certificates, need to be analysed. This goes beyond the focus of the CRISP project, but further steps will be investigated in CRISP’s Work Package 6.
Other fields of interest include CBRNE products and aviation screening equipment. One approach to meeting specific needs in the aviation field may consist of two elements: 1) pre-tests to get a CBRNE label for a device which can be harmonized; and 2) scenario pre-tests which are carried out by the national security authorities, governmental institutions or together with semi-public organizations.
Additional suggestions and recommended steps include:
An investigation of options to offer common certification solutions for innovative products and services;
An investigation of areas where no standards exist;
The development of concepts to overcome these gaps (both together with the relevant stakeholders);
A deeper investigation of the certification landscape in new Member States;
An in-depth investigation of the different levels of quality certified by the different European certification seals; and
Providing an overview of all these seals for all interested parties in Europe.
Finally, this report included several general observations. Independently of specific issues regarding certification, a need for several new security-related standards was highlighted; their development is hindered by a lack of resources. Chapter 3 described that the EU offers funding opportunities for standardisation activities. The need for such measures is to be analyzed in more detail together with the relevant stakeholders and the European Commission.
The establishment of EFSG was a successful step towards harmonization. Instruments used by the group include, for example, round robin exercises. To facilitate harmonization in other security fields too, it is recommended to use this instrument there as well.
As mentioned before, EFSG is an example of good practice in many areas. Nevertheless it has not yet reached its full potential. A number of issues remain and require solutions.
The findings of this deliverable include many additional useful observations for further work packages of CRISP in which specific strategic concepts for the European security certification landscape will be developed. ITSEC’s specific levels of trust and effectiveness, for example, offer interesting input for CRISP’s Work Package 4 in which the core certification dimensions security, trust, efficiency and freedom infringements will be analyzed. In addition, CEN/TC 224 gives an example of how aspects of trust can be included in European standards.