Understanding the Impact of the EU Certification Scheme on Cyber Builders
The new EU Certification Scheme is a nice first move but raises many questions about cost, complexity, and communication.
Hello Cyber Builders 👉🏼
I am continuing this exploration of product security with the topic of certification, zooming in on the upcoming EU-wide scheme, since a draft was published last week. You can take a look at the whole document here.
The European Union is an ambitious historical political construction promoting European peace and unity. It serves as a reminder of the history of war across the continent and the importance of maintaining democracy. Recent attacks against Ukraine and Israel highlight the ever-present threat of war and the attempts by extremists to undermine our democratic values.
As a cybersecurity product builder, I am excited about the upcoming EU-wide certification scheme, which addresses the need for a unified approach to product security. Today, there is no fast track for an EU company to reach other EU countries and do business there. We hope a certification scheme would help companies get certified in their home country and then sell easily in other EU countries, because end users - future customers - would trust the product and its efficiency.
Spoiler - I am sure we are here already! Let’s dive in.
This post is part of a series:
🔗 The Future of Cybersecurity: Everyone is a Software Producer. As software takes command, a new cybersecurity battlefield - software product security and its supply chain
🔗 Securing Software Supply Chains Start by Empathy. Exploring the Operational Triad of Software Product Security - Developers, Business Teams, and Product Security Officers
In this post
The EU certification scheme for cybersecurity products is a much-needed regulation.
It aims to establish a unified approach to product security in Europe.
The scheme focuses on deterministic products and provides security requirements.
It addresses the need for a standard EU certification scheme.
The certification process is complex and costly.
Startups and small businesses may face challenges in pursuing certification.
Clear communication and guidance are needed for the scheme's implementation.
Recommendations include expanding the scheme to cover all cybersecurity products, supporting startups and SMEs, and addressing the update paradox.
The scheme has the potential to enhance product security but may not create a substantial EU digital market.
A needed regulation that raises hope
Let’s look at the EU certification scheme and its importance for cybersecurity builders.
First, I have been building cybersecurity products long enough to realize how much the EU certification scheme was needed. It used to be such a problem – getting your product certified in France and then finding that this certificate garnered only honorific value in other EU states. It was like running a marathon with one leg. Not quite the most effective way, right?
Accelerating business growth across the entire EU is an absolute must for us EU Cyber Builders. Without it, entrepreneurs, whether French, Dutch, or German founders (or from any other EU country), don’t get the tangible advantages of starting their journey in Europe.
"The EU is not a market but a set of markets."
Despite the Commission’s vocabulary of the ‘EU Digital Market,’ Europe is not one single trading area. A wise person once observed, "The EU is not a market; it is a set of markets." Each country houses varied cultures, values, and preferences for specific features over others, which influence purchasing processes and supply chain decisions.
Purchasing channels range from direct interactions to indirect engagements via small local systems integrators or large telecommunications providers. This variety is further underscored by a diverse customer base, from large enterprises to thriving medium-sized family-owned businesses.
Hence, it is welcome to finally have a standard EU scheme.
Security objectives of European cybersecurity certification schemes
The first piece of the EU approach is the 2019 Cybersecurity Act. Article 51 clearly defines the security objectives of a certification scheme:
to protect stored, transmitted, or otherwise processed data against accidental or unauthorized storage, processing, access, or disclosure during the entire life cycle of the ICT product, ICT service, or ICT process;
to protect stored, transmitted, or otherwise processed data against accidental or unauthorized destruction, loss, alteration, or lack of availability during the entire life cycle of the ICT product, ICT service, or ICT process;
that authorized persons, programs, or machines are able only to access the data, services, or functions to which their access rights refer;
to identify and document known dependencies and vulnerabilities;
to record which data, services, or functions have been accessed, used, or otherwise processed, at what times, and by whom;
to make it possible to check which data, services, or functions have been accessed, used, or otherwise processed, at what times, and by whom;
to verify that ICT products, ICT services, and ICT processes do not contain known vulnerabilities;
to restore the availability and access to data, services, and functions in a timely manner in the event of a physical or technical incident;
that ICT products, ICT services, and ICT processes are secure by default and by design;
that ICT products, ICT services, and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities and are provided with mechanisms for secure updates.
The first scheme for cybersecurity products - the European cybersecurity certification scheme (EUCC)
The draft of the European Cybersecurity Certification Scheme (EUCC) was published in early October.
This initiative will establish the European Cybersecurity Certification Scheme (EUCC) based on common criteria.
The voluntary scheme will introduce security requirements for ICT security products (e.g., firewalls, encryption devices, electronic signature devices) and ICT products with built-in security functionality (e.g., routers, smartphones, bank cards).
Users of products certified under this scheme will have greater security.
It is a 50-page document (core plus appendices).
Let me try to recap the critical elements:
EUCC is based on the Common Criteria, the ISO/IEC 15408 standard.
It raises the bar with rules on how the standard is applied and on the roles of the various entities (ENISA at the EU level, national bodies, companies, etc.).
It focuses on vulnerability management practices to actively maintain a certificate over time. It defines what happens (notifications, assessment) when a vulnerability is found.
Appendices provide clarity on change management, which is a crucial aspect (see below).
Which products will fall under the regulation is still unclear. The document focuses on “deterministic” products such as smart cards (to store secrets), encryption software or VPNs, firewalls, digital identity systems and wallets, and certified telemetry.
These are security systems bound to maths and physics, where security results from a careful design, which has a long-term value as it relies on either a cryptographic function or a particular architecture (like a packet filter positioned between two physical network cards).
There is no mention of “threat” oriented products such as EDR, IDS, NDR, or XDR - anything that would provide more visibility, detect a threat, and collect forensics data.
Typically, these products detect threats based on behavior rather than on a deterministic approach, and that behavioral approach is not explicitly covered. These products analyze patterns, anomalies, and suspicious activities to detect potential threats. As the cybersecurity landscape continues to evolve, it is vital to consider including these behavior-based threat detection products in future iterations of the certification scheme.
I would also like to point out that another certification scheme covers Cloud technologies.
The ambivalent role of certification for cyber builders
I have worked on several Common Criteria projects involving a firewall, VPN, PKI, or encryption software.
The Common Criteria scheme is complex and rigorous. It begins by defining a Security Target document, which includes the target of evaluation (ToE - what is being assessed), the typical environment, and the associated threats (including physical access to the devices). In the Security Target, you can restrict the evaluation using assumptions (such as the famous case of the first CC evaluation of Microsoft Windows 2000, which assumed the machine was disconnected from the network). You also define the assurance measures taken to ensure the proper execution of the security functions, such as architecture documentation (HLD) and testing. As with any ISO standard, a waterfall mapping between objectives, requirements, and implementation is mandatory.
Based on the Security Target, a third-party company is hired to review and assess the work. This company also conducts its own functional testing to stress-test the security functions. Ultimately, you obtain strong evidence that the security feature has been correctly designed and implemented.
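The waterfall mapping mentioned above (threats countered by objectives, objectives satisfied by functional requirements, requirements implemented by modules and exercised by tests) is what evaluators check first, and gaps in it are the usual reason an evaluation stalls. As an added illustration that is not part of the original post and not any scheme's official tooling, here is a small Python checker over such a traceability matrix. The product, its threat identifiers and the module and test names are constructed; the requirement identifiers follow the Common Criteria naming style (FDP_IFC.1, FIA_UAU.2, FAU_STG.1) but the way they are mapped here is an assumption made for the example.

```python
"""Traceability checker for a Security Target's waterfall mapping.

Added example, not from the original post. The chain checked is
threats -> objectives -> security functional requirements (SFRs)
-> implementing modules, and SFRs -> tests. Every identifier in the
sample data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class SecurityTarget:
    threats: dict       # threat id -> description
    objectives: dict    # objective id -> set of threat ids it counters
    requirements: dict  # SFR id -> set of objective ids it satisfies
    modules: dict       # module name -> set of SFR ids it implements
    tests: dict         # test id -> set of SFR ids it exercises


def check_layer(child_kind, children, parent_kind, parents):
    """Report parents nobody references and children pointing at unknown parents."""
    gaps = []
    referenced = set()
    for child_id, parent_ids in children.items():
        for parent_id in parent_ids:
            if parent_id in parents:
                referenced.add(parent_id)
            else:
                gaps.append(f"{child_kind} {child_id} references unknown "
                            f"{parent_kind} {parent_id}")
    for parent_id in parents:
        if parent_id not in referenced:
            gaps.append(f"{parent_kind} {parent_id} is not covered by any {child_kind}")
    return gaps


def find_gaps(st):
    """Walk the whole waterfall; an empty list means the mapping is complete."""
    gaps = []
    gaps += check_layer("objective", st.objectives, "threat", st.threats)
    gaps += check_layer("requirement", st.requirements, "objective", st.objectives)
    gaps += check_layer("module", st.modules, "requirement", st.requirements)
    gaps += check_layer("test", st.tests, "requirement", st.requirements)
    return gaps


# Constructed sample: a packet-filter firewall whose Security Target is
# still incomplete (an uncountered threat, a dangling objective reference,
# an unimplemented SFR and untested SFRs).
EXAMPLE_ST = SecurityTarget(
    threats={
        "T.UNAUTH_FLOW": "traffic crosses the filter without a matching rule",
        "T.TAMPER_RULES": "an unauthenticated user modifies the rule base",
        "T.LOG_LOSS": "audit records are lost or altered",
    },
    objectives={
        "O.FILTER": {"T.UNAUTH_FLOW"},
        "O.ADMIN_AUTH": {"T.TAMPER_RULES"},
    },
    requirements={
        "FDP_IFC.1": {"O.FILTER"},
        "FIA_UAU.2": {"O.ADMIN_AUTH"},
        "FAU_STG.1": {"O.AUDIT"},  # O.AUDIT was never declared
    },
    modules={
        "packet_filter": {"FDP_IFC.1"},
        "admin_console": {"FIA_UAU.2"},
    },
    tests={
        "TST-001": {"FDP_IFC.1"},
    },
)

# The same target once the missing objective, module and tests are added.
EXAMPLE_ST_FIXED = SecurityTarget(
    threats=EXAMPLE_ST.threats,
    objectives={**EXAMPLE_ST.objectives, "O.AUDIT": {"T.LOG_LOSS"}},
    requirements=EXAMPLE_ST.requirements,
    modules={**EXAMPLE_ST.modules, "audit_store": {"FAU_STG.1"}},
    tests={"TST-001": {"FDP_IFC.1"}, "TST-002": {"FIA_UAU.2"}, "TST-003": {"FAU_STG.1"}},
)

if __name__ == "__main__":
    for gap in find_gaps(EXAMPLE_ST):
        print("GAP:", gap)
    print("fixed target gaps:", find_gaps(EXAMPLE_ST_FIXED))
```

Run on the incomplete target, the checker lists five gaps (the uncountered threat, the reference to the undeclared objective, the SFR with no implementing module, and the two untested SFRs); on the completed target it returns nothing. The same layer check is reused for every step of the waterfall, which is what makes it cheap to extend with further levels such as assurance documents or interface specifications.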
Implementing the EU certification process can be challenging and requires a thorough understanding. The expectations are high for cybersecurity product builders to enter the EU market, but the certification process's complexity and cost should be considered.
Let’s review four key issues: complexity, cost, ambiguity, and updates.
A complex process
Common Criteria security analysis is a complex process. It demands a comprehensive, meticulous approach, where we examine every aspect of a product, from installation to its modules.
We begin with the product as it is, freshly installed. Our first step is to examine its security functions. From there, we delve into the intricacies of its technical architecture, breaking it down into its constituent modules. These modules must be thoroughly documented and rigorously tested, and their interfaces must be well defined.
This process is more than just functional testing of the entire system to verify its overall response. It is akin to inspecting a car, opening the door, and then dismantling it piece by piece, testing each component against a set of security constraints. This thorough analysis might seem overwhelming, but its value from a security perspective is enormous. It’s a precise and in-depth process, and its complexity necessitates significant work and a high degree of expertise.
From my experience as a Cyber Builder since 2000, I've found that CC-based schemes are often too complex and unsuitable for many certification projects. The project structure and required documentation can be challenging to produce, adding to their unsuitability.
To address these challenges, we have what are known as "protection profiles." These are templates for security targets designed to streamline and simplify security analysis.
Another route that many countries have taken is to create a simplified certification scheme. Each of these frameworks serves a specific purpose:
They provide a more accessible and affordable "first step," offering pragmatic and actionable guidance. Examples include French CSPN and UK BSPA.
They define a vertical-focus approach based on expert knowledge. For instance, there is IEC 62443 in industry, and in IoT there are ioXt and MIFARE.
ENISA hosted a talk on the various schemes (Presentation of Jose Ruiz Gualda on the market of Cybersecurity Certification). I've included some slides below listing the multiple frameworks in the EU.
A high-cost process
In the complex world of cyber security, certifications act as crucial indicators of quality and trust. However, obtaining these certifications can be daunting, given their complexity and associated costs.
Internal - Roles and Responsibilities
The journey toward certification begins with assembling a dedicated team. A project manager, capable of navigating the intricacies of standards like ISO, is required to drive the initiative, interact with multiple stakeholders, and coordinate the implementation. In addition, a security architect must understand the functional requirements and evaluate the software's architecture, code, and development process, ensuring that all required practices are correctly implemented.
Lastly, software engineers or developers are called upon to fill gaps, implement additional functions, or draft specific documents or tests. Thus, the internal cost alone can range between 300,000 and 500,000 euros.
External - Evaluation and Testing
Beyond internal efforts, the certification process also involves an external evaluation. An audit firm usually performs this task by conducting interviews and reviewing documents. Further, a technical testing center performs tests to stress test the security functions, seeking to bypass them or identify vulnerabilities. Such evaluation phases can cost between 100,000 and 150,000 euros for a product of average complexity.
Impact on Startups and Small Businesses
Adding these costs together, a certification project of this nature can cost between 500,000 and 1 million euros. This estimate does not even consider additional product development, marketing efforts, market access, communication, and other factors that may arise.
Given these prohibitive costs, the question arises: Can startups or small businesses afford such an investment? Particularly for a startup trying to penetrate a market and raise between 1 and 2 million euros at inception, dedicating a third or half of its financing to obtaining this certification seems unrealistic. This situation, unfortunately, excludes smaller companies that lack the bandwidth or resources to pursue certification.
Always ambiguous for end users
Common Criteria, the standard used to evaluate the security of a product, is not meant to assess effectiveness against threats posed by cybercriminals or state actors. For instance, when it comes to encryption, Common Criteria certifies whether the Advanced Encryption Standard (AES) is used correctly, without exposing the key on the disk or making it vulnerable to an RSA Oracle attack. It does not evaluate the AES algorithm itself.
A major misconception is that security certification is a testament to a security feature's effectiveness against all threats. But, in reality, certifications focus on the intrinsic security of a product, i.e., how well its security functions have been designed, implemented, and tested within the product and by the company selling it.
Don’t get me wrong: cybersecurity needs well-designed and well-implemented security products. An attacker hijacking a security product has enormous consequences. It has happened multiple times with VPN appliance hacks in the past.
However, the security efficiency to detect and mitigate threats to other systems must be “certified” to help end-users select the correct security products. Offerings providing poor protection to end-users need to be removed from the market.
Communication about certification paths often lacks clarity, leaving users in the dark about what is being certified, what benefits it brings, and why it is relevant. This lack of clear communication can lead to marketing bloat, which, in turn, can undermine the value of the certificate.
For example, I have seen vendors playing with assurance level numbers, ranging from 1 to 7 in the CC scheme. The assurance level is not really about the “security value” of a particular solution. It is more about how much you evaluate the product's intrinsic security. Moreover, the actual use case must be reflected within the security target to prevent a high level of certification in a context that is not how cybersecurity products get deployed.
An Update Paradox
In the ever-evolving world of software, it's a common practice to update and modify a product to keep it at par with the latest threats and advancements. However, this practice often collides with the stringent rules of product certification, creating a paradox.
When you decide to update or modify your software product, its certification becomes void. This is because the certification was granted based on the original version of the product. Any changes, however minor, can potentially impact the product's functionality or security, thus negating the certification.
Under the European scheme, any change in a software product necessitates an impact study. This study is then communicated to the evaluation center, which works with the software producer to determine whether the change affects a function essential to the certification. This approach is logical for deterministic security products such as network equipment, encryption, and digital identity, where even the slightest adjustment can have significant implications. Note that this increases the maintenance cost of a given piece of software.
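To make that maintenance cost concrete, here is an added example (not from the original post, and not a procedure quoted from the EUCC draft) of the first step a vendor can automate before writing an impact study: diff a candidate build against the certified baseline and separate the changes that touch the TOE, the modules listed in the Security Target as implementing security functions, from those that do not. The file paths, file contents and the choice of `toe/` as the certified boundary are constructed, and the decision rule (any change under a TOE path means an impact study is needed) is an assumption of this example; the evaluation center still decides the actual outcome.

```python
"""Change-impact triage of a build against a certified baseline.

Added example, not from the original post. Release manifests are
path -> SHA-256 maps; the TOE boundary is a list of path prefixes taken
from the Security Target. All sample files and paths are constructed.
"""
import hashlib
from dataclasses import dataclass


def manifest(files):
    """Build a release manifest: path -> SHA-256 of the file content."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def in_toe(path, toe_prefixes):
    """True if the path is one of the TOE prefixes or lies underneath one."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in toe_prefixes)


@dataclass
class ImpactReport:
    toe_changes: list    # (kind, path) inside the certified boundary
    other_changes: list  # (kind, path) outside it, kept for the maintenance record

    @property
    def impact_study_required(self):
        # Assumption of this example: any change to a TOE file needs the study.
        return bool(self.toe_changes)


def triage(baseline, candidate, toe_prefixes):
    """Classify added, removed and modified files by whether they touch the TOE."""
    changes = []
    for path in sorted(set(baseline) | set(candidate)):
        if path not in candidate:
            changes.append(("removed", path))
        elif path not in baseline:
            changes.append(("added", path))
        elif baseline[path] != candidate[path]:
            changes.append(("modified", path))
    toe = [c for c in changes if in_toe(c[1], toe_prefixes)]
    other = [c for c in changes if not in_toe(c[1], toe_prefixes)]
    return ImpactReport(toe, other)


# Constructed certified release: two TOE modules plus UI and documentation.
TOE_PREFIXES = ["toe/"]
CERTIFIED_FILES = {
    "toe/packet_filter.c": b"int filter(pkt *p) { return match_rules(p); }\n",
    "toe/admin_auth.c": b"int login(cred *c) { return verify(c); }\n",
    "ui/dashboard.js": b"render(stats);\n",
    "docs/README.md": b"# Firewall\n",
}
CERTIFIED = manifest(CERTIFIED_FILES)


def cosmetic_release():
    """A UI tweak and a new changelog: nothing inside the TOE changed."""
    files = dict(CERTIFIED_FILES)
    files["ui/dashboard.js"] = b"render(stats, {theme: 'dark'});\n"
    files["docs/CHANGELOG.md"] = b"- dark theme\n"
    return triage(CERTIFIED, manifest(files), TOE_PREFIXES)


def filter_fix_release():
    """A bug fix in the packet filter: a certified security function changed."""
    files = dict(CERTIFIED_FILES)
    files["toe/packet_filter.c"] = b"int filter(pkt *p) { return p && match_rules(p); }\n"
    return triage(CERTIFIED, manifest(files), TOE_PREFIXES)


if __name__ == "__main__":
    for name, report in (("cosmetic", cosmetic_release()), ("filter fix", filter_fix_release())):
        print(name, "-> impact study required:", report.impact_study_required)
        print("  TOE changes:", report.toe_changes)
        print("  other changes:", report.other_changes)
```

The cosmetic release reports no TOE change and can be documented as a no-impact maintenance update, while the packet-filter fix flags the certified module and triggers the study. A path-based boundary is a deliberate simplification: a change in a library that TOE modules depend on would also need to be treated as in scope, so in practice the prefix list has to include those dependencies or the triage must follow the build graph.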
The paradox becomes even more pronounced when we examine detection or cloud software - which looks out of the scope of the current EUCC draft. These types of software are designed to identify and counter new threats, which means they frequently need to be updated. However, each update technically voids the certification. This puts the customer in a difficult position: update the software to protect against new threats and lose the certification, or stick with the certified version and potentially leave themselves vulnerable to new threats.
There is a clear need for a more flexible certification system to accommodate the dynamic nature of software development while ensuring security and reliability. This will assure consumers of using a certified product without compromising their ability to counter new threats.
A Few Recommendations
Let me provide some humble recommendations:
Provide ASAP a certification scheme for all cybersecurity products, not just deterministic, crypto-bound products. Add Cloud to that unified scheme as it is a material set of technologies nowadays. This scheme should be easy to implement while still offering high security.
Consider how startups and SMEs will be able to implement the EU scheme. This can be achieved by building training, establishing a support team, and allocating dedicated bandwidth to assist those who do not have a dedicated certificate team in-house. Additionally, offering guidance on how to navigate the certification process can be beneficial.
Before final publication and enforcement, the scheme should have at least ten protection profiles or “templates.” These profiles will help set a baseline of what is required and ensure comprehensive coverage.
Take steps to enhance communication around the scheme. It is essential to communicate what is evaluated during the certification process and provide transparency regarding the threats that are covered and those that are not. This will help stakeholders fully understand the scope and limitations of the scheme.
Provide clearer guidelines on the update paradox. This will assist organizations in understanding how to effectively manage updates and ensure that they do not compromise the security of their systems.
These suggestions aim to expand upon the original ideas while providing additional details and considerations.
A step in the right direction, but not yet an EU cybersecurity maker
In conclusion, the EU certification scheme for cybersecurity products is a much-needed regulation that raises hope for cybersecurity builders across Europe. The scheme aims to establish a unified approach to product security and provide greater security for users of certified products.
However, it is essential to acknowledge that the complexity, cost, and ambiguity surrounding the certification process may pose challenges for startups and small businesses. Furthermore, the scheme's focus on deterministic products and the update paradox for software updates may limit its effectiveness in addressing all cybersecurity threats.
Lastly, given its rigidity and the delays it involves, it restricts the ability of all companies - including startups and SMEs - to quickly bring to market solutions adapted to the threat.
While the scheme is a step in the right direction, it won't create a more substantial EU digital market. It needs several additions and simplifications to amplify EU Cyber Builders' efforts!
I welcome your comments and remarks on the EU certification scheme and its potential impact on the cybersecurity industry in Europe.
Laurent 💚