
Trustworthiness in Security Certification

Trustworthiness via Security Certification

Events & Webcasts, Safety, Security

by Sergey Tverdyshev, Director Research & Technology

CCUF (Common Criteria User Forum) is an open community of security experts, security evaluators, vendors of SW and HW products, certification bodies and governmental agencies. The event typically lasts four days, fully packed with informal workshops and discussions. CCUF meets twice a year at changing venues, with participants from all around the globe.

ICCC (International Common Criteria Conference) is an annual venue and took place this year for the 17th time. Common Criteria (also known as ISO 15408) is an international framework for IT security evaluations. ICCC is the prime event for presenting progress in security certification approaches, which in turn enable international business operations.

Typically, CCUF and ICCC are co-located, with CCUF preceding ICCC.

During the CCUF a new working group on hypervisors for cloud environments was initiated. This is very good news, since it nicely complements the activities of the Separation Kernel Working Group (SK WG). The SK WG is focussed on embedded devices and compositional assurance. Both groups share some technologies (e.g. usage of the same CPUs) but act in completely different environments and thus have different top-level requirements. We had a nice exchange and are looking forward to profiting from each other’s work.

This year there were a lot of discussions about forming an industrial security certification scheme, similar to the one that already works in the safety domain and is applied in avionics and railway. Nowadays, security certification is done with the help of governmental agencies. The industry as a whole recognises that an avalanche of IoT devices and connected vehicles will challenge the current certification approaches via governmental agencies. This is underlined by the omnipresent headlines of hacked dolls, webcams, kitchen appliances, sex toys, and the list goes on indefinitely. Thus, the industrial environment needs a way to give the end customer security assurance: a security assurance they can afford, and a security assurance that can keep up with the high-speed lifecycle of the modern connected world. An industrial certification scheme could help to keep up with that challenge.

This year @Alvaro and I had a joint presentation on compositional security assurance in safety-critical systems. The room was full, with about 90 participants. For the talk we chose one of the @certMILS pilots, the Prague subway system, to demonstrate how safety and security requirements interact and are addressed coherently.

The pilot in short: the subway control networks are classified into three categories. Cat-3 can be an open network where traffic can hardly be controlled. Cat-2 is a restricted environment where systems such as operation management and supervision reside. The Cat-2 network is connected to the company office networks, which are Cat-3 (e.g. for schedule planning), and also to the Cat-1 network. The Cat-1 network is the safety-critical network, where real-time behaviour, determinism, and dependable execution are a must.

In the certMILS project we focus on mixed-criticality gateways which connect all those networks and guarantee safe and secure information processing and flow. In Figure 1 they are the GW blocks in circles. The gateways are built with the MILS approach [MILS Architecture].

The ultimate goal is to create assurance for the whole subway network which is a huge distributed system of systems.
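One way to make the "assurance for the whole system of systems" concern concrete is to check the network topology itself: every link between networks of different criticality must pass through a gateway, and no gateway may bridge categories that are not adjacent (e.g. Cat-3 wired straight to Cat-1). The following is an added example written for this post, not certMILS project code; the node names, the "GW" naming convention for gateways, and both sample topologies are constructed for illustration and only loosely follow the pilot description above.

```python
"""Segmentation check for a Cat-1/Cat-2/Cat-3 network with gateways.
Added example; topology, node names and the GW-prefix convention are
constructed assumptions, not taken from the certMILS pilot."""
from collections import deque

CATEGORY_RANK = {"Cat-3": 1, "Cat-2": 2, "Cat-1": 3}  # higher = more critical


def is_gateway(node):
    # Assumption for this example: gateway nodes are named "GW-...".
    return node.startswith("GW")


def _neighbours(topology, node):
    # Adjacency is given one-sided; treat every link as undirected.
    nbrs = set(topology.get(node, ()))
    for other, links in topology.items():
        if node in links:
            nbrs.add(other)
    return nbrs


def ungated_paths(topology, category):
    """Paths from a network to a MORE critical network that cross no gateway.
    Returns a list of (src, dst, path)."""
    findings = []
    for src in category:
        seen = {src}
        queue = deque([(src, [src])])
        while queue:  # BFS that refuses to step onto gateway nodes
            node, path = queue.popleft()
            for nxt in _neighbours(topology, node):
                if nxt in seen or is_gateway(nxt):
                    continue
                seen.add(nxt)
                new_path = path + [nxt]
                if nxt in category and \
                        CATEGORY_RANK[category[nxt]] > CATEGORY_RANK[category[src]]:
                    findings.append((src, nxt, new_path))
                queue.append((nxt, new_path))
    return findings


def gateways_skipping_a_category(topology, category):
    """Gateways whose directly attached networks differ by more than one
    criticality level (Cat-3 directly into Cat-1 with no Cat-2 in between)."""
    findings = []
    for node in topology:
        if not is_gateway(node):
            continue
        ranks = {CATEGORY_RANK[category[n]]
                 for n in _neighbours(topology, node) if n in category}
        if ranks and max(ranks) - min(ranks) > 1:
            findings.append(node)
    return findings


def check_segmentation(topology, category):
    return {"ungated": ungated_paths(topology, category),
            "skipping": gateways_skipping_a_category(topology, category)}


# Constructed sample: the intended layout, each boundary guarded by a gateway.
INTENDED = {
    "office-net": {"GW-office"},   # Cat-3
    "GW-office": {"ops-net"},
    "ops-net": {"GW-track"},       # Cat-2
    "GW-track": {"track-ctrl"},
    "track-ctrl": set(),           # Cat-1
}
# Constructed sample: same layout plus an undocumented direct link from the
# operations network into the track control network.
BYPASSED = {k: set(v) for k, v in INTENDED.items()}
BYPASSED["ops-net"].add("track-ctrl")

CATEGORY = {"office-net": "Cat-3", "ops-net": "Cat-2", "track-ctrl": "Cat-1"}

if __name__ == "__main__":
    for name, topo in (("intended", INTENDED), ("bypassed", BYPASSED)):
        print(name, check_segmentation(topo, CATEGORY))
```

The check is deliberately topological: it says nothing about what a gateway filters, only that every cross-category flow is forced through one, which is the precondition for the gateway's own assurance case to mean anything for the system as a whole.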

In the certMILS consortium we have defined an approach consisting of a combination of IEC 62443 and Common Criteria.

To create assurance for the top-level parts of the system, e.g. the company network (Cat-3) and the operations network (Cat-2), we apply IEC 62443 parts 2 and 3. For the assurance of the mixed-criticality gateway in the subway domain we apply IEC 62443 part 4, and we enforce the design and achieve high assurance for this gateway by applying Common Criteria (see Figure 2).

Common Criteria is used to create assurance for the critical components such as the Separation Kernel, specific device drivers, and software components of different criticalities. The challenge is that in the end we need “one composed assurance”, i.e. the security case, to be exported into the higher-level security case created within IEC 62443 part 4/part 3. Another challenge is that the functional composition of these gateways changes depending on the deployment, e.g. some need Wi-Fi support and others do not, and thus two different systems to be certified appear.

To address these two challenges the certMILS project is developing a compositional security approach allowing Pick&Mix for security assurance, in a similar way as we do during software system integration. [1] [2] The core of this approach is the use of Common Criteria modules, which have been introduced in the recent release Common Criteria v3.1 r5. We have created a base specification for the Separation Kernel and a list of modules which can be picked and mixed as required by the system architecture. The work is done in the certMILS project and publicly discussed and improved in the Separation Kernel Working Group of the CCUF.
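To show what "Pick&Mix" over a base specification and a set of modules means mechanically, here is an added toy model written for this post; it is not certMILS code and does not reproduce the Common Criteria module format. The base, the module catalogue, its feature names and the conflict rule are all constructed assumptions. It takes the feature set a deployment needs (with or without Wi-Fi, as in the paragraph above), pulls in the modules those features require, refuses inconsistent combinations, and returns the resulting module list, so that two deployments yield two distinct, but separately checkable, compositions over the same base.

```python
"""Toy Pick&Mix composition over a base specification plus modules.
Added example; module names, features and conflicts are constructed,
not the certMILS catalogue or the Common Criteria module format."""

# Constructed base specification: what the Separation Kernel itself provides.
BASE = {"name": "SK-base",
        "provides": {"partitioning", "info-flow-control", "time-partitioning"}}

# Constructed module catalogue: what each module needs from the composition,
# what it adds, and what it must never be combined with.
MODULES = {
    "eth-driver":  {"requires": {"partitioning"}, "provides": {"ethernet"}},
    "wifi-driver": {"requires": {"partitioning"}, "provides": {"wifi"}},
    "net-filter":  {"requires": {"info-flow-control", "ethernet"},
                    "provides": {"filtering"}},
    "crypto":      {"requires": {"partitioning"}, "provides": {"crypto"}},
    "vpn":         {"requires": {"crypto", "ethernet"}, "provides": {"vpn"}},
    "debug-port":  {"requires": set(), "provides": {"debug"},
                    "conflicts": {"filtering"}},
}


def compose(base, modules, wanted):
    """Select the modules providing the wanted features, transitively add what
    they require, reject conflicts; return the sorted list of chosen modules."""
    provided = set(base["provides"])
    chosen = set()
    todo = set(wanted)
    while todo:
        feature = todo.pop()
        if feature in provided:
            continue
        candidates = [m for m, spec in modules.items() if feature in spec["provides"]]
        if not candidates:
            raise ValueError(f"no module provides {feature!r}")
        module = sorted(candidates)[0]  # deterministic pick
        chosen.add(module)
        provided |= modules[module]["provides"]
        todo |= modules[module]["requires"] - provided
    for module in chosen:
        clash = modules[module].get("conflicts", set()) & provided
        if clash:
            raise ValueError(f"{module} conflicts with {sorted(clash)}")
    return sorted(chosen)


def certification_targets(base, modules, deployments):
    """Map each deployment name to (base name, module list): one target per
    distinct composition, all sharing the same base specification."""
    return {name: (base["name"], compose(base, modules, wanted))
            for name, wanted in deployments.items()}


# Constructed deployments: the same gateway with and without Wi-Fi.
DEPLOYMENTS = {
    "gateway-wired": {"filtering", "vpn"},
    "gateway-wifi":  {"filtering", "vpn", "wifi"},
}

if __name__ == "__main__":
    for name, target in certification_targets(BASE, MODULES, DEPLOYMENTS).items():
        print(name, target)
```

The two deployments differ in exactly one module, so the composed security case for the wired gateway is reusable for the Wi-Fi variant plus the delta; an inconsistent request (here, a debug port next to the filter) is rejected before any assurance argument is built on it.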

Dear reader, if you have managed to read this far, you are welcome and definitely should join the Separation Kernel Working Group at the CCUF. Just go to to join the CCUF and then, to join the Separation Kernel Working Group, send us an e-mail at

These two events were full of interesting encounters and I need a moment to let my mind digest all this new information. Luckily, the sun came out and I had a nice “mental digesting” opportunity: a one-hour walk through beautiful Amsterdam to the railway station. On my way I noticed a sign which reminded me of the coherent composition for seamless integration in traffic control I was talking about during my talk.