Scope
This document provides the foundations and concepts for the cybersecurity evaluation of complex systems. Two frameworks are defined:
• The first is used to specify the cybersecurity of a complex system, including system of systems.
• The second is used to evaluate the corresponding cybersecurity solutions.
The frameworks use basic architecture concepts:
• to enable description of reference or solution cybersecurity architectures;
• to support model-based, comprehensive and scalable security solutions and their evaluation; and
• to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles.
Purpose
The purpose of this NP is to address the cybersecurity evaluation of complex systems. The context of the work is the following:
The evaluation of systems is a concern that has been addressed by ISO/IEC 15408. As stated in ISO/IEC 15408: The ISO/IEC 15408 series permits comparability between the results of independent security evaluations. The ISO/IEC 15408 series does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to these IT products during a security evaluation. These IT products may be implemented in hardware, firmware, or software. Because the scope of ISO/IEC 15408 is IT products, it uses terms and concepts adapted to the description and evaluation of an internal subsystem (TOE) of an IT product (TOE), in particular related to:
– security problems,
– security objectives, and
– security requirements of IT products.
Terms at the outer level describe conditions that are external to the TOE, related to:
– assumptions,
– organisation security policies, and
– security objectives of the environment.
Consequently, ISO/IEC 15408 mainly addresses component-level considerations; it does not include material related to other levels of abstraction such as systems, complex systems or system-of-systems (SoS). Examples of systems could be local IT networks, clients and servers, datacentre applications with multiple components, combined automation solutions, etc.
Note that where systems are considered as organisations (including implemented processes), the 27000 series describes requirements for an Information Security Management System (ISMS) as well as assurance requirements for verifying its implementation (done by audits).
ISO/IEC WG3 has carried out the following work:
– two initial study periods started in October 2019:
   o cybersecurity assurance of complex systems (WG3_N1767)
   o integral structured multi-dimensional security model for IT systems (WG3_N1768)
The first provided a model of complex system cybersecurity, listed challenges, and suggested working on an ontology for complex system cybersecurity.
The second provided a security model and suggested two items of work: a contribution on a high-level framework (generic cybersecurity reference architecture), and the application of the framework to the specific ISO/IEC 15408 environment.
– PWI 5896 (cybersecurity assurance of systems and systems of systems based on ISO/IEC 15408), started in September 2020 (WG3_N1795, WG3_N1871, WG3_N1885, WG3_N1891, WG3_N1992, WG3_N2115, WG3_N2258, WG3_N2344, WG3_N2416) to propose an architecture-based approach for cybersecurity of complex systems, i.e., systems and system of systems (SoS).
The PWI has produced a report which covers the following points:
– An architecture-based framework for cybersecurity of complex systems.
– An architecture-based framework for evaluating cybersecurity of complex systems.
– A cybersecurity reference architecture for complex systems.
– Alignment with relevant existing standards, such as ISO/IEC/IEEE 420x0 series (architecture), ISO/IEC 15408 series, ISO/IEC 27000 series, and others.
– The identification of future work, e.g. on agile certification and governance support.
The resulting PWI report is the supporting document for this NP.