4-6 November | Sheraton Grand Doha, Qatar

Adaptation of Common Criteria Methodology to the Security Evaluation of Industrial Automation and Controls Systems – Theory Basics and Case Study (D30b)

This talk shows how CC and CEM can be adapted to the security evaluation of industrial automation and control systems (IACS). IACS are often used in critical infrastructures such as power grids, transportation, power plants, and the chemical industry, and are therefore increasingly a target of cyber-attacks. The adaptation of the CC methodology was based on the IEC 62443 standard, which defines technical security requirements and practices for developing and maintaining secure IACS components. The talk shows how the IACS security requirements were adapted to CC requirements and CEM evaluation work units. It also presents a case study of the security evaluation of a PLC used in power substations. The results of adapting CC to IACS-type products can be used in lightweight evaluation schemes, in FITCEM-like standards, and in compiling new evaluation methods under CC Part 4 (CC:2022) (CyberBeam R&D Project).