How the Cybersecurity Act Promotes Security by Design


A story which has become legendary in the cybersecurity community relates how a casino operation in America was hacked via an Internet-connected thermometer attached to an aquarium in the lobby.

According to the account, which appeared in Hacker News last year, the cybercriminals “exploited a vulnerability in the thermostat to get a foothold in the network.” From there they were able to access the casino’s database of wealthy clients and spirit the information into the cloud via the same thermometer.

A cautionary tale about the dangers posed by random devices connected to strategic systems, this story demonstrates how easy it is to disregard cybersecurity in the context of the connected products and Internet of Things devices which have become an integral part of our personal and professional lives.

The Cybersecurity Act

On March 12, 2019, when representatives of the European Parliament approved the Cybersecurity Act, they also approved the establishment of an EU cybersecurity certification framework. The framework is premised on incorporating security features in the early stages of technical design and development (security by design), so that products, processes and services meet common minimum cybersecurity requirements which are valid throughout Europe.

Security by Design

The concept of security as intrinsic to the design process (security by design) is eloquently described by Dr. Andrea Rigoni, Partner at Deloitte - Cyber Risk Services in an article entitled Cybersecurity: The Importance of Being Certified (and Competitive). Comparing the safety of a digital service with that of an airplane he writes:

“Security is not “bolted-on” to the aircraft at the end of the production line, but is built-in, in every component, every wire, every material. The same is true for cybersecurity.”

The reality, he maintains, is that “most IT products and services are designed without considering their cyber risk exposure: making them secure at a later stage is not only very expensive, but very ineffective.”

Work Programme

Cybersecurity is one of five ICT standardisation priorities identified by the European Commission in 2016 as essential building blocks of the Digital Single Market. The others are 5G communications, cloud computing, the internet of things (IoT), and (big) data technologies.

Given the sheer number and variety of the certification schemes which will need to be developed to cover the full landscape of products, services and technologies requiring certification, the implementation process will be managed over a succession of annual work programmes. The publication of the 2020 Rolling Plan for the uptake of ICT security standards is imminent.

Cybersecurity Certification for Cloud Services

In the meantime, the EU’s cybersecurity agency ENISA is already preparing a candidate cybersecurity certification for cloud services, taking into account existing and relevant schemes and standards, and will shortly launch a call for expressions of interest in an Ad-Hoc Working Group for Cloud Cybersecurity Certification.

For more in-depth coverage on the birth of the Cybersecurity Act, read this article.

Cybersecurity Certification for Training

From the perspective of, certification related to training is obviously of key interest. As such, we liaise closely with the European Competence Centre Pilot Projects, all of which are contributing to ENISA's work in this regard. The Competence Centres were represented at the first Open Pilots Workshop held in Pisa on 5 November. A second workshop is in preparation and will take place in Lille on 31 January 2020.

How the Cybersecurity Act Promotes Security by Design | Cyber Range & Capacity Building in Cybersecurity