Defining security requirements with Common Criteria: applications, adoptions, and challenges

Advances of emerging Information and Communications Technology (ICT) technologies push the boundaries of what is possible and open up new markets for innovative ICT products and services. The adoption of ICT products and systems with security properties depends on consumers’ confidence and markets’ trust in the security functionalities and whether the assurance measures applied to these products meet the inherent security requirements. Such confidence and trust are primarily gained through the rigorous development of security requirements, validation criteria, evaluation, and certification. Common Criteria for Information Technology Security Evaluation (often referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for cyber security certification. In this paper, we conduct a systematic review of the CC standards and its adoptions. Adoption barriers of the CC are also investigated based on the analysis of current trends in security evaluation. Specifically, we share the experiences and lessons gained through the recent Development of Australian Cyber Criteria Assessment (DACCA) project that promotes the CC among stakeholders in ICT security products related to specification, development, evaluation, certification and approval, procurement, and deployment. Best practices on developing Protection Profiles, recommendations, and future directions for trusted cybersecurity advancement are presented.

[1]  Liu Chen,et al.  A Survey on NoSQL Stores , 2018, ACM Comput. Surv..

[2]  Chun-Hung Richard Lin,et al.  Intrusion detection system: A comprehensive review , 2013, J. Netw. Comput. Appl..

[3]  Baldini Gianmarco,et al.  An analysis on the development and application of cybersecurity standards , 2018 .

[4]  Antonio F. Gómez-Skarmeta,et al.  Security certification and labelling in Internet of Things , 2016, 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT).

[5]  Hans A. Hansson,et al.  Applicability of the IEC 62443 standard in Industry 4.0 / IIoT , 2019, ARES.

[6]  Claudio Gutierrez,et al.  Survey of graph database models , 2008, CSUR.

[7]  Zhenhua Wei,et al.  Summary of Research on IT Network and Industrial Control Network Security Assessment , 2019, 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC).

[8]  Yang Xiao,et al.  A Survey of Payment Card Industry Data Security Standard , 2010, IEEE Communications Surveys & Tutorials.

[9]  Rahim Tafazolli,et al.  Large-Scale Indexing, Discovery, and Ranking for the Internet of Things (IoT) , 2018, ACM Comput. Surv..

[10]  F SkarmetaAntonio,et al.  A Survey of Cybersecurity Certification for the Internet of Things , 2020, ACM Comput. Surv..

[11]  P. Alam,et al.  H , 1887, High Explosives, Propellants, Pyrotechnics.

[12]  Dongho Won,et al.  Protection Profile for Secure E-Voting Systems , 2010, ISPEC.

[13]  Dimitris Gritzalis,et al.  Towards an Ontology-based Security Management , 2006, 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA'06).

[14]  Richard Kissel,et al.  Glossary of Key Information Security Terms , 2014 .

[15]  Hsinchun Chen,et al.  Uninvited Connections: A Study of Vulnerable Devices on the Internet of Things (IoT) , 2014, 2014 IEEE Joint Intelligence and Security Informatics Conference.

[16]  Rossouw von Solms,et al.  From information security to cyber security , 2013, Comput. Secur..

[17]  Dan M. Bowers Access Control and Personal Identification Systems , 1988 .

[18]  Wei Ni,et al.  Anatomy of Threats to the Internet of Things , 2019, IEEE Communications Surveys & Tutorials.

[19]  Sarah Higgins Information Security Management: THE ISO 27000 (ISO 27K) SERIES , 2009 .

[20]  Richard E. Smith Trends in Security Product Evaluations , 2007, Inf. Secur. J. A Glob. Perspect..

[21]  Shin'ichiro Matsuo How formal analysis and verification add security to blockchain-based systems , 2017, 2017 Formal Methods in Computer Aided Design (FMCAD).

[22]  Christoph Busch,et al.  Biometric Systems and Data Protection Legislation in Germany , 2008, 2008 International Conference on Intelligent Information Hiding and Multimedia Signal Processing.

[23]  David M. Nicol,et al.  Designed-in Security for Cyber-Physical Systems , 2014, IEEE Secur. Priv..

[24]  JindalRajni,et al.  Blockchain Technology for Cloud Storage: A Systematic Literature Review , 2020 .

[25]  George Suciu,et al.  Lego Methodology Approach for Common Criteria Certification of IoT Telemetry , 2019, WorldCIST.

[26]  Ganesh Chandra Deka,et al.  A Survey of Cloud Database Systems , 2014, IT Professional.

[27]  Philippe Kruchten,et al.  Towards agile security assurance , 2004, NSPW '04.

[28]  Anders Carlsson,et al.  Analysis of Assets for Threat Risk Model in Avatar-Oriented IoT Architecture , 2018, NEW2AN.

[29]  Miroslav Bures,et al.  Internet of Things: Current Challenges in the Quality Assurance and Testing Methods , 2018, ICISA.

[30]  Massonet Philippe,et al.  Towards Incremental Safety and Security Requirements Co-Certification , 2020, 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).

[31]  Patrick Valduriez,et al.  Distributed and parallel database systems , 1996, CSUR.

[32]  Mike Bond,et al.  How Certification Systems Fail: Lessons from the Ware Report , 2012, IEEE Security & Privacy.

[33]  Paul Rimba,et al.  Data-Driven Cybersecurity Incident Prediction: A Survey , 2019, IEEE Communications Surveys & Tutorials.

[34]  Khaled M. Khan,et al.  Characterising user data protection of software components , 2000, Proceedings 2000 Australian Software Engineering Conference.

[35]  Aaron Adler,et al.  Remote Management of Boundary Protection Devices with Information Restrictions , 2019, AAAI.

[36]  Air Force Air Force Materiel Command Hq FIPS-PUB-180-1 , 1995 .

[37]  Els J. Kindt,et al.  Privacy and Data Protection Issues of Biometric Applications , 2013 .

[38]  Abdulmonam Omar Alaswad,et al.  Vulnerabilities of Biometric Authentication “Threats and Countermeasures” , 2006 .

[39]  Sedat Akleylek,et al.  Security requirements for cryptographic modules , 2013 .

[40]  Mario Piattini,et al.  A common criteria based security requirements engineering process for the development of secure information systems , 2007, Comput. Stand. Interfaces.

[41]  Dongubm Lee A Study on Protection Profile for Multi-function Devices , 2015, Inscrypt 2015.

[42]  Janet Cugini,et al.  The common criteria: on the road to international harmonization , 1995 .

[43]  Rafal Leszczyna,et al.  Cybersecurity and privacy in standards for smart grids - A comprehensive survey , 2018, Comput. Stand. Interfaces.

[44]  Jorge Sá Silva,et al.  Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues , 2015, IEEE Communications Surveys & Tutorials.

[45]  F. Cappa,et al.  An effective approach to mobile device management: Security and privacy issues associated with mobile applications , 2020, Digital Business.

[46]  Lawrie Brown,et al.  Computer Security: Principles and Practice , 2007 .

[47]  A first Step towards a Protection Profile for the Security Evaluation of Consensus Mechanisms , 2020, 2020 7th International Conference on Internet of Things: Systems, Management and Security (IOTSMS).

[48]  P. Alam,et al.  R , 1823, The Herodotus Encyclopedia.

[49]  Charlotte Hill,et al.  Wearables – the future of biometric technology? , 2015 .

[50]  Tom Caddy,et al.  Common Criteria , 2005, Encyclopedia of Cryptography and Security.

[51]  Nahid Shahmehri,et al.  Introducing Vulnerability Awareness to Common Criteria's Security Targets , 2009, 2009 Fourth International Conference on Software Engineering Advances.

[52]  Xiaojiang Du,et al.  A survey of key management schemes in wireless sensor networks , 2007, Comput. Commun..

[53]  Alexey Markov,et al.  Modern trends in the regulatory framework of the information security compliance assessment in Russia based on common criteria , 2015, SIN.

[54]  Gerald J. Popek,et al.  Encryption and Secure Computer Networks , 1979, CSUR.

[55]  Seungjoo Kim,et al.  How to Obtain Common Criteria Certification of Smart TV for Home IoT Security and Reliability , 2017, Symmetry.

[56]  Mohsen Guizani,et al.  Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications , 2015, IEEE Communications Surveys & Tutorials.

[57]  Jian-hua Li,et al.  Cyber security meets artificial intelligence: a survey , 2018, Frontiers of Information Technology & Electronic Engineering.

[58]  Mauro Conti,et al.  Key Management Systems for Smart Grid Advanced Metering Infrastructure: A Survey , 2018, IEEE Communications Surveys & Tutorials.

[59]  Marcos Augusto M. Vieira,et al.  Survey on wireless sensor network devices , 2003, EFTA 2003. 2003 IEEE Conference on Emerging Technologies and Factory Automation. Proceedings (Cat. No.03TH8696).

[60]  Alan Calder Cyber Essentials: A Pocket Guide , 2016 .

[61]  Xiaohong Li,et al.  FESR: A Framework for Eliciting Security Requirements Based on Integration of Common Criteria and Weakness Detection Formal Model , 2017, 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS).

[62]  Ping Wang,et al.  On the Challenges in Designing Identity-Based Privacy-Preserving Authentication Schemes for Mobile Devices , 2018, IEEE Systems Journal.

[63]  Zhaoyi Wei,et al.  Emerging Issues in Cloud Storage Security: Encryption, Key Management, Data Redundancy, Trust Mechanism , 2014 .

[64]  Samuel Paul Kaluvuri,et al.  A Quantitative Analysis of Common Criteria Certification Practice , 2014, TrustBus.

[65]  Jack R. Meredith,et al.  Core Concepts , 2006, Communicating in Risk, Crisis, and High Stress Situations.

[66]  Ahmad-Reza Sadeghi,et al.  Modeling Trusted Computing Support in a Protection Profile for High Assurance Security Kernels , 2009, TRUST.

[67]  Deepak Choudhary,et al.  Internet of things: A survey on enabling technologies, application and standardization , 2018 .

[68]  Tanya L. Brewer,et al.  Guidelines for Smart Grid Cybersecurity , 2014 .

[69]  John Tierney,et al.  Common Criteria: Origins and Overview , 2017, Smart Cards, Tokens, Security and Applications, 2nd Ed..

[70]  Mehmet Kara,et al.  REVIEW ON COMMON CRITERIA AS A SECURE SOFTWARE DEVELOPMENT MODEL , 2012 .

[71]  A Perspective of the Common Criteria in Modern IT Business , 2002 .

[72]  Danna Zhou,et al.  d. , 1840, Microbial pathogenesis.

[73]  Ken Wong Data protection law , 1984 .

[74]  Sam Weber,et al.  Lessons Learned: Building the Caernarvon High-Assurance Operating System , 2011, IEEE Security & Privacy.

[75]  Ana C. R. Paiva,et al.  A Brief Overview of Existing Tools for Testing the Internet-of-Things , 2018, 2018 IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW).

[76]  Pål Spilling,et al.  A survey of key management in ad hoc networks , 2006, IEEE Communications Surveys & Tutorials.

[77]  Kristian Beckers,et al.  A Problem-Based Threat Analysis in Compliance with Common Criteria , 2013, 2013 International Conference on Availability, Reliability and Security.

[78]  Vasant Raval,et al.  PCI DSS: Payment Card Industry Data Security Standards in Context , 2008, Comput. Law Secur. Rev..

[79]  Katherine M. Shelfer,et al.  Smart card evolution , 2002, CACM.

[80]  Carole-Jean Wu,et al.  A study of mobile device utilization , 2015, 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS).

[81]  Won Kim,et al.  Relational Database Systemsr , 1979, CSUR.

[82]  Alexander V. Lyubimov,et al.  Ontology-based analysis of information security standards and capabilities for their harmonization , 2010, SIN.

[83]  Debra S. Herrmann,et al.  Using the Common Criteria for IT Security Evaluation , 2002 .

[84]  Rui Zhang,et al.  Security and Privacy on Blockchain , 2019, ACM Comput. Surv..

[85]  Agustí Verde Parera,et al.  General data protection regulation , 2018 .

[86]  Christoph Schmittner,et al.  Status of the Development of ISO/SAE 21434 , 2018, EuroSPI.

[87]  Design Plan of Secure IoT System based Common Criteria , 2017 .

[88]  Randy H. Katz,et al.  Core Concepts, Challenges, and Future Directions in Blockchain , 2020, ACM Comput. Surv..

[89]  Rolf Oppliger,et al.  Does trusted computing remedy computer security problems? , 2005, IEEE Security & Privacy Magazine.

[90]  Georges Ataya,et al.  PCI DSS audit and compliance , 2010, Inf. Secur. Tech. Rep..