Why Common Criteria is crucial for critical infrastructures
Ensuring cybersecurity is becoming increasingly crucial for critical infrastructures, meaning the bodies and agencies that perform essential strategic functions such as interior affairs, defense, or energy. These entities run complex and interconnected computer systems that must be safeguarded to today's highest security standards. If these systems are compromised, the damage extends beyond the organization providing the service to the public and to businesses. According to research by the Digital Innovation Observatory of the Politecnico di Milano, participating in a supply chain that includes critical infrastructures increases a company's exposure to cyber-attacks. In this context, the Common Criteria, the most widely adopted international standard for evaluating the security of IT products used in critical infrastructures, play a crucial role.
What is Common Criteria?
The Common Criteria (formally ISO/IEC 15408) is the international standard for evaluating and certifying the security of IT hardware and software products available on the market. It consists of a catalogue of security functional requirements, a catalogue of assurance requirements, and an accompanying evaluation methodology (the Common Evaluation Methodology, CEM) against which an independent, accredited laboratory evaluates a product; the evidence is reviewed by a national certification body, which issues the certificate. This structure was developed to provide a shared and uniform approach worldwide to assessing the security of IT products. Countries adhering to the Common Criteria can require certified products for their critical infrastructures and thereby obtain documented assurance about data protection, including access management, confidentiality, integrity, and other critical aspects of information security.
The Common Criteria framework consists of 3 pillars:
-
Protection Profile (PP). This implementation-independent technical specification describes the security requirements for a class of IT products (for example, firewalls, smart cards, or operating systems), not for one specific product. These requirements may cover authentication, access control, data protection, key management, resistance to identified threats, and so on. The product-specific counterpart of a PP is the Security Target (ST), which the vendor writes for its own product and which may claim conformance to one or more PPs.
-
Evaluation Assurance Level (EAL). This defines how deeply and rigorously the product is evaluated. EALs range from 1 to 7, where EAL 1 is the lowest level and EAL 7 the highest; each level adds assurance requirements such as more detailed design documentation, independent functional testing, and more thorough vulnerability analysis. A higher EAL does not mean that the product offers stronger security functionality, only that greater confidence has been obtained that the functionality claimed in its Security Target is implemented correctly.
-
Target of Evaluation (TOE). This is the specific product, or the specific part of a product, that is the subject of evaluation and certification. The TOE can be any system element (such as a software application, hardware device, operating system, etc.), and a certificate applies only to the exact version and configuration of the TOE that was evaluated.
Common Criteria: how the market is changing
The spread of an international standard on a critical issue such as cybersecurity offers significant guarantees for the protection of critical infrastructure. Consider, for example, the ability to evaluate products and solutions against the same yardstick worldwide, or the increased interoperability between different systems and products that follow common guidelines. At the same time, Common Criteria certification can bring several tangible benefits:
-
Public administration (PA) market access. Many government organizations require products to hold a Common Criteria certificate. Certification can facilitate access to these markets, as it is increasingly a requirement to participate in public tenders or to be considered an eligible vendor.
-
Improved reputation. Achieving Common Criteria certification can increase customer confidence in the supplier, demonstrating a commitment to product security and quality.
-
International recognition. Common Criteria is a globally recognized framework for evaluating and certifying the security of IT products. Under the Common Criteria Recognition Arrangement (CCRA), certificates issued in one member country are recognized by the others, which can make a product more internationally acceptable and open up more business opportunities. Note that mutual recognition has limits: the CCRA recognizes certificates based on collaborative Protection Profiles and those up to EAL 2, while the European SOG-IS agreement extends recognition to higher levels, so the intended market should be considered when choosing the evaluation scope.
-
More robust software. The assurance requirements of the Common Criteria, such as documented design, independent testing, configuration management, and vulnerability analysis, tend to produce more robust software. This benefits both customers and suppliers.
-
Competitiveness. A Common Criteria-certified product has a significant advantage over non-certified competitors, especially in sectors where security is paramount.
An organization committing to a Common Criteria certification path is making a strategic choice, as it is a structured activity involving several parts of the organization. Certification cannot therefore be seen as a one-off initiative, but rather as a structured, ongoing process that must take into account several factors:
-
Organization. It is essential to establish a team that is highly specialized and competent in the field of IT security. The team should be responsible for managing the certification process and preparing the necessary documentation, starting with the Security Target and extending to the design, testing, and life-cycle evidence required at the chosen EAL.
-
Time frame. The Common Criteria certification process typically takes 12 to 18 months to complete, depending on the chosen EAL, the maturity of the product's documentation, and the laboratory's availability.
-
Training. People involved in the process need to acquire specific and in-depth IT security and Common Criteria skills.
-
Laboratory turnaround time. Collaboration with the laboratories performing the evaluations is essential. However, laboratory turnaround times can vary and must be factored into the overall planning.
-
Product release and certification process. It is important to plan product releases carefully so that the necessary security requirements are built in from the outset. Because a certificate covers only the evaluated version of the TOE, significant changes to the product may require a new evaluation, while minor changes can often be handled through the assurance continuity (maintenance) process defined by the certification scheme.
The constant evolution of technology brings with it the risk of exposure to new cybersecurity threats. In a rapidly changing digital ecosystem, institutional and corporate decision-makers need to anticipate cybersecurity challenges. This means making structural investments to create dedicated teams and stable processes that maintain a high level of protection for sensitive information. In this context, the Common Criteria are a valuable resource that enables institutions, organizations, and companies worldwide to select or deploy hardware and software platforms that have been independently evaluated against explicitly stated security requirements. In an increasingly interconnected society, this provides a secure foundation for building a more secure community and a more robust business.