Although initially focused on industrial automation, this set of cyber security standards has also been adopted by the energy sector, since it provides a methodology for applying security in operational and field environments for cyber-physical systems. It can be used in conjunction with the ISO/IEC 27000 series (in particular with ISO/IEC 27019 for the energy domain) and with IEC 62351, which provides some security solutions.
For suppliers the requirements are set at the component level:
Common Criteria is meant to be applicable to any product. The standard provides catalogues of functional requirements and of assurance requirements that specify how a product should be evaluated.
Common Criteria has been applied in the electricity sector in two protection profiles for smart metering. The German national security authority, BSI, has developed a protection profile for smart metering gateways, and ESMIG has developed a protection profile for smart meters.
Common Criteria provides a workable way:
The essence of the methodology is to analyze the documentation and, in certain cases, the source code before and during the vulnerability assessment phase of the target. This way a greater set of flaws can be identified and then corrected, because we gain a more detailed knowledge of how the target in scope works.
Based on the deficiencies/vulnerabilities found, we perform a "generalization" of the errors, provide recommendations on how to eliminate or correct them, and perform a re-check.
A wide range of services are available: