Standards on Cybersecurity

Cybersecurity Standards: European and International standards supporting cybersecurity and the voluntary application of Regulation (EU) 2019/881 on ENISA and on information and communications technology cybersecurity certification (Cybersecurity Act)

Related standards or drafts (each entry gives the project title, its stage code, and the responsible technical committee):

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Framework for the specification of evaluation methods and activities (ISO/IEC 15408-4:2022)

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 5: Pre-defined packages of security requirements (ISO/IEC 15408-5:2022)

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)

60.60 Standard published

CEN/CLC/JTC 13
CEN/CENELEC

Fixed-time cybersecurity evaluation methodology for ICT products

60.60 Standard published

CEN/CLC/JTC 13
CEN/CENELEC

Security Evaluation Standard for IoT Platforms (SESIP). An effective methodology for applying cybersecurity assessment and re-use for connected products.

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2022)

60.60 Standard published

CEN/CLC/JTC 13

General requirements for the competence of testing and calibration laboratories (ISO/IEC 17025:2017)

60.60 Standard published

CEN/CLC/JTC 1

Conformity assessment - Requirements for bodies certifying products, processes and services (ISO/IEC 17065:2012)

60.60 Standard published

CEN/CLC/JTC 1

Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 1: Evaluation for ISO/IEC 15408

60.60 Standard published

ISO/IEC JTC 1/SC 27

Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 2: Testing for ISO/IEC 19790

60.60 Standard published

ISO/IEC JTC 1/SC 27

Information security, cybersecurity and privacy protection - Information security controls (ISO/IEC 27002:2022)

60.60 Standard published

CEN/CLC/JTC 13

Information security, cybersecurity and privacy protection — Guidance on managing information security risks

60.60 Standard published

ISO/IEC JTC 1/SC 27

Security for industrial automation and control systems - Part 3-2: Security risk assessment for system design

60.60 Standard published

CLC/TC 65X

Security for industrial automation and control systems - Part 4-1: Secure product development lifecycle requirements

60.60 Standard published

CLC/TC 65X

Cyber-attacks on critical infrastructure, such as power plants or hospitals, can significantly impact people's physical welfare and their ability to carry out basic activities. The security of these systems, separately from their broader IT systems, is ensured by Operational Technologies (OT), which supervise the correct performance of automated tasks such as shutting down a generator to prevent a blackout or closing a valve to avoid a chemical overflow.

Cybersecurity is an important topic for connected devices and systems. ISO, IEC, CEN and CENELEC standards support cybersecurity and the application of the Cybersecurity Act.

European and International standards support the application of the Cybersecurity Act and the associated implementing legislation in Europe.

The line between Information Technology (IT) and Operational Technology (OT) has been blurred by the Industrial Internet of Things (IIoT), which connects physical machines to networked sensors and software. This connectivity and interaction have increased the potential entry points for cybercriminals, hence the need for a defence strategy that covers both IT and OT environments.

Standards have been developed to protect information and ICT systems. They include a methodology for capturing security requirements, information security management, and multiple security mechanisms. Such standards offer guidelines for security controls, security services, and the management of information security systems. They also cover areas such as cryptographic and other security mechanisms, the security aspects of identity management, and conformity assessment. Organizations must therefore follow these standards to ensure the integrity of their IT and OT systems and to minimize the risk of cyber-attacks. They span areas from the cybersecurity evaluation methodology for ICT products to supplier relationships in cybersecurity, health informatics cybersecurity, IoT security, and privacy requirements.

These stringent standards are a vital tool in the ongoing fight against cybercrime, providing clear guidelines for protecting the IT and OT environments within our critical infrastructure. Some of these standards partially address the Essential Requirements of the current proposal for the Cyber Resilience Act:
- Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks;
- Products with digital elements shall be delivered without any known exploitable vulnerabilities;
- On the basis of the risk assessment referred to in Article 10(2) and where applicable, products with digital elements shall:
  - be delivered with a secure by default configuration, including the possibility to reset the product to its original state;
  - ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems;
  - protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms;
  - protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions;
  - process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product ('minimisation of data');
  - protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks;
  - minimise their own negative impact on the availability of services provided by other devices or networks;
  - be designed, developed and produced to limit attack surfaces, including external interfaces;
  - be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques;
  - provide security related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions;
  - ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users.

Below you may find links to the European and International standards on cybersecurity.

Click on the links below to access the standards or information about them.
