Cabinet Louis Reynaud:
SSCP® Certification, evolutions & new challenges
"One of the next steps for SPAC® is to expand the scope of products assessed under the SSCP® certification framework"
Stéfane Mouille, Director of Cabinet Louis Reynaud.
Cabinet Louis Reynaud (CLR Labs) specializes in expert analysis of technology, standards and regulations in the area of digital trust and cybersecurity, and serves as a test and assessment lab for biometrics, digital security, and the SSCP® communication protocol promoted by SPAC®. Stéfane Mouille, Director of CLR Labs, talks about the process of implementing the SSCP® certification framework, next steps and the major challenges that need to be met in the security sector.
What have you done with SPAC® since it was launched?
When SPAC® was launched, we identified a real need to create sector-specific certification frameworks, especially for critical environments such as physical access control information systems. Logical and physical security players created the SPAC® alliance to set up compliance certification frameworks for the SSCP® protocol.
Assessing products from different manufacturers can pose issues with competition and data confidentiality linked to the possession of strategic information. The strength of SPAC® lies in the fact that we have all come together to lay the foundations for trust and move forward with the SSCP® protocol compliance certification framework. In this spirit, we certified 6 companies in late 2022 - ALCEA, ELSYLOG, OMNITECH SECURITY, SECURE Systems & Services, TIL TECHNOLOGIES and STid - and we are planning for more in the coming months.
What are the steps for certifying SSCP®-compliant products?
First you need to obtain an SSCP® protocol license from SPAC® Alliance, and then apply for an assessment by CLR Labs, which will perform the technical (compliance) tests and request certification from SPAC® Alliance. The company must then clearly define the assessment target (LPU, reader) and the level of certification (basic, substantial or high). Once the tests are completed, the assessment report is sent to the company. The SPAC® Alliance is then in a position to certify the product(s).
What do the different levels of certification involve?
In line with the EU Cybersecurity Act (CSA), SPAC® Alliance has defined 3 levels of certification that take the European approach into account, and incorporate the issues of manufacturers and end customers. The “basic” level tests whether the SSCP® protocol has been correctly implemented (simulation of replay and relay attacks, verification of “large number” generation for products used to generate secret keys, etc.). The “substantial” level incorporates ANSSI requirements as well, in particular for Transparent Data Encryption, while for the “high” level, we assess and certify the production firmware, i.e., the software used by end customers.
How do you see the future of the certification framework?
First, we are planning to expand the scope of products assessed under the SSCP® certification framework to include simple products that use LEDs, for example, and more complex ones such as IoT products serving Industry 4.0. This is a natural progression based on convergence between the issue of securing physical access controls and IoT systems!
The next important step is to work with SPAC® to make the framework compliant with the international requirements of ISO 17065. The goal is for the SPAC® Alliance to become a Conformity Assessment Body (CAB) under mutual agreements for conformity certificates, in order to gain recognition of the excellence of the certification framework! In the same vein, CLR Labs is in the process of obtaining COFRAC accreditation under ISO 17025 for assessment laboratories working alongside CABs.
What security challenges are we facing?
The first challenge is to make manufacturers aware of the need to introduce the concept of “security by design” right from the start of product development. This is already done by SPAC® members and people involved in SSCP® protocol certification, but the approach needs to be systematic, right from the specifications phase for future products or services.
Another key issue is that more and more services are being provided using the SaaS (Software/Infrastructure as a Service) model. But to what extent can we trust cloud services? It is important to ensure that they are governed exclusively by European law and that no other outside laws apply. This is a key security issue and a major concern for Europe. That’s why ENISA has been tasked with preparing a European cybersecurity certification framework for cloud services. ANSSI is leading a similar project in France with SecNumCloud certification, which ensures that the organizations operating these clouds have the right level of security and that only European law applies. It's a comprehensive approach to European sovereignty and strategic autonomy!
Last but not least, the European NIS 2 Directive comes into force in the 2nd half of 2024! While NIS 1 created the concept of operators of essential services, NIS 2 will extend the principle of transfer of responsibility. Operators of essential services will transfer their obligations to their sub-contractors (small and medium-sized businesses), thereby creating a virtuous circle.