Ref. Ares(2017)6228114 - 19/12/2017
X2Rail-1
Project Title:
Start-up activities for Advanced Signalling
and Automation Systems
Starting date:
01/09/2016
Duration in months:
36
Call (part) identifier:
H2020-S2RJU-CFM-2015-01-1
Grant agreement no:
730640
Deliverable D8.1
Selection of the “Secure-by-design” standard
Due date of deliverable
Actual submission date
Organization name of lead contractor for this deliverable
Dissemination level
Revision
Month 09
17-07-2017
ALS
CO
TMT approval
Deliverable template version: 02 (09/11/16)
GA 730640
Page 1 of 57
X2Rail-1 WP8
Deliverable D8.1
Selection of the “Secure-by-design” standard
Authors
Author(s)
Contributor(s)
Alstom Transport S.A. (ALS)
DAZA PASTRANA, Francisco José
HAUSMAN, François
Bombardier Transportation Sweden AB (BTSE)
MARQUES, Tiago
AŽD Praha s.r.o (AZD)
PIDRMAN, Milan
ANSALDO STS S.p.a (ASTS)
SORRENTINO, Giovanni
CAF Signalling S.L. (CAF)
ERDOZAIN, Aitor
OLIVA, Mario
Deutsche Bahn AG (DB)
ESCHBACH, Benedikt
Siemens AG (SIE)
MCLELLAN, Craig
Kapsch (KCC)
BRUCKNER, Berhnhard
Network Rail Infrastructure Ltd. (NR)
HEPBURN, Darren
Fondation de Cooperation Scientifique Railenium (RAILENIUM)
GRANSARD, Christophe
Société Nationale des Chemins de fer Français (SNCF)
GARNIER, Yseult
Trafikverket (TRV)
GAMELAS, Jorge
Thales Transportation Systems GmbH (TTS)
LUTZE, Claudia
GA 730640
Page 2 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
1. Executive Summary
The present document constitutes the first issue of Deliverable D8.1 “Selection of the ‘Secureby-design’ standard” in the framework of the project titled “Start-up activities for Advanced
Signalling and Automation Systems” (Project Acronym: X2Rail-1; Grant Agreement No 730640).
Secure-by-design means that the component has been designed from the ground up to be
secure. Malicious behaviours against the system are taken for granted and a particular attention
must be paid to minimize impact when a security vulnerability is discovered or on invalid inputs.
Defining a “Secure-by-design” framework for the railway domain has been considered as a key
building block for establishing and assuring security capabilities in the future Railway Security
Architecture.
This deliverable focuses on:
1. Establishing a list of objectives and criteria to assess the essential requirements to be
covered independently of the type of actor (Product Supplier, System Integrator,
Operator or Asset Owner).
2. Identifying and presenting the most relevant parts of the candidate standards able to
cover or be adapted into a Railway Application environment.
3. The compliance of each proposed standard against the agreed evaluation criteria.
Finally, a rationale for the chosen standard framework (ISA/IEC 62443) regarding thoroughly
cyber security aspects is provided.
The choice of the standard framework resulted from this analysis will be used as basis for a
railway dedicated secure-by-design standard that may be amended to take into account railway
specific aspects (e.g. safety, life-cycle, etc.) during the development of railway components.
GA 730640
Page 3 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
2. Table of Contents
1.
EXECUTIVE SUMMARY ..............................................................................................................................3
2.
TABLE OF CONTENTS .................................................................................................................................4
3.
ABBREVIATIONS AND ACRONYMS .............................................................................................................6
4.
BACKGROUND ..........................................................................................................................................7
5.
OBJECTIVE / AIM ......................................................................................................................................8
6.
OVERVIEW ON SECURITY STANDARDS AND FRAMEWORKS ........................................................................9
6.1.
6.2.
6.3.
6.4.
6.5.
6.6.
6.7.
7.
SURVEY OF FRAMEWORK CANDIDATES ................................................................................................... 17
7.1.
7.2.
7.3.
7.4.
7.5.
7.6.
7.7.
7.8.
7.9.
7.10.
8.
IEC/ISA 62443-4 ........................................................................................................................................... 11
ISO/IEC 15408: COMMON CRITERIA ................................................................................................................. 11
ISO/IEC 27034 .............................................................................................................................................. 12
NIST STANDARDS AND NIST CYBER SECURITY FRAMEWORK (CSF) ........................................................................... 13
ANSSI ........................................................................................................................................................... 14
MICROSOFT SDL (VERSION 5.2) ......................................................................................................................... 15
CODING RULE STANDARDS.................................................................................................................................. 15
EVALUATION PROCESS ...................................................................................................................................... 17
EVALUATION CRITERIA ...................................................................................................................................... 17
EVALUATION RESULTS PER STANDARD .................................................................................................................. 19
ISA/IEC 62443-4 ........................................................................................................................................... 20
ISO 15408 (COMMON CRITERIA)....................................................................................................................... 21
ISO/IEC 27034 (INCLUDES 27001/2/5) ............................................................................................................ 22
NIST STANDARDS AND NIST CYBER SECURITY FRAMEWORK (CSF) ........................................................................... 23
ANSSI ........................................................................................................................................................... 24
MICROSOFT SDL.............................................................................................................................................. 25
CODING RULES................................................................................................................................................. 26
CONCLUSION .......................................................................................................................................... 28
APPENDIX A – REFERENCES ............................................................................................................................. 29
9.
APPENDIX B – FURTHER INFORMATION ABOUT STANDARDS .................................................................... 30
9.1.
ISA/IEC 62443-4 ........................................................................................................................................... 30
9.1.1.
Scope of the standard ........................................................................................................................ 30
9.1.2.
Target audience ................................................................................................................................. 30
9.1.3.
Framework focus................................................................................................................................ 30
9.1.4.
Type of requirements ......................................................................................................................... 31
9.2.
ISA/IEC 15408 .............................................................................................................................................. 34
9.2.1.
Scope of the standard ........................................................................................................................ 34
9.2.2.
Target audience ................................................................................................................................. 38
9.2.3.
Framework focus................................................................................................................................ 38
9.2.4.
Type of requirements ......................................................................................................................... 38
GA 730640
Page 4 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.3.
ISO/IEC 27034 (INCLUDES ISO/IEC 27001/2/5) ............................................................................................... 39
9.3.1.
Scope of the standard ........................................................................................................................ 39
9.3.2.
Target audience ................................................................................................................................. 41
9.3.3.
Framework focus................................................................................................................................ 41
9.3.4.
Type of requirements ......................................................................................................................... 42
9.3.5.
ISO/IEC 27001/2/5 ............................................................................................................................. 42
9.4.
NIST CSF & OTHER NIST STANDARDS ................................................................................................................ 44
9.4.1.
Scope of the standard ........................................................................................................................ 44
9.4.2.
Target audience ................................................................................................................................. 46
9.4.3.
Framework focus................................................................................................................................ 47
9.4.4.
Type of requirements ......................................................................................................................... 47
9.5.
ANSSI ........................................................................................................................................................... 49
9.5.1.
Scope of the standard ........................................................................................................................ 49
9.5.2.
Target audience ................................................................................................................................. 50
9.5.3.
Framework focus................................................................................................................................ 50
9.5.4.
Type of requirements ......................................................................................................................... 50
9.6.
MICROSOFT SDL.............................................................................................................................................. 51
9.6.1.
Scope of the standard ........................................................................................................................ 51
9.6.2.
Target audience ................................................................................................................................. 52
9.6.3.
Framework focus................................................................................................................................ 52
9.6.4.
Type of requirements ......................................................................................................................... 52
9.7.
CODING RULES................................................................................................................................................. 53
9.7.1.
Scope of the standard ........................................................................................................................ 53
9.7.2.
Target audience ................................................................................................................................. 54
9.7.3.
Framework focus................................................................................................................................ 54
9.7.4.
Type of requirements ......................................................................................................................... 55
10.
APPENDIX C – COMMENTS .................................................................................................................. 57
GA 730640
Page 5 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
3. Abbreviations and acronyms
Abbreviation / Acronyms
ANSSI
ASC
ASMP
CAP
CC
CERT
COTS
CWE
CSF
EAL
FW
HW
IACS
ICS
IEC
IEEE
ISA
ISO
JPL
MISRA
NIST
O#
PP
R&D
SAR
SDL
SEI
SFR
SL-C
SL-T
ST
SW
TOE
TS
V&V
GA 730640
Description
Agence National de la Sécurité des Systèmes d’Information
(National Agency for Security in Information Systems)
Application Security Control
Application Security Management Process
Composed Assurance Packages
Common Criteria (ISO/IEC 15408)
Computer Emergency Response Team
Commercial Off-The-Shelf
Common Weakness Enumeration
Cyber Security Framework
Evaluation Assurance Level
Firmware
Hardware
Industrial Automation and Control System
Industrial Control System
International Electrotechnical Commission
Institute of Electrical and Electronics Engineers
International Society of Automation
International Organization for Standardization
Jet Propulsion Laboratory (of NASA)
Motor Industry Software Reliability Association
National Institute of Standards and Technology
Objective number: #
Protection Profile
Research & Development
Security Assurance Requirement
Secure Development Lifecycle
Software Engineering Institute
Security Functional Requirement
Security Level Capability
Security Level Target
Security Target
Software
Target Of Evaluation
Technical Specification
Verification and Validation
Page 6 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
4. Background
The present document constitutes the first issue of Deliverable D8.1 “Selection of the ‘Secureby-design’ standard” in the framework of the Project titled “Start-up activities for Advanced
Signalling and Automation Systems” (Project Acronym: X2Rail-1; Grant Agreement No 730640).
This memo describes the process for the choice of the “secure-by-design” standard framework
by evaluating some of the most common standards, guidelines and best practices in cybersecurity from several international and national organisms, putting special emphasis onto
industry-oriented publications.
The choice of the standard framework resulting from this analysis will be used as basis for
railway dedicated secure-by-design standard that may be amended to take into account railway
specific aspects (e.g. safety, life-cycle, etc.) during the development of railway components.
GA 730640
Page 7 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
5. Objective / Aim
“Security is better built in, not bolt on” is a common and acknowledged statement in the security
domain, that aims to underline the experience of past years that components best can ensure
availability, integrity and confidentiality of data and functions when security is considered from
the ground up.
In general the term secure-by-design encompasses a framework of good design principles,
patterns, processes, functional requirements and many more that enables developers to design,
build and maintain components in a way that security is embedded in each stage of the
development, resulting in a product that is – secure by its design –. Applying secure-by-design
frameworks in a larger domain contributes to establish and improve the security footprint of a
system and furthermore helps to avoid most of today’s security pitfalls.
With respect to the railway applications domain such a comprehensive, unified security
framework providing guidance and best practices for railway suppliers does not yet exist. In the
same way as for railway-specific developments, and in particular with the trend to utilize nonrailway-dedicated building blocks such as open protocols, libraries and COTS software and
hardware to build railway specific applications, it is evident that this shortcoming has to be
tackled.
For that reason, defining a secure-by-design framework for the railway domain has been
considered as a key building block for establishing and assuring security capabilities in the future
Railway Security Architecture. The objectives for establishing the secure-by-design standard
framework have been aligned and defined as follows:
(O1) Define a framework of requirements and processes for development, deployment and
maintenance of railway components from its design.
(O2) Ensure that railway components follow the defence-in-depth principle.
(O3) Ensure that security is considered with respect to the threat landscape.
(O4) Ensure a systematic approach to develop and validate security requirements.
(O5) Ensure a systematic approach to assess and manage security defects during lifecycle.
(O6) Ensure clear requirements and responsibilities among stakeholders.
(O7) Ensure coherence with future Railway Security Architecture.
(O8) Ensure a systematic approach to assess the quality assurance level of security
requirements implementation.
GA 730640
Page 8 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
(O9) Allow defining several security levels depending on the level of protection provided by the
system under examination and provide an approach to assess it.
6. Overview on security standards and frameworks
Today the market offers a continuously growing number of security standards and frameworks
in different industries. To analyse and compare different standards and frameworks it has to be
considered that they differ quite significantly in the way they are tackling the security challenge.
A first key in the comparison is to analyse the target audience. The audience, or target scope of
the standard, can range from general companies to enterprises in a specific industry and
furthermore on the organisation level they are focusing on (e.g. specific organisational groups
or divisions such as R&D, Risk Management, Product Development, IT Operations, etc.).
A second key in the comparison is to evaluate the type of requirements a standard is providing
to the target audience. From a requirements perspective, a standard can guide the user with
organisational, procedural and/or product/functional requirements, while the framework focus
provides information about the type of organisation that such requirements are addressed to.
The standards and frameworks evaluated have been developed with certain ways at looking at
the security challenge that has to be considered during the assessment. The different aspects in
which the analyses of the standards have been based on are:
Framework Focus:
Frameworks operate on different levels and may provide guidance for different aspects within
an organisation. Depending on the covered scope, a framework can be categorized as follows:




Organisational Level:
Frameworks considering security activities on a holistic, enterprise-wide scope.
Operational System Level:
The focus of a framework is narrowed down to an operational subsystem or
operational process.
Product/Component Level:
The way of looking is limited to the boundaries of product or component.
Technology Level:
Compared to other levels those frameworks have been built around a certain
technology.
Type of Requirement:
A standard or framework provides guidance in the form of requirements for an organization or
user. Depending on the type and nature, those requirements can be categorized as follows:
GA 730640
Page 9 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard



Organisational Requirements:
Requirements that address the organisational framework conditions and governs
the implementation of security activities.
Procedural Requirements:
Contains requirements such as methodologies that must be followed and/or
constraints that an organisation has to follow.
Product/Component Requirements:
Concludes requirements in terms of features, functionalities, behaviours, etc.
This evaluation is summarised in the following figure, where the standards and frameworks
have been represented in function of the scope of their requirements:
Type of Security Requirement
Organisational
Procedural
Product/Component
Framework Focus
Organisational
Level
Operational system
Level
ANSSI
ISO/IEC 27034
NIST
ISO/IEC 62443-4
Product /
Component
Level
ANSSI
ISO/IEC 15408 (Common Criteria)
Secure by design
framework scope
Microsoft SDL
Coding Rules
Coding Rules
Technology Level
International Standards or Frameworks
National Standards, Frameworks or Practices
Company or Industry Practices
Fragmented Standards, Frameworks or Practices
Figure 1 – Coverage of candidate standards against “Secure-by-design” framework scope
As the secure-by-design standard encompasses a framework of good design principles, patterns,
processes, functional requirements and many more that enables developers to design, build and
maintain a secure component/product, the main scope for the secure-by-design standard is to
cover the procedural and product/functional requirements in the context of the
component/product or of the system in operation.
The following sections give a brief overview on a selected list of standards.
GA 730640
Page 10 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
6.1. IEC/ISA 62443-4
IEC/ISA 62443 is a multi-part standard where the part four is the goal of our assessment. ISA/IEC
62443-4 is divided in two parts: ISA/IEC 62443-4-1 – “Secure product development
requirements” and ISA/IEC 62443-4-2 – “Technical security requirements for IACS systems”.
While IEC/ISA 62443-4-1 focuses in defining the overall requirements for an industrial system
during a product development lifecycle, IEC/ISA 62443-4-2 provides the detailed technical
system requirements (SRs) for IACS. Although ISA/IEC 62443-4 parts are focused on product
suppliers, the whole framework standard (ISA/IEC 62443-X) covers other aspects that should be
taken into account to have a deeper understanding of the integration of the components into
the system (ISA/IEC 62443-3), as well as their impact at global and operational level (ISA/IEC
62443-1/2).
The goal of IEC/ISA 62443-4 is to provide a framework to address a secure-by-design, defencein-depth approach from its process level to conceive, build, maintain and retire industrial
automation and control products and systems. Application of the framework is intended to
provide confidence that the component, product or system has built-in security capabilities to
reach its expected security level throughout the product’s life-cycle.
The target audience for the development and maintenance of railway security components are
product suppliers (for part 4-1), in particular software development teams for who the standard
specifies a secure development life-cycle (SDL) encompassing security requirements, definition,
secure design and implementation (including coding rules), V&V, defect and patch management,
and product phase-out. This standard provides the process necessary for the product
development from the beginning of its life cycle and introduces security specific measures both
at organizational and technical levels throughout its different phases, providing so the inherent
security sought in the security standards under consideration.
This part of the standard does not address technical design, installation or operation of the
industrial control system component, rather intends to help implementing a lifecycle under the
secure-by-design principles at product/component level. In addition, the requirements
proposed help to align the development process of a product with the strong security needs of
industrial users such as component providers, asset owners, system integrators and
maintenance contractors.
6.2. ISO/IEC 15408: Common Criteria
The ISO/IEC 15408 standard, widely known as Common Criteria (CC), is a framework that guides
in the security assessment of IT products. The system subject to the assessment is defined in CC
as Target of Evaluation (TOE). A TOE is further defined as a set of software, firmware and/or
GA 730640
Page 11 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
hardware possibly accompanied by guidance. A Security Target (ST) is a complete and rigorous
description of a security problem for a certain TOE; it contains among other aspects, the TOE
description, threats, assumptions, security objectives, security requirements, and rationales.
Another important aspect of CC is the Protection Profiles (PP). Whereas an ST always refers to a
specific TOE (specific product), a PP is intended to describe a TOE type (e.g. a firewall). The same
PP may therefore be used as a template for many different STs. In the definition of the ST,
conformance to a certain PP can be addressed.
Security requirements in CC are divided into two groups: the Security Functional Requirements
(SFR) and the Security Assurance Requirements (SAR). The firsts are technical requirements to
be addressed by the TOE in order to counter the threats and fulfil the security objectives. The
SARs, on the other hand, define activities to be carried out to provide assurance in the
correctness of the TOE, i.e. their fulfilment help in reducing vulnerabilities in the TOE by a
correctly defined development process. It is worth highlighting that measures regarding the
operational environment are not addressed in these requirements and consequently the
ISO/IEC 15408 does not consider assessment of those measures; however, it does specify that
such operational environment measures –even if not assessed– should be defined among the
security objectives to be described in the ST.
The ISO/IEC 15408 is divided into three parts. The first part (ISO/IEC 15408-1) contains the
introduction and defines the general model (ST, PP, etc.). The second part (ISO/IEC 15408-2),
defines the set of all the SFR, whereas the third part (ISO/IEC 15408-3) is reserved for the SAR.
Some of the aspects and requirements related to the Security-by-design concept are located in
the third part of the standard.
In summary, ISO/IEC 15408 standard defines a model at organizational and procedural level to
create Protection Profiles which will gather the necessary security requirements for the product
assessed.
6.3. ISO/IEC 27034
ISO/IEC 27034 is a multi-part standard aiming at defining processes for considering security
along the application lifecycle that are in line with other standards of the ISO/IEC family. Rather
than outlining precise security control requirements, this multi-part standard provides
processes to develop a set of Application Security Controls (ASC) called “ASC Library” that
depends on the business, regulatory and technological context of the application. An ASC is
defined, according to the standard, as a data structure containing a precise enumeration and
description of a security activity and its associated verification measurement to be performed at
a specific point in an application's life cycle.
GA 730640
Page 12 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
The requirements and processes specified in ISO/IEC 27034 are not intended to be implemented
in isolation but rather integrated into an organization's existing processes. It introduces
definitions, concepts, principles and procedures involved in application security in order to
establish an Application Security Management Process (ASMP) for an organization. Due to the
detachment with any software life cycle, the ISO/IEC 27034 “Life cycle reference model” is
rather an organisation-specific “software assurance programme” than a proper development
software life cycle. It is aimed at architects, analysts, programmers, testers, IT teams, data base
administrators, etc., who need to know when and which ASCs should be applied, who integrate
ASCs in their activities, who assure that ASCs meet the requirements of associated
measurements, who get access to tools and best practices and who facilitate peer review. It can
also be used by auditors, in order to know the scope and process of verification measurements
for the corresponding ASC.
ISO/IEC 27034 is part of the well-known ISO/IEC 27k series focusing in “Application Security”
and relies on ISO/IEC 27001 for describing the key concepts and security requirements, on
ISO/IEC 27002 for specifying the ASCs and on ISO/IEC 27005 for defining the risk assessment
methodology of the applications. In summary, regarding the secure-by-design scope and due to
the detachment with any software life-cycle, ISO/IEC 27034 “Life cycle reference model” is
rather an organisation-specific “software assurance programme” than the proper secure
development life cycle sought on this study.
6.4. NIST Standards and NIST Cyber Security Framework (CSF)
The “National Institute of Standards and Technology” (NIST) provides a set of publications and
frameworks that are applied to technology. One of the largest areas within NIST is the
Computer Security division. Security publications are split into 3 subsets which have been
reviewed by the X2Rail WP8 group. These are:



SP 800 Series – Computer Security
SP 1800 Series – NIST Cyber Security Practice Guides
SP 500 Series – Computer Systems Technology
Although there are many publications, it became apparent on the review which standards
would be relevant to this work package. Appendix B details a full assessment of the specific
standards and gives an outline on what each standard or publication articulates.
The conclusion from the analysis of this section is that there is a considerable amount of
information detailed within NIST. Each of the standards or publications brings benefit in some
way; however there is no single standard or publication that would be fully applicable to the
work that is being carried out within WP8. NIST publications and standards do provide a good
GA 730640
Page 13 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
level of information detail, although not all of it is relevant to European standards, regulations
and legal requirements. However, upon review and discussion it was agreed that elements of
the NIST library could be used to further develop the secure-by-design framework by
complementing the chosen standard framework if required.
The other element of NIST considered is the NIST Cyber Security Framework (CSF). This
document sets out how organisations could mature in defining levels of security based around
an approach of: Identify, Protect, Detect, Respond and Recover. These key concepts of cyber
security maturity would allow organisations to reference different standards and how they
relate to the key areas identified above and ensure that systems are being protected
appropriately during their whole life cycle.
6.5. ANSSI
ANSSI is the national cybersecurity agency of France. As a national authority, ANSSI reports to
the “Secretary General for Defence and National Security” (“Secrétaire Général de la Défense et
de la Sécurité Nationale” - SGDSN). The SGDSN assists the Prime Minister in fulfilling his
responsibilities in matters of national defence and security. There is no standard as such that
ANSSI has developed specifically for the railway industry. Depending on the nature of the
industrial activity the set of regulations and security rules are different.
The documents of ANSSI are intended for Security Managers, Security Administrators, Auditors,
Developers and Suppliers. ANSSI does not publish any security framework either; it does
however publish sets of regulations, best practices and guidelines that can be used
independently based on the needs of the organisations.
The focus of ANSSI spreads from security management activities to more technical activities
such as network level configurations. As the documents of ANSSI are published as guidelines
and best practices, the requirements are very general (high-level) and the respective
organisations that intend to or must comply with the requirements of ANSSI and the French law
have the responsibility to define more detailed actions.
There are no requirements that ANSSI imposes, however according to the Military Program Act
(Loi de Programmation Militaire - LPM) there are mandatory requirements that Critical
Infrastructure Operators must comply with as is stated in the French law. These high-level legal
requirements include: Identification of critical infrastructure information systems according to
the criteria defined by ANSSI; Notify of security incidents that affect the critical infrastructure
operators; Compliance to predefined security rules defined by French legislation for each critical
infrastructure operators according to specific industry activity, and Auditing exercise by ANSSI in
GA 730640
Page 14 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
order to verify compliance of the security controls that will be conducted by ANSSI experts,
authorised government agencies or qualified suppliers.
The ANSSI also publishes best practice security rules that all critical infrastructure operators
must already have in place or have planned to implement in the future. These include:
Information security policy, Security qualification, Security architecture, Security assurance, Log
management, Detection mechanism, Incident management, Alert management, Crisis
management, Identity & Access management, Privilege management, Defence-in-depth and
Indicators. Most of these concepts can be found on a secure-by-design scope, but as stated
above, ANSSI does not address such principles in form of detailed requirements to be
implemented into a product development life-cycle.
6.6. Microsoft SDL (Version 5.2)
The Security Development Lifecycle (SDL) is a software development process by Microsoft that
helps companies, working (mainly) under a Microsoft development framework, to build more
robust software and address security compliance requirements through seven phases in which
security software practices are defined into the development lifecycle.
The Microsoft SDL framework is intended for the whole software development team. The key
principles for the framework are referred to as SD3+C – Secure by Design, Secure by Default,
Secure in Deployment and Communications. Each of the key principles imposes different
requirements in different phases on the development lifecycle.
From a secure-by-design point of view, the seven phases of the standard cover most of the
requirements necessary to develop a secure software product using a Microsoft development
framework. All these requirements aim to minimize security-related vulnerabilities in the design,
code, and documentation and to detect and eliminate vulnerabilities as early as possible in the
development life cycle. These improvements reduce the number and severity of security
vulnerabilities as well as improve the protection of users’ privacy. Together with the SDL
framework, Microsoft provides also tools able to check and assist in the different phases of the
lifecycle to detect, for example common vulnerabilities and coding errors.
6.7. Coding rule standards
The coding rule standards and technical specifications assessed for X2R WP8 should be
considered as guidelines and best practices into the coding phase of a complete software
development life cycle of product suppliers. Such standards, resources and tools, do not assure
that vendors, developers or manufacturers have developed a secure hardware, rather it shall be
considered as a guideline and support to encourage programmers to follow a uniform set of
GA 730640
Page 15 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
rules and best practices determined by the requirements of the project and organization, rather
than by the programmer’s familiarity or preference. Once established, these standards can be
used as a metric to evaluate source code (using manual or automated processes) to determine
compliance with the standard applied. Therefore, the main target audience for these coding
rules are Software Developers, Project Managers and Testers.
From all elements evaluated for the WP8 (specified in Appendix B of this document), the
technical specification ISO/IEC TS 17961:2013 “C secure” is probably the most spread reference
in secure development for C and C++ programming languages. Most of the standards and
guidelines in secure-coding cover, amend and/or map ISO/IEC TS 17961:2013.
The evaluation of “rules” as useful resources and guides in the coding phase of a secure-bydesign standard framework is divided into “Language standards”, “Secure development
standards, guidelines or technical specifications” and “Secure-coding analysis tools”: the first
establish the definition and requirements of a programming language; the second are focused
on ways to diagnose insecure code and/or provides best practices beyond the requirements of a
language standard in order to avoid known errors and attacks due to flaws in the code; and the
third are examples of software tools able to analyse written code in order to find common
errors, flaws and vulnerabilities automatically. This evaluation also references several wellknown organisms developing their own standards and best practices in coding, as NASA, CERT
or MISRA. Finally, it is mentioned the Common Weakness Enumeration (CWE) database as
currently is one of the main resources used by developers to keep track of new flaws and
vulnerabilities discovered in common devices and/or applications (COTS networking devices, OS,
etc.), therefore providing a “technological watch” in coding topics at product /component level.
GA 730640
Page 16 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
7. Survey of Framework candidates
7.1. Evaluation Process
The procedure pursued for the assessment of existent frameworks for a secure-by-design
standard is:
1. Establish a list of objectives and criteria to assess the essential requirements to be
covered independently of the type of actor (Product Supplier, System Integrator,
Operator or Asset Owner).
2. Identification and presentation of most relevant parts of the candidate standards able to
cover or be adapted into a Railway Application environment.
3. For each candidate standard, compare against the evaluation criteria proposed the level
of coverage in a Railway Application environment.
4. Finally, a rationale for the chosen standard/s regarding carefully cyber security aspects is
provided.
7.2. Evaluation Criteria
The following figure illustrates the product life-cycle considered for this evaluation and the
definition of evaluation criteria.
Figure 2 – V-Model from railway international standard EN50126. © CENELEC
To evaluate the landscape of available standards from international bodies and companies, a list
of criteria has been established to assess the completeness and overlaps of different concepts.
GA 730640
Page 17 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
The criteria listed below aim to set out key requirements on different technical and
organisational aspects and for different stakeholder – suppliers, integrators, operators and asset
owners - that act as a guidance throughout the selection of a secure-by-design standard.
Criteria
Criteria
Type
Objective
coverage
Description
Design and
Development
Development
Process
The proposed standard defines the requirements for the O1/O4/O7
complete design process, from the system design up to the
detailed implementation. These requirements should cover the
technical and organisational aspects and be hardware and
software independent.
Verification
and validation
Development
Process
The proposed standard defines the requirements applicable to O1/O4/O7
the verification and validation process of the security functions.
These requirements shall cover the technical and organisational
aspects and be hardware and software independent.
Security level
Product
Capability
The proposed standard defines several security levels reflecting O9
the level of protection provided by the system under
consideration.
Maturity level
Governance
The proposed standard defines several maturity levels for the O8
implementation of the security functions.
Defence-indepth
Product
Capability
The proposed standard implements, throughout the system, O2
multiple layers of security controls (defence).
Security defect
management
Operational
Process
The proposed standard defines the way to assess and manage
security defects discovered during the development cycle and
after. Both technical and organisational aspects should be
covered.
Patch
management
Operational
Process
The proposed standard defines the requirements applicable to O1/O5
patch management process in order to ensure the security
level. These requirements shall cover the technical or
organisational aspects.
Security
assessment
Governance
The proposed standard shall define or refer a way to assess the O9
security level of equipment.
GA 730640
O1/O3/O5
(threat
landscape
evolution)
Page 18 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Guideline/docu
mentation
Product
Capability
The proposed standard shall define the requirements in terms O1
of documentation and guideline to ensure the security of the
component during its complete life-cycle.
System
integration and
use
Product
Capability
The proposed standard shall consider the integration of the O6
secure components inside wider systems and sub-systems and
the way to exchange the information and exported security
requirements between the different stakeholders (provider,
integrator and final user).
Technological
watch
Governance
The proposed standard shall define requirements to ensure O3/O5
that:


the up-to-date recommended security practices are
implemented during development and maintenance
phases;
the up-to-date threat landscape and vulnerabilities are
used to perform the security assessment during
development and maintenance phases (periodically).
Protection
profile
Product
Capability
The proposed standard shall provide an implementation- O4
independent set of security requirements associated with a
family of products, often referred to as protection profile.
Product life
cycle
Governance
The proposed standard shall cover all life cycle phases from O1/O5
design to validation, as well as its deployment, maintenance
and decommissioning.
7.3. Evaluation Results per Standard
The standards have been evaluated based on the level of compliance against the criteria listed
above. The fulfilment grade is differentiated between:




OK: The standard under consideration covers the criterion as a whole.
High Level: The standard under consideration covers the criterion but without providing
in-depth approach.
Partial: The standard under consideration either covers partially the criterion, or the
criterion is only fulfilled for a part of the standard. Details about the coverage should be
provided in the “Remark column”.
Not OK: The standard under consideration does not take into account the criterion.
GA 730640
Page 19 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
7.4. ISA/IEC 62443-4
ISA/IEC
62443-4
Remarks
Design and Development
OK
ISA/IEC 62443-4-1 Practice 1 – Security management and Practice 3 –
Secure-by-design.
Verification and validation
OK
ISA/IEC 62443-4-1 Practice 1 – Security management and Practice 5 –
Security verification and validation testing.
Criteria
ISA/IEC 62443-1-1 defines the security levels (10.4) as a fundamental
concept (10).
Security level
OK
ISA/IEC 62443-3-2 defines security levels target (SL-T) for zones and
conduits.
ISA/IEC 62443-4-2 defines component requirements based on SLs, the
security capabilities (SL-C) for 4 different product types.
Maturity level
OK
ISA/IEC 62443-1-1 defines the maturity levels (10.2) as a fundamental
concept (10).
ISA/IEC 62443-4-1 implements the concepts of maturity levels.
Defence-in-depth
OK
Security defect management
OK
ISA/IEC 62443-1-1 defines defence-in-depth (9.4) as a general concept
(9).
ISA/IEC 62443-4-1 Practice 1 – Security management, Practice 3 –
Secure-by-design and Practice 8 – Security guidelines.
ISA/IEC 62443-4-1 Practice 1 – Security management and Practice 6 Security defect management.
ISA/IEC 62443-1-1 describes patch management as part of product
and system life-cycle activities.
ISA/IEC TR62443-2-3
management.
Patch management
OK
provides
detailed
guidance
in
patch
ISA/IEC 62443-4-1 Practice 1 – Security Management and Practice 7 –
Security update management.
Requirements to patch management are also defined in ISA/IEC
62443-2-4 and ISA/IEC 62443-2-1 for system integrators and asset
owners/operators.
ISA/IEC 62443-1-1 defines the context model (9.1) and Threat-Risk
Assessment (9.5) as general concepts (9).
Security assessment
OK
ISA/IEC 62443-4-1 Practice 1 – Security management, Practice 2 –
Specification of security requirements and Practice 5 – Security
verification and validation testing.
Addressed in ISA/IEC 62443-2-1 and ISA/IEC 62443-3-2 (risk
assessment) for asset owners/operators.
Guideline/documentation
OK
ISA/IEC 62443-1-1 defines Policies and Procedures (9.6) as general
concept (9) and introduces security documentation, guidelines and
support in security life-cycle (10.1) which is a fundamental concept.
ISA/IEC 62443-4-1 Practice 1 – Security management, Practice 8 –
Security guidelines.
GA 730640
Page 20 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
System integration and use
OK
ISA/IEC 62443-1-1 introduces the principal roles
owner/operator, system integrator and product supplier.
(7)
asset
ISA/IEC 62443-2-1 and ISA 62443-2-4 cover this criterion.
ISA/IEC 62443-1-1 defines life-cycles (10.1) as fundamental concept
(10).
Technological watch
OK
ISA/IEC 62443-4-1 Practice 1 – Security management, Practice 2 –
Specification of security requirements, Practice 3 – Secure-by-design,
Practice 5 – Security verification and validation testing and Practice 6
– Security defect management.
ISA/IEC 62443-4-1 references NIST Protection Profile in bibliography.
ISA/IEC 62443-4-2 references Common Criteria Protection Profiles in
CR 1.14 RE1 and RE2.
Protection profile
OK
ICCF (IACS Cybersecurity Certification Framework) Figure 27 illustrates
the mapping between security objectives and assumptions of ANSSI
short-term protection profile for a PLC to ISA/IEC 62443-4-2
component requirements based on ICCF ICPRO (IACS Component
Cybersecurity Protection Profile) pillar.
ISA/IEC 62443-1-1 defines product and IACS life-cycles (10.1) as
fundamental concept (10).
Product lifecycle
OK
ISA/IEC 62443-4-1 describes product development life-cycle
requirements related to cyber security for products intended for use
in the industrial automation and control systems environment.
7.5. ISO 15408 (Common Criteria)
Criteria
Design and Development
Verification and validation
Security level
GA 730640
ISO 15408
(CC)
Remarks
High-level
It defines requirements for the complete design process. However,
requirements, rather than technical or organisational, can be
categorized as procedural (with the corresponding outcome
documentation).
OK
The concepts as verification and validation are not directly addressed,
at least with those names. Instead, there are requirements that
specify how to carry out the evaluation of the ST, and also
requirements on how to perform the tests. In addition, in each SAR
component, there are requirements that apply to the evaluator. As in
the design process, requirements, rather than technical or
organisational, can be categorized as procedural (with the
corresponding outcome documentation).
High-level
CC does not describe security levels as ISA/IEC 62443. CC focuses on
an asset-based certification approach founded on PPs and STs where a
certain set of SFRs are defined, whereas ISA/IEC 62443 has an
scenario-based approach (threat landscape and risk-based) where
security levels are a fundamental principle related to the product
and/or the system partitioned into zones and conduits. Finally, while
CC aims to keep flexibility in the way requirements are defined,
Page 21 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
ISA/IEC 62443 introduces a static pre-defined set of requirements.
OK
The EAL is a kind of maturity level based on the depth in which the
SARs have to be applied. Therefore, the EAL applies to "procedural"
requirements (the SARs).
Defence-in-depth
OK
Not addressed as defence-in-depth, but the security requirements are
applied for the different steps of the development process. In function
of the EAL, more requirements applying to the different layers are
defined.
Security defect management
OK
Addressed under Flaw Remediation (ALC_FLR) assurance family.
Patch management
OK
Addressed under Flaw Remediation (ALC_FLR) assurance family.
Security assessment
OK
The Vulnerability Assessment (AVA) assurance class handles the
vulnerability evaluation and defines how to assess the strength of the
TOE security functions.
Guideline/documentation
OK
It defines the documentation that has to be presented in every lifecycle step. In addition, there is a class (AGD) with specific
requirements related to guidance documents.
System integration and use
OK
Requirements that address how to carry out the composition of
different products is addressed in the standard by the definition of
extra assessment requirements.
Partial
The technological watch concept is not treated in its whole. Only the
vulnerability analysis is addressed under the Vulnerability Analysis
(AVA_VAN) assurance class.
Protection profile
OK
It does define how to define protection profiles and security profiles
(this last named Security Targets).
Product lifecycle
OK
The class (ALC = Life Cycle Support) is defined, but as other class, only
describes requirements to acquire from an external life-cycle
development, it is not a life cycle itself.
Maturity level
Technological watch
7.6. ISO/IEC 27034 (includes 27001/2/5)
ISO/IEC
27034
Remarks
Design and Development
OK
The standard defines processes for the whole Application Lifecycle. But
this standard is focussing mainly on application development.
Verification and validation
OK
It is part of the ASC.
Criteria
Security level
NOK
Security levels can appear depending on the implementation of the
standard, but it is not defined.
Maturity level
NOK
The process and level of maturity are not formally defined by the
ISO/IEC 27034 but the ISO/IEC 21827.
GA 730640
Page 22 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Defence-in-depth
OK
Defence-in-depth
about
technological
context,
application
specifications, application data, organization and user data and roles
and permissions.
Security defect management
OK
Assess and manage security defects discovered during the development
cycle and after.
Patch management
OK
All security and privacy issues identified by the Final Security Review
process are fixed or mitigated.
Security assessment
OK
Addressed in ISO/IEC 27001.
Guideline/documentation
OK
System integration and use
OK
The ASMP addresses the security aspects of provisioning and operating
of applications.
OK
Security and privacy issues identified by the Final Security Review
process are fixed; those that cannot be addressed (e.g. vulnerabilities
posed by design level issues) are logged and corrected in the next
release.
Technological watch
Protection profile
NOK
Product lifecycle
Partial
ISO/IEC 27034 does not provide security profiles or protection profiles.
Mainly organizational and process-oriented.
7.7. NIST Standards and NIST Cyber Security Framework (CSF)
NIST standards
& CSF
Remarks
OK
NIST SP800-160 Nov 16 – section 3.4.5 specifically details the design
definition process and activities and tasks that should be carried out.
OK
NIST SP800-160 Nov 16 – Within section 3.4.5 there is a small section
on maintaining traceability through verification and validation
methods or techniques. There is also section 3.4.9 that details
verification processes in depth.
Security level
OK
NIST SP800-53r4 details the process of risk and how levels of risk can
drive the security measures required. NIST SP 800-160 details that
levels of criticality and assurance must be defined but only at a high
level. There is also a reference in the NIST CSF. Each of these
publications detail the requirement but there is no specific definition
of security levels for products.
Maturity level
High Level
http://csrc.nist.gov/groups/SMA/prisma/security_maturity_levels.html
Defence-in-depth
OK
The NIST CSF details how to apply defence-in-depth for assets, systems
and products.
Security defect management
OK
NIST SP800-160 details system defects and how they can lead to
vulnerabilities – this could also be applied to products.
Criteria
Design and Development
Verification and validation
GA 730640
Page 23 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Patch management
OK
NIST SP800-53r4 and NIST SP800-40 both detail patch management
processes.
Security assessment
OK
NIST SP 800-30r1 (control assessment NIST SP 800-53a)
Guideline/documentation
OK
NIST SP800-160r1 and NIST SP800-53r4 and CSF all detail guidance and
have documentation of product security.
System integration and use
OK
NIST SP800-64r2 and NIST SP800-160 both detail about system
integration and use which could apply to products.
Technological watch
OK
Whole special publication library – too many documents to reference
Protection profile
High Level
NIST SP800-53r4 Appendix H (IEC 15408 requirements mapped to NIST
controls). CSF has references to PP.
Product lifecycle
OK
NIST SP800-160r1 and NIST SP800-64r2 and CSF all discuss about
lifecycle management that could be applied at all levels including
products.
7.8. ANSSI
Criteria
Design and Development
ANSSI
Remarks
High-level
See guideline “Detailed Measures” (3.3), Managing Cybersecurity
for ICS (2.3.2).
See guideline “Classification Method and Key Measures”: Only
security approval (2.3) and audits (2.2.5) are described.
Verification and validation
Partial
A guide concerning how to approve security in 9 steps exists in
French.
See Managing Cybersecurity for ICS (2.3.2) only test phase is
described.
Security level
OK
Maturity level
NOK
Defence-in-depth
Security defect management
OK
OK
See guideline “Classification Method and Key Measures” (3).
See guideline “Detailed
Cybersecurity for ICS (2.2.3)
Measures”
(4.3)
and
Managing
See “Detailed Measures” (3.5 organisational measures and 4.4
technical measures)
See Managing Cybersecurity for ICS (2.2.5)
Patch management
OK
See Managing Cybersecurity for ICS (GP11) and “Detailed
Measures” (4.3.2)
Security assessment
OK
See guideline “Classification Method and Key Measures” (3)
Guideline/documentation
OK
Specific guidelines has been published for ICS; see website
GA 730640
https://www.ssi.gouv.fr/entreprise/bonnes-pratiques
Page 24 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
System integration and use
NOK
Technological watch
OK
See guideline “Classification Method and Key Measures” (2.2.6)
Detailed Measures” (3.3.6 and 3.3.7)
Protection profile
OK
3 types: Short-term, Mid-term (5y) and Long-term (not distributed
publically).
Product lifecycle
NOK
7.9. Microsoft SDL
Criteria
Microsoft SDL
Remarks
Design and Development
Partial
Only at SW level
Verification and validation
Partial
Only at SW level
Security level
Partial
Only at SW level. Addressed through “Bug bars” which are used to
define the severity thresholds of security vulnerabilities (Critical;
Important; Moderate and Low).
Maturity level
Partial
Only at SW level. Addressed through the “SDL Optimization
model” with 4 levels: Basic, Standardized, Advanced and Dynamic.
Defence-in-depth
Partial
Only at SW level. Concept defined in the standard protecting
through the different phases.
Security defect management
Partial
Only at SW level. A threat modelling tool is also proposed in the
standard to help with.
Patch management
Partial
Response to vulnerabilities is part of the development process
solely from the perspective of the Software development.
Security assessment
Partial
Only at SW level. Defined in the standard but no quantitative
methodology is proposed.
Guideline/documentation
OK
System integration and use
Partial
The framework covers the requirement for deployment guides.
System Integration as such is out of scope of the framework.
OK
Microsoft keeps threat modelling and code analysis tools updated.
Last version of the Microsoft SDL framework is 5.2 in 2012.
Technological watch
GA 730640
Page 25 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Protection profile
Product lifecycle
NOK
Partial
Microsoft SDL covers the main development aspects at SW level.
Commissioning, integration or operations is not scope of the
framework.
7.10. Coding rules
Criteria
Coding rules
Design and Development
NOK
Verification and validation
Partial
Security level
NOK
Maturity level
NOK
Defence-in-depth
NOK
Security defect management
NOK
Patch management
NOK
Security assessment
NOK
Guideline/documentation
OK
System integration and use
NOK
Remarks
Verification through secure code analysis tools.
Coding guidelines to implement.
OK
See guideline “Classification Method and Key Measures” (2.2.6)
Detailed Measures” (3.3.6 and 3.3.7). New flaws in code products
can be addressed through monitoring of CWE and OWASP
vulnerabilities/attacks database.
Protection profile
Partial
Certain coding standards and best practices provide different levels
of tests and rules to apply in the code, making available different
software protection profiles.
Complete lifecycle
NOK
Technological watch
GA 730640
Page 26 of 57
X2Rail-1 WP8
Deliverable D8.1
Selection of the “Secure-by-design” standard
ISA/IEC 62443-4
ISO 15408 (CC)
ISO/IEC 27034
NIST
ANSSI
Microsoft SDL
Design and Development
Criteria
OK
High-level
OK
OK
High-level
Partial
NOK
Verification and validation
OK
OK
OK
OK
Partial
Partial
Partial
Security level
OK
High-level
NOK
OK
OK
Partial
NOK
Maturity level
OK
OK
NOK
High-level
NOK
Partial
NOK
Defence in depth
OK
OK
OK
OK
OK
Partial
NOK
Security defect management
OK
OK
OK
OK
OK
Partial
NOK
Patch management
OK
OK
OK
OK
OK
Partial
NOK
Security assessment
OK
OK
OK
OK
OK
Partial
NOK
Guideline/documentation
OK
OK
OK
OK
OK
OK
OK
System integration and use
OK
OK
OK
OK
NOK
Partial
NOK
Technological watch
OK
Partial
OK
OK
OK
OK
OK
Protection profile
OK
OK
NOK
High Level
OK
NOK
Partial
Product lifecycle
OK
OK
Partial
OK
NOK
Partial
NOK
Table 1 – Evaluation criteria coverage overview on candidate standards
GA 730640
Page 27 of 57
Coding Rules
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
8. Conclusion
The aim of this report has been the selection of a normative framework for settling the basis of
a railway cybersecurity standard to be used as reference to develop secure railway products
under “Secure-by-design” principles.
Taking into account the results of the evaluation process against the objective pursued, four
standards have been selected as potential candidates (covering at least 80% of the identified
criteria):
1.
2.
3.
4.
ISA/IEC 62443-4 complies to all criteria;
ISO/IEC 15408 complies to all but three criteria;
ISO/IEC 27034 complies to all but four criteria;
NIST standards complies to all but two criteria;
In light of the framework focus for the secure-by-design standard, it appears that the ISA/IEC
62443-4 best fits to the standard coverage expectation while non-negligible gaps have been
identified for the three others candidates. Furthermore, NIST standards provide the needed
information but in a quite fragmented way.
In addition, on Figure 1 – Coverage of candidate standards against “Secure-by-design” framework scope
which represents the secure-by-design framework scope, it appears that among the four
candidates, ISA/IEC 62443-4 also best matches our expectations for.
Thus, considering:




the results of this analysis,
the coverage of framework scope,
the recommendation to use the ISA/IEC 62443 for the implementation of the
cybersecurity in the railway sector by the major international railway organisations and
normative bodies (i.e. UNIFE, CENELEC, etc.) and
that ISA/IEC 62443 is also used as the security risk assessment standard for the task 8.2
of X2Rail:
The ISA/IEC 62443-4-1 – “Secure product development requirements” and ISA/IEC 62443-4-2 –
“Technical security requirements for IACS systems” of the multi-part standard ISA/IEC 62443 is
proposed as the standard framework for the “Secure-by-design standard in the railway domain”.
GA 730640
Page 28 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Appendix A – References
1. ISA/IEC 62443-4-1 “Product development requirements”. Last draft from ISA/IEC used
for this document. http://isa99.isa.org/Public/Documents/ISA-62443-4-1-WD.pdf
2. ISA/IEC 62443-4-2 “Technical security requirements for IACS components”. Last draft
from ISA/IEC used for this document. http://isa99.isa.org/Public/Documents/ISA-624434-2-WD.pdf
3. ISO/IEC 15408:2009 “Common Criteria”. https://www.iso.org/standard/50341.html
4. ISO/IEC 27001:2013 “Information Security Management Systems”.
https://www.iso.org/standard/54534.html
5. ISO/IEC 27005:2011 “Information security risk management”.
https://www.iso.org/standard/56742.html
6. ISO/IEC 27034:2011 “Application security”. https://www.iso.org/standard/44378.html
7. NIST Standards & Other standards. http://csrc.nist.gov/publications/PubsSPs.html
8. ANSSI. “Protection profiles” and “Best practices”.
https://www.ssi.gouv.fr/administration/bonnes-pratiques/
9. Microsoft SDL v5.2 “Security Development Lifecycle”. https://msdn.microsoft.com/enus/library/windows/desktop/cc307406.aspx
10. Coding rules. GOTO Appendix B, section “Coding rules” in this document for multiple
references and links on this subject.
GA 730640
Page 29 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9. Appendix B – Further information about standards
9.1. ISA/IEC 62443-4
9.1.1. Scope of the standard
In this part of the IEC/ISA 62443 series, it can be found process requirements to assure the
secure development of products in Industrial Control Systems. It specifies a secure development
life-cycle (SDL) including security requirements, definition, secure design and implementation
(including coding guidelines), V&V, defect and patch management, and product phase-out.
9.1.2. Target audience
The target audience are component providers, in special software teams:



Developers and maintainers;
Software Project Managers and
Software Testers (for the tools).
In addition, it could be of great interest also for software acquirers to be able to define the
software requirements to reach higher levels of reliability, robustness and resistance to attacks.
9.1.3. Framework focus
This standard provides the process necessary for the product development from the beginning
of its life cycle and introduces security specific measures both at organizational and technical
levels throughout its different phases, providing so the inherent security sought in the security
standards under consideration. This standard does not address design, installation or operation
of the ICS component rather intends to help in order to implement the secure-by-design
concept. In addition, the requirements proposed help to align the development process of a
product with the strong security needs of industrial users as for example providers of ISA 624432-4 capabilities as asset owners or system integrators and maintainers contractors.
GA 730640
Page 30 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Figure 3 – Automation solution relation between ISA/IEC 62443 standards. © ISA/IEC
9.1.4. Type of requirements
This standard covers most of requirements to address a secure-by-design framework at process,
technical and organisational level through the whole life cycle of a product. The requirements
covered are shown in the following table (BR: Basic Requirements; RE: Requirement
Enhancement):
GA 730640
Page 31 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
GA 730640
Page 32 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Table 2 – Summary of ISA/IEC 62443-4-1 requirements. © ISA/IEC
GA 730640
Page 33 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.2. ISA/IEC 15408
9.2.1. Scope of the standard
The ISO/IEC 15408 standard, widely known as Common Criteria (CC), is a framework that guides
in the assessment of IT products in terms of security. Its philosophy is to provide assurance
based upon an evaluation of the IT product. The standard aims at:



Providing the consumers with a tool to identify if the product fulfils their security needs
in a simple way;
Providing the developers with a clear guidance on how to implement their products
from the security perspective, and
Providing the evaluators with clear criteria to assess a product according to security
requirements.
The ISO/IEC 15408 is divided into three parts:



ISO/IEC 15408-1 contains the introduction and defines the general model (Security
Target, Protection Profiles, etc.) in which security has to be handled.
ISO/IEC 15408-2 defines the set of all the Security Functional Requirements
ISO/IEC 15408-3 is reserved for the Security Assurance Requirements (SAR).
When analysing this standard under the umbrella of the Security-by-design, the focus has to be
set on the third part (ISO/IEC 15408-3) of the standard, since the SAR are the measures that
define the requirements to be fulfilled in the process of development of a product.
ISO/IEC 15408 – Part 3
ISO/IEC 15408 provides assurance through active investigation, where by active investigation it
is meant an evaluation of the IT product in order to determine its security properties. Evaluation
techniques can include for example analysis and checking of processes and procedures, their
appliance, analysis of the correspondence between TOE design representations, analysis of
guidance documents, independent functional testing, etc. The idea behind is that greater
assurance results are achieved by means of greater evaluation effort.
All the evaluation techniques are further specified in the set of Security Assurance
Requirements (SAR) described in this ISO/IEC 15408-3. The SAR is a description of how the TOE
is to be evaluated. These requirements are structured in classes. These classes, in turn, are
divided into assurance families, these in components, and finally the components in elements.
An assurance element is a security requirement which, if further divided, would not yield a
GA 730640
Page 34 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
meaningful evaluation result, i.e., it is the smallest security requirement recognized in ISO/IEC
15408. The assurance elements are classified into three groups:



Developer action elements: The activities to be performed by the developer.
Content and presentation of evidence elements: The evidence required what the
evidence shall demonstrate and what information the evidence shall convey.
Evaluator action elements: The activities that shall be performed by the evaluator.
A key aspect in this standard is the Evaluation Assurance Level (EAL). It is a numerical value that
goes from 1 to 7 and that quantifies the assurance of a certain TOE at the end of the evaluation.
Table 3 lists the seven EALs and the assurance implicit by each level.
Level
EAL 1
EAL 2
EAL 3
EAL 4
EAL 5
EAL 6
EAL 7
Meaning
Functionally tested
Structurally tested
Methodically tested and checked
Methodically designed, tested and reviewed
Semi-formally designed and tested
Semi-formally verified design and tested
Formally verified design and tested
Table 3 – Common Criteria Evaluation Assurance Levels (EAL). © ISO/IEC
For a certain class and family, different assurance components apply depending on the EAL
required. The Table 4 – Evaluation assurance level summary. © ISO/IECtaken from the ISO/IEC
15408-3:2008 standard represents this point. The components defined inside a family are
identified by a number starting from 1 and upwards. The number in the table represents for
each family which is the assurance component that has to be followed for each EAL. Thus, for
some families, the same component applies, but for others, the components to be used differ
from one EAL to another. The meaning of each class and family and the elements that form
each component are depicted in the aforementioned standard.
GA 730640
Page 35 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Table 4 – Evaluation assurance level summary. © ISO/IEC
The ISA/IEC 15408 – 3, in addition to defining the assurance level of a single TOE, defines the
Composed Assurance Packages, that consist in three different packages of requirements to be
applied to composed TOEs, which are comprised of components that have gone through TOE
evaluation. In this case, three levels are defined: level A (CAP-A), level B (CAP-B) and level C
(CAP-C). The meaning of each level is defined in Table 5. Depending on the aimed level, different
requirements will apply per each assurance class and family. A summary of the assurance
components to be applied per assurance class and family for each CAP is shown in theTable 6
Table 6 taken from the ISO/IEC 15408-3:2008 standard.
Level
CAP-A
CAP-B
CAP-C
Meaning
Structurally composed
Methodically composed
Methodically composed, tested and reviewed.
Table 5 – Composition Assurance Levels. © ISO/IEC
GA 730640
Page 36 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Table 6 – Composition assurance level summary. © ISO/IEC
The SARs are quite generic requirements. They specify the action to be carried out, but they do
not indicate how to bring them to practice. Some examples of assurance elements
(requirements) are:




The developer shall provide a statement of security objectives.
The developer shall provide a functional specification.
The evaluator shall determine that the functional specification is an accurate and
complete instantiation of the SFR.
The evaluator shall execute all tests in the test documentation to verify the developer
test results.
When defining a ST or PP, a subset of all the SARs has to be selected. The standard provides
some fixed operations that allow the ST/PP writer to modify the SARs (assignment, selection,
iteration and refinement). In addition SARs have dependencies among them, which signifies that
if an ST/PP uses that SAR, it generally needs to use those other SARs as well.
GA 730640
Page 37 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.2.2. Target audience
CC is suited for:




Consumers: Through the definition of PP, consumers can satisfy their needs through the
evaluation process described in the standard.
Developers and Product Vendors: complying with a PP, developers and vendors ensure
the requirements needed by users. In addition, companies wanting to validate or certify
their product will find the elements to fulfil for.
Certifiers/Evaluators: third-party companies can provide certificates through
independent evaluation.
Accreditors and approvers: institutions and authorities can define the EAL needed for a
certain IT system to guarantee security functions to be covered.
9.2.3. Framework focus
The ISO/IEC 15408-3 does not provide a concrete secure-by-design procedure that has all the
phases of the development of a product clearly defined. Instead, it defines a big amount of
requirements to be fulfilled from which a subset will be chosen for each ST or PP. In addition,
these requirements are generic and do not specify in a concrete way how to carry out the
different tasks. This means that the secure-by-design principle should be defined taking into
mind all the selected SARs and checking that they are fulfilled. In other words, it gives certain
“freedom” in the definition of the security by design strategy, but on the other hand, it specifies
a big number of procedural requirements to be satisfied by the strategy.
9.2.4. Type of requirements
Target of Evaluation (TOE): is defined as a set of software, firmware and/or hardware possibly
accompanied by guidance. Furthermore, the TOE may be an IT product, a part of an IT product,
a set of IT products, a unique technology that may never be made into a product, or a
combination of these.
A Security Target (ST) is a complete and rigorous description of a security problem for a certain
TOE. It contains among other aspects, the TOE description, threats, assumptions, security
objectives, security requirements, and rationales.
Another important aspect of CC is the Protection Profiles (PP). Whereas an ST always refers to a
specific TOE (a concrete product), a PP is intended to describe a TOE type (e.g. a firewall). The
same PP may therefore be used as a template for many different STs. In the definition of the ST,
conformance to a certain PP can be addressed.
GA 730640
Page 38 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
The security requirements in CC are divided into two groups: the Security Functional
Requirements (SFR) and the Security Assurance Requirements (SAR). The firsts are technical
requirements to be addressed by the TOE in order to counter the threats and fulfil the security
objectives. The SARs, on the other hand, define activities to be carried out to provide assurance
in the correctness of the TOE, i.e. their fulfilment help in reducing vulnerabilities in the TOE by a
correctly defined development process. It is worth highlighting that measures regarding the
operational environment (human security guards, procedures…) are not addressed in these
requirements and consequently the ISO/IEC 15408 does not consider assessment of those
measures. However, it does specify that the operational environment measures, despite not
being assessed, should be defined among the security objectives to be described in the ST.
In summary, ISO/IEC 15408 standard defines a model at organizational and procedural level to
create Protection Profiles which will gather the security requirements for the product assessed.
9.3. ISO/IEC 27034 (includes ISO/IEC 27001/2/5)
Note: ISO/IEC 27001/2/5 analysis is included in section 0.
9.3.1. Scope of the standard
ISO/IEC 27034 is a multi-part standard aiming at defining processes for considering security
along the application lifecycle, that are in line with other standards of the ISO/IEC family. The
standard ISO/IEC 27034 provides guidance for organizations in integrating security into the
processes used for managing their applications and explicitly takes a process-oriented approach
to specifying, designing, developing, testing, implementing and maintaining security functions
and controls in application systems. An overview of how ISO/IEC 27034 is associated with other
ISO/IEC standards is shown in Figure 4 - Relationship to other ISO/IEC standards. © ISO/IEC
GA 730640
Page 39 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Figure 4 - Relationship to other ISO/IEC standards. © ISO/IEC
Rather than outlining precise security control requirements this multi-part standard defines
processes to develop a set of Application Security Controls (ASC Library) depending on the
business, regulatory and technological context of the application. An application security control
is defined, according to the standard, as a data structure containing a precise enumeration and
description of a security activity and its associated verification measurement to be performed at
a specific point in an application's life cycle.
The requirements and processes specified in ISO/IEC 27034 are not intended to be implemented
in isolation but rather integrated into an organization's existing processes.
It has to be noted that at the time of writing the summary, the vast majority of the multi-part
standard, have not yet been published.
GA 730640
Page 40 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Figure 5 – ISO/IEC 27034 scope. © ISO/IEC
9.3.2. Target audience
It is aimed at architects, analysts, programmers, testers, IT teams, data base administrators,
admins, etc., who need to know when and which Application Security Controls should be
applied, who integrate Application Security Controls in their activities, who assure that
Application Security Controls meet the requirements of associated measurements, who get
access to tools and best practices and who facilitate peer review. It can also be used by auditors,
in order to know the scope and process of verification measurements for the corresponding
Application Security Controls, to make audit results repeatable, to identify verification
measurements which can generate supporting evidence to demonstrate that the application has
reached the required level of trust authorized by the management and standardize the
application security verification.
9.3.3. Framework focus
It introduces definitions, concepts, principles and processes involved in application security in
order to establish an Application Security Management Process (ASMP) for an organization. The
standard defines “application security” not as a state of security but as a process an
organization can perform for applying controls and measurements to its applications in order to
manage the risk of using them. Due to the detachment with any Software Life-Cycle, ISO/IEC
27034 “Life cycle reference model” is rather an organisation-specific “software assurance
programme” than a proper development software life cycle.
GA 730640
Page 41 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.3.4. Type of requirements
Mainly process-oriented and organizational requirements:









Organization and user’s data
Application data
Roles and permissions
Application specifications
Technological context
Processes involving the application
Application life cycle processes
Regulatory context
Business context
9.3.5. ISO/IEC 27001/2/5
9.3.5.1. Scope of the standard
The standard ISO/IEC 27005:2011 provides guidelines for information security risk management
and is designed to assist the satisfactory implementation of information security based on a risk
management approach.
The standard ISO/IEC 27005:2011 doesn't specify, recommend or even name any specific risk
management method. It does however imply a continual process consisting of a structured
sequence of activities, some of which are iterative:





Establish the risk management context;
Quantitatively or qualitatively assess relevant information risks;
Treat the risks appropriately, using those ‘levels of risk’ to prioritize them;
Keep stakeholders informed throughout the process;
Monitor and review risks, risk treatments.
Figure 6 – Illustration of the continual security risk assessment process.© ISO/IEC provides the
process workflow for the continual risk assessment method proposed.
GA 730640
Page 42 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Figure 6 – Illustration of the continual security risk assessment process.© ISO/IEC
9.3.5.2. Target audience
This standard ISO/IEC 27005:2011 is relevant to managers and staff concerned with information
security risk management within an organization and, where appropriate, external parties
supporting such activities.
This International standard is applicable to all types of organizations (e.g. commercial
enterprises, government agencies, non-profit organizations) which intend to manage risks that
could compromise the organization’s information security.
GA 730640
Page 43 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.3.5.3. Framework focus
It introduces definitions, concepts, principles and processes involved in information security risk
management in order to identify organizational needs regarding information security
requirements and to create an effective information security management system (ISMS).
Information security risk management should be a continual process. The process should
establish the external and internal context, assess the risks and treat the risks using a risk
treatment plan to implement the recommendations and decisions.
9.3.5.4. Types of requirements
Mainly process and requirements in information security risk management:








Criteria of risk management approach, risk evaluation, risk acceptance and impact
criteria
Scope and boundaries of information security risk management
Organization for information security risk management
Information security risk assessment process
Risk identification
Risk analysis
Risk evaluation
Information security risk treatment
Risk modification
Risk retention
Risk avoidance
Risk sharing
Information security risk acceptance
Information security risk communication and consultation
Information security risk monitoring and review
9.4. NIST CSF & Other NIST Standards
9.4.1. Scope of the standard
The National Institute of Standards and Technology (NIST) is a United States of America (U.S)
organisation and part of the Department of Commerce. Founded in 1901 it provides
measurement and standard based publications and frameworks that can be applied to the
smallest of technology to the largest and most complex creations. It is broken down into seven
GA 730640
Page 44 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
laboratories with the key one this work stream is focused on being the Information Technology
Laboratory which has a division looking at Computer Security.
Within the general Computer Security domain this is further broken down into elements related
to Cyber Security, with the two key elements that were under consideration as part of the
secure-by-design approach being assessed being:


Cyber-Physical Systems (CPS) or “smart” systems are co-engineered interacting
networks of physical and computational components. These systems will provide the
foundation of our critical infrastructure (e.g., smart grid, transportation), form the basis
of emerging and future smart services (e.g., smart city services), and improve our quality
of life in many areas (e.g., healthcare). ITL’s research helps to remove barriers to
progress in CPS – by advancing measurement, standards, tools, and guidance in areas
such as cybersecurity, privacy, networking, timing, and IT infrastructure. ITL works
closely with industry, government, and academia to advance the technical underpinnings
that are necessary to reap the benefits of CPS.
Cybersecurity - ITL is responsible for developing standards, guidelines, tests, and metrics
for the protection of non-national security federal information and communication
infrastructure. While developed for federal agency use, these resources are frequently
voluntarily used by non-federal organizations, including industry and academia, because
they provide highly adaptable, risk based, and cost-effective approaches to securing
systems. These standards and guidelines are developed in an open and transparent
manner that engages diverse stakeholders and leverages the contributions of diverse
technical experts from around the world. Our security automation project has made
important strides towards standardizing and automating critical information security
elements such as software vulnerabilities and secure configurations. The National
Vulnerability Database, the National Checklist Program, and the technical standards that
support them, are critical components in ensuring that security management is effective
and efficient.
The NIST Computer Security Division has published a number of standards with the main ones
being reviewed as part of this initial piece of work coming under the SP800 and SP1800 series.
At a high level the following standards were reviewed:

NIST SP 800-53r4 Security and Privacy Controls for Federal Information Systems and
Organizations, 2013 Contains 18 control families (similar to ISO 27001/2)
Access control, awareness and training, Audit and Accountability, Security
Assessment and Authorization, Configuration Management, Contingency Planning,
Identification and Authentication, Incident Response, Maintenance, Media
Protection, Physical and Environmental Protection, Planning, Personnel Security,
GA 730640
Page 45 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard





Risk Assessment, System and Services Acquisition, Systems and Communications
Protection, System and Information Integrity, Program Management
NIST SP 800-82r2 Guide to Industrial Control Systems (ICS) Security, 2015
Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control
Systems (DCS), and Other Control System Configurations such as Programmable
Logic Controllers (PLC)
NIST SP 800-30r1 Guide for Conducting Risk Assessments (2012)
Defines risk assessment fundamentals and process as well as possible methods e.g.
threat assessment, vulnerability assessment, security control assessment covered by
NIST SP 800-53A
It also provides valuable information and templates about threat sources, threat
events, vulnerabilities and predisposing conditions, likelihood of occurrence, impact,
risk determination, informing risk response, risk assessment reports
NIST SP 800-37r1 Guide for Applying the Risk Management Framework to Federal
Information Systems, A Security Life-Cycle Approach (2010)
CATEGORISE system, SELECT controls, IMPLEMENT controls, ASSESS controls,
AUTHORIZE system, MONITOR controls
NIST SP 800-39r1 Managing Information Security Risk, Organization, Mission, and
Information System View (2011)
Describes concept of trust and trustworthiness of systems
NIST SP800-160 is a new standard from NIST (November 2016) that provides security
related implementation guidance for the standard ISO/IEC/IEEE 15288:2015 “Systems
and software engineering – system life cycle processes”.
The other element to this review of NIST standards was to look at the NIST Cyber Security
Framework. This framework builds upon the existing publications and standards and practices
for critical infrastructure organisations to help them better manage and reduce cybersecurity
risk. In addition to helping organisations manage and reduce risks, it was designed to foster risk
and cybersecurity management communications amongst both internal and external
organisational stakeholders.
9.4.2. Target audience
The framework is not designed to fit all organisations and its aim and purpose allows it to be
customised to meet sector and individual organisational needs. Specifically it should not be
implemented as an un-customised checklist or a one-size fits all approach for all critical
infrastructure organisations. If approached in the right manner the Framework will help an
organisation to better understand, manage, and reduce its cyber security risks. It will assist in
GA 730640
Page 46 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
determining which activities are most important to assure critical operations and service
delivery. In turn, that will help to prioritise investments and maximize the impact of each dollar
spent on cybersecurity and provides a common language to address cyber security risk
management; it is especially helpful in communicating inside and outside the organisation. That
includes improving communications, awareness, and understanding between and among IT,
planning, and operating units, as well as senior executives of organisations.
Specifically for NIST 800-160 the target audience is:








Individuals with systems engineering, architecture, design, development, and integration
responsibilities;
Individuals with software engineering, architecture, design, development, integration,
and software maintenance responsibilities;
Individuals with security governance, risk management, and oversight responsibilities;
Individuals with independent security verification, validation, testing, evaluation,
auditing, assessment, inspection, and monitoring responsibilities;
Individuals with system security administration, operations, maintenance, sustainment,
logistics, and support responsibilities;
Individuals with acquisition, budgeting, and project management responsibilities;
Providers of technology products, systems, or services; and
Academic institutions offering systems security engineering and related programs.
9.4.3. Framework focus
Although the NIST publications and standards provides a good level of information detail, not all
of it is relevant to European standards, regulations and legal requirements as it is very U.S.
centric. However, upon review and discussion it was agreed that elements of the NIST library
could be used to further develop the secure-by-design framework by complementing the
chosen framework if required.
Regarding NIST 800-160: it could be used as a guidance to complement ISA/IEC 62443 on those
areas where there is not enough detail. Specifically, it may be usable for the future
development of prototypes related to the cyber security work. The security considerations are
provided as systems security engineering activities and tasks and they are aligned with and
developed as security extensions to the system life cycle processes in ISO/IEC/IEEE 15288 –
“Systems and software engineering – System life cycle processes”.
9.4.4. Type of requirements
The Cyber Security core Framework (NIST CSF) provides a set of activities to achieve specific
cybersecurity outcomes, and references examples of guidance to achieve those outcomes. The
GA 730640
Page 47 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified
by industry as helpful in managing cybersecurity risk. The core comprises the following key
elements (detail sitting behind each sub-category):
Figure 7 – NIST CSF key elements. © NIST
GA 730640
Page 48 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
System Life Cycle Processes
Life Cycle
Stages
Organisation Project
Enabling Processes
Technical Management
Processes
Technical Processes
 Acquisition
 Supply
 Life Cycle Model
Management
 Infrastructure
Management
 Portfolio Management
 Human Resource
Management
 Quality Management
 Knowledge
Management
 Project Planning
 Project Assessment
and Control
 Decision Management
 Risk Management
 Configuration
Management
 Information
Management
 Measurement
 Quality Assurance
 Business or Mission
Analysis
 Stakeholder Needs
and Requirements
Definition
 System
Requirements
Definition
 Architecture
Definition
 Design Definition
 System Analysis
 Implementation
 Integration
 Verification
 Transition
 Validation
 Operation
 Maintenance
 Disposal
Concept
Development
Application
Agreement
Processes
Production
Utilization
Support
Retirement
Table 7 – “System Life Cycle Processes” and “Life Cycle Stages” from NIST 800-160. © NIST
9.5. ANSSI
9.5.1. Scope of the standard
ANSSI is the national cybersecurity agency of France. As a national authority, ANSSI reports to
the Secretary General for Defence and National Security (Secrétaire Général de la Défense et de
la Sécurité Nationale - SGDSN). The SGDSN assists the Prime Minister in fulfilling his
responsibilities in matters of national defence and security. There is no standard as such that
ANSSI has developed specifically for the railway industry but the agency regular publishes best
practices and guidelines for the critical infrastructure operators.
GA 730640
Page 49 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.5.2. Target audience
The intended audience for ANSSI documents and publications would be a variety of actors in
organisations. Depending on the nature of the industrial activity the set of regulations and
security rules are different. The documents of ANSSI are intended for:





Security Managers
Security Administrators
Auditors
Developers
Suppliers
9.5.3. Framework focus
As mentioned, ANSSI does not publish any framework; it does however publish sets of
regulations, best practices and guidelines that can be used independently based on the needs of
the organisations. The focus spread from security management activities to more technical
activities such as network level configurations. The documents of ANSSI however are publish as
guidelines and best practices, hence the requirements are very highly level and the respective
organisations that intend to or must comply to the requirements of ANSSI and the French law
have the responsibility to define more detailed actions.
9.5.4. Type of requirements
There are no requirements as such that ANSSI imposes, however according to the LPM (Loi de
Programmation Militaire) there are mandatory requirements that Critical Infrastructure
Operators must comply to since it is the French law. These high-level legal requirements include:




Identification of critical infrastructure information systems according to the criteria
defined by ANSSI.
Notifications of security incidents that affect the critical infrastructure operators. The
types of incidents to be notified are defined in the French legislation.
Compliance to predefined security rules defined by French legislation by each critical
infrastructure operators according to specific industry activity.
Auditing exercise by ANSSI to verify compliance of the security controls will be
conducted by ANSSI experts, authorised government agencies or qualified suppliers.
The ANSSI also published best practice security rules that all critical infrastructure operators
must already have in place or have planned to implement in the future. These include:
GA 730640
Page 50 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard













Information security policy
Security qualification
Security architecture
Security assurance
Log management
Detection mechanism
Incident management
Alert management
Crisis Management
Identity & access management
Privilege Management
Defence-in-depth
Indicators
9.6. Microsoft SDL
9.6.1. Scope of the standard
The Security Development Lifecycle (SDL, not to confuse with the Microsoft SDLC “Software
Development Life Cycle) is a software development process that helps companies to build more
robust software and address security compliance requirements through multiple phases in
which security software practices are defined into the development lifecycle. Together with the
SDL framework, Microsoft provides tools able to check and assist in the different phases of the
lifecycle (Threat Modelling tool, set of Code Security Analysers, etc.).
From a secure-by-design point of view, the seven phases of the standard cover most of the
requirements necessary to develop a secure software product under Microsoft framework.
These phases are:







Training
Requirements
Design
Implementation
Verification
Release
Response
GA 730640
Page 51 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.6.2. Target audience
The Microsoft Security Development Lifecycle framework is intended for the whole software
development team, including:




Analysts
Developers
Testers
Project Managers
9.6.3. Framework focus
The key principles for the framework are referred to as SD3+C – Secure by Design, Secure by
Default, Secure in Deployment and Communications. Each of the key principles imposes
different requirements in different phases on the development lifecycle. All of those
requirements aim to minimize security-related vulnerabilities in the design, code, and
documentation and to detect and eliminate vulnerabilities as early as possible in the
development life cycle. These improvements reduce the number and severity of security
vulnerabilities and improve the protection of users’ privacy.
9.6.4. Type of requirements
The types of requirements defined in the standard for every phase are:








Recommended trainings for target audience
Security requirements and recommendations
Privacy requirements and recommendations
Resources for further documentation in requirements
Process to adapt SDL to Development methodologies (Agile)
Technical coding rules
Examples of Security Bug Bars (Security levels of SDL)
Checklists for software development methodology
GA 730640
Page 52 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Figure 8 - Secure software development process model at Microsoft. © Microsoft
9.7. Coding rules
9.7.1. Scope of the standard
Due to the multiple existent languages for any particular system that manufacturers may use to
program its software, there have been only referenced standards and tools for three of the
main languages used in Industrial Control Systems: C, C++ and ADA.
Such standards, resources and tools, does not assure to a vendor developers or manufacturers
have developed a secure hardware, rather it shall be considered as a guideline and support to
encourage programmers to follow a uniform set of rules and guidelines determined by the
requirements of the project and organization, rather than by the programmer’s familiarity or
preference. Once established, these standards can be used as a metric to evaluate source code
(using manual or automated processes) to determine compliance with the standard.
Of all standards evaluated the technical specification ISO/IEC TS 17961:2013 “C secure” is the
most accepted reference in secure development. It is focused in C, but it can be used in most of
cases to C++ language due to its strong relation. Most of standards and guidelines in securecoding cover amend and/or map ISO/IEC TS 17961:2013 as MISRA (Motor Industry Software
Reliability Association) guidelines or NASA, which at the same time hierarchically complies with
MISRA practices.
Note: Some coding practices are already enforced by the EN 50128 “Software for Railway control
and protection systems” standard in order to comply with the targeted Safety Integrity Levels
(SIL).
GA 730640
Page 53 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
Table 8 - Comparison of ISO/IEC TS 17961 with other standards. © ISO/IEC
The CWE (Common Weakness Enumeration) set of software weaknesses allow to enable
effective discussion, description, selection and use of software security tools and services that
can find these weaknesses in source code and operational systems.
CERT (a Software Engineering Institute division) is developing secure-coding standards for
commonly used programming languages such as C, C++, and Java through a broad-based
community effort that includes members of the software development and software security
communities. CERT and CWE maintains a “secure-coding relationship” where CWE provides a
comprehensive repository of know weaknesses, while CERT secure-coding standards identify
insecure programming constructs that, if present in code, could expose a weakness or
vulnerability in the software. They publish numerous tools for a range of activities and checklists
in secure-coding.
9.7.2. Target audience
The main target audience for these coding rules are mainly Software Developers, Software
Project Managers and Software Testers (for the tools). In addition, it could be of great interest
also for software acquirers to be able to define the software requirements to reach higher levels
of reliability, robustness and resistance to attacks.
9.7.3. Framework focus
The standards and technical specifications evaluated should be used as reference on software
development lifecycles and not as a global standard to follow for any software development
team.
GA 730640
Page 54 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
9.7.4. Type of requirements
Firstly, it must be differenced the concept of “Language” standard with “Secure development”
standard, guideline, best practices or technical specification. The former establish the definition
and requirements of a programming language, the latter are based in diagnose to insecure code
and/or provides best practices beyond the requirements of a language standard to avoid known
errors or attacks due to flaws in code.
Language standards
These standards do not provide guideline to secure-coding. Just requirements when
programming in such languages:



Standard in C language (C11): ISO/IEC 9899:2011
Standard in C++ language: ISO/IEC 14882:2014
Standard in ADA language: ISO/IEC 8652:1995/Amd 1:2007
Secure development standards guidelines and resources
Today’s most standardised reference in secure development is the following technical
specification:

ISO/IEC TS17961:2013 “C secure” specifies rules for secure-coding in the C programming
language and includes code examples for each rule.
Additionally:

ISO/IEC TR 24731-1/2 provides alternative functions for the C Library (as defined in
ISO/IEC 9899:1999) that promote safer, more secure programming and also contains
functions that address insecurities with the C input-output facilities.
From MISRA:




MISRA C:2012: Guidelines for the Use of the C Language in Critical Systems
MISRA C++:2008: Guidelines for the Use of the C++ Language in Critical Systems
Guidelines for safety analysis of vehicle based programmable systems. Link:
https://www.misra.org.uk/Publications/tabid/57/Default.aspx
Many others in MISRA site: https://www.misra.org.uk
From NASA:

JPL Institutional Coding Standard for the C Programming Language (2009). Link:
http://lars-lab.jpl.nasa.gov/JPL_Coding_Standard_C.pdf
From CERT:
GA 730640
Page 55 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard

SEI CERT C/C++ Coding Standard (2016 Edition) identifying the root causes of today’s
most widespread software vulnerabilities, how they can be exploited, the potential
consequences, and secure alternatives.
Secure code analysis tools (sample)
Commercial solutions:





Astrée (tailored towards safety-critical embedded code) used by Airbus. Link:
https://www.absint.com/
CodeSonar (focused on embedded, M2M, and IoT equipment markets) used by NASA.
Link: https://www.grammatech.com/products/codesonar
Coverity (used by USA Gov., NASA, CERN, etc.). Link: http://www.coverity.com/
AdaTEST 95 is a unit and integration testing tool, enabling developers to verify standard
compliant or business critical code on host native and embedded target platforms. Link:
https:/www.qa-systems.com/tools/adatest-95/deep-code-coverage/
GNATcoverage is a specialized tool that analyses and reports program coverage. Link:
http://www.adacore.com/gnatcoverage/
Free solutions from CERT Division (Software Engineering Institute):




Clang Thread Safety Analysis mainly used to declare and enforce thread safety policies
in C and C++ programs. Link: http://www.cert.org/secure-coding/tools/clang-threadsafety-analysis.cfm
Compiler-Enforced Buffer Overflow Elimination is a research prototype that prevents
buffer overflows in multithreaded code and has additional features not found in other
memory safety mechanisms. Link: http://www.cert.org/secure-coding/tools/compilerenforced-buffer-overflow-elimination.cfm
Rosecheckers performs static analysis on C/C++ source files. It is designed to enforce the
rules in the CERT C Coding standard. Link: http://www.cert.org/securecoding/tools/rosecheckers.cfm
Secure Coding Validation is a suite set of tests developed to validate the rules defined in
ISO/IEC TS 17961. Link: http://www.cert.org/secure-coding/tools/validation-suite.cfm
GA 730640
Page 56 of 57
X2Rail-1
Deliverable D8.1
Selection of the “Secure-by-design” standard
10. Appendix C – Comments
Figures and tables added from ISA/IEC 62443 series have the permission from ISA to be used in
this document.
The evaluation of the ISA/IEC 62443-4-1 and ISA/IEC 62443-4-2 has been done with the most
current published document: “Draft 3, Edit 11, March 2016” for ISA/IEC 62443-4-1, and “Draft 4,
Edit 1 from January 12, 2017” for ISA/IEC 62443-4-2.
GA 730640
Page 57 of 57