First Level Security Certification (CSPN): The S2OPC Case Study
In October 2023, Systerel received the Security Visa from the French National Cybersecurity Agency (ANSSI) for the CSPN (First Level Security Certification) of its product: S2OPC. This achievement gives us the opportunity to focus on what the CSPN is and to provide feedback on the certification process.
About OPC UA
The OPC UA technology is a Machine-to-Machine communication standard developed and promoted by the OPC Foundation. It is a cornerstone for Industry 4.0 development, ensuring interoperability, data security, and advanced information modeling. Systerel, an active member of the OPC Foundation, has been implementing OPC UA for 10 years and contributes significantly to its evolution and dissemination.
Systerel has developed OPC UA-based solutions, including its secure open-source stack: S2OPC.
What is the CSPN?
Since 2008, ANSSI has issued CSPN certifications, which verify that an IT or OT product has passed a security evaluation conducted by an ANSSI-approved evaluation center. This certification is based on “black box” tests performed under constrained time and conditions. It relies on criteria, methodology, and processes developed by ANSSI and published on its website. The CSPN serves as an alternative to Common Criteria (CC) evaluations.
CSPN includes a compliance analysis and penetration tests conducted by a third-party evaluator (ITSEF, Information Technology Security Evaluation Facility) under ANSSI’s authority. These tests follow a scheme and reference framework that meet user security needs and integrate the latest technological advances. The entire process is managed by ANSSI’s national certification center.
Note
In other words, in France, CSPN provides an initial level of trust for a security product that meets the security requirements of most industrial players.
It is also noteworthy that ANSSI has signed an agreement with its German counterpart, BSI, for mutual recognition of CSPN and BSZ (Accelerated Security Certification) schemes. This mutual recognition in two European countries eliminates the need for manufacturers to undergo multiple certification procedures in different markets, reducing costs and commercial barriers.
Why Certify a Product?
Certification attests to a product’s robustness, establishing its resilience to threats. It offers several advantages:
- For users: Choosing a certified product ensures that its functionalities provide a proven level of security and resist a determined level of attacks.
- For companies in the software publishing sector, certification ensures:
  - compliance with critical standards
  - recognition by the French government and industries
  - validation of continuity programs, detailing the management of the product’s future evolution within the certification framework.
The Certification Process
Key Players:
- The sponsor: In our case, a dedicated division of ANSSI, different from the certification center.
- The evaluation center, also known as ITSEF
- ANSSI’s certification center
- The product developer: Here, Systerel
Steps:
- Preparation of the request by the sponsor
- Selection of an evaluation center by the sponsor
- Certification request submitted by the sponsor to ANSSI’s certification center
- Analysis of the request by the certification center based on the product’s security target
- Evaluation process
- Certification
More details on the certification process can be found on ANSSI’s website.
How Does CSPN Compare to CC Requirements?
A CC certification follows similar steps but without time or workload constraints. It is based on an Evaluation Assurance Level (EAL) scale ranging from 1 (minimum requirements) to 7 (maximum).
By comparison, a CSPN procedure spans a few dozen pages, whereas a CC procedure extends over several hundred. CSPN may be more suitable for products with a short development cycle, such as many industrial IoT devices.
S2OPC Certification Feedback
In October 2023, the certification process was completed: the ITSEF chosen by ANSSI evaluated S2OPC and submitted its report. ANSSI’s certification center analyzed the report and confirmed the successful CSPN certification.
The security mechanisms analyzed in this certification include:
- signature and encryption of communications,
- user authentication,
- protection of user data,
- protection against malformed messages.
The proper implementation of these mechanisms reduces the risks to users’ assets.
At the end of our CSPN certification process for S2OPC, we highlight:
- Product improvement: The process leads to product enhancement and secure implementation. Fruitful exchanges with ANSSI led us to prohibit insecure S2OPC configurations and develop implementation examples as references for our users.
- Potential delays: Given the high number of applications submitted to ANSSI, this process can be subject to delays.
- Evolving regulatory framework: CSPN certification rules can evolve. Since 2022, it has no longer been possible to certify a software library without including it in an implementation example. Systerel had to consider this evolution during the certification process.
Conclusion and Outlook
For S2OPC, the CSPN security visa provides significant market value, as no competing product currently holds a cybersecurity certificate.
The certification ensures that OPC UA standard cybersecurity mechanisms are implemented in a trusted manner, minimizing risks to protected assets (e.g., OPC UA address space). It offers additional trust regarding the cybersecurity hardening of S2OPC.
The CSPN security visa represents a first step, enabling critical infrastructure operators to use a certified component for OT communications.
About Systerel
Systerel is an independent engineering company specializing in the development, validation, and evaluation of critical real-time systems. The company has developed significant expertise in the OPC UA standard and also publishes S2OPC, a secure open-source implementation of this standard. Systerel provides comprehensive industrial support for this implementation, including training, specific developments around S2OPC and maintenance.