Title :
Certification and evaluation: A security economics perspective
Author :
Anderson, Ross ; Fuloria, Shailendra
Author_Institution :
Comput. Lab., Cambridge Univ., Cambridge, UK
Abstract :
There has been some discussion in the industrial control system security community of evaluation and certification. There are already at least two independent third party evaluators, and some have advocated common criteria certification of products used in critical systems. The broader IT security community has considerable experience of evaluation and certification, which we seek to summarise and share in this paper. Certification is not a silver bullet, and can very easily end up as spin rather than substance: as `security theatre´ designed to reassure customers or regulators rather than a genuine risk-reduction mechanism. It can also be very expensive, and once entrenched it can impose deadweight costs on industry that are difficult to eliminate even when certification processes are widely seen as failing. We discuss a number of further issues such as perverse incentives, usability and liability and argue that the industry should proceed with great caution.
Keywords :
certification; industrial control; security of data; IT security community; common criteria certification; industrial control system security; security economics; Boilers; Certification; Cities and towns; Computer security; Ethics; Fires; Hazards; Information security; Insurance; Laboratories;
Conference_Titel :
Emerging Technologies & Factory Automation, 2009. ETFA 2009. IEEE Conference on
Conference_Location :
Mallorca
Print_ISBN :
978-1-4244-2727-7
Electronic_ISBN :
1946-0759
DOI :
10.1109/ETFA.2009.5347129
