Ultra Intelligence & Communications

The Importance of 3rd Party Validation for Cyber Solutions

April 24th, 2017 / By

Why are 3rd party validations important for cyber solutions?

When I joined 3eTI a year ago, I recall often hearing my peers talk about “Federal Information Processing Standards (FIPS)” and “Common Criteria (CC)” and their importance to cybersecurity. At the time I had never heard of either and had little appreciation for why they mattered. My background is in industrial automation, and that is still my focus within 3eTI. If you, like me, do not come from a military or federal government background, you are likely asking yourself, “what the heck are FIPS and CC, and why are they so important?” For those of you who aren’t aware of what FIPS and CC mean, let me give you a little insight from what I have learned.

FIPS in this case refers to FIPS 140-2, and CC refers to Common Criteria. Both are public standards that are generally required by the US government for any computer systems that connect to its networks. FIPS 140-2 specifically addresses cryptographic modules and defines security levels 1 through 4 (4 being the most stringent). The standard covers encryption algorithms, tamper resistance and tamper evidence, protection of cryptographic keys, and so on. Common Criteria is likewise a standard under which vendors define a product’s security attributes against Protection Profiles (PPs). The main measure in CC is the Evaluation Assurance Level (EAL), which ranges from 1 to 7 (7 being the most stringent).

The key point behind the importance of FIPS and CC is that products carrying these validations have been independently evaluated by a qualified and unbiased third party such as NIST or NIAP. This matters for industries outside the military and federal space as well, because validation demonstrates that you are not relying solely on the manufacturer of a product to implement good security practices. The result is the same level of confidence that we expect today from UL and TUV regarding safety requirements. The industrial sector has had very little in the way of third-party validation when it comes to cybersecurity functionality. Only now are we starting to see other cyber validation options emerging, such as UL 2900 and ISASecure. In a world where ICS-related device vulnerabilities are posted daily, these are important standards to look for when securing critical networks.

For the record, CyberFence meets FIPS 140-2 Level 2 and CC EAL 4.

The main takeaway is this: while CyberFence may be newer to the industrial sector, it has been used for critical applications by the US military and government for years and has therefore been through a rigorous third-party validation process. Validation does not guarantee that a device is invulnerable, but it does provide valuable assurance that many of the fundamental security issues critical to industrial OEMs have been addressed through testing.

Some of our OEM partners are even integrating our technology, in the form of our OEM module, into their existing products in order to seamlessly attain our FIPS and CC certifications without further testing or investment. We have found a growing demand for OEM solutions like ours that help manufacturers win opportunities in new critical-industry markets.