Common Criteria and ISA/IEC 62443 Comparison - Which is right for your company?
Many international frameworks define security requirements and best practices. Widely used examples include the NIST Cybersecurity Framework, PCI DSS, ISO/SAE 21434 and ISO/IEC 27001. Two others matter particularly for the evaluation and certification of products and systems: ISA/IEC 62443 (Industrial Communication Networks, Network and System Security) and ISO/IEC 15408, the Common Criteria for Information Technology Security Evaluation (Common Criteria). As ISA/IEC 62443 rapidly gains momentum, many security professionals wonder whether they should move from Common Criteria to ISA/IEC 62443, or use both.
Whichever framework they choose will shape their company's ability to develop and execute an efficient, cost-effective and sustainable security strategy.
How do you choose the right security framework for your company? Let’s begin by exploring the key elements of each framework.
The Common Criteria framework
The Common Criteria framework as we know it today grew out of standards developed in the 1980s and early 1990s (the U.S. TCSEC, or "Orange Book", and the European ITSEC) to set requirements for products purchased by government agencies for civil and military applications. Although its focus continues to be defense and government deployments, Common Criteria has been adopted for many other product classes, including integrated circuits, smart cards, hardware security modules, network devices and security software. Efforts are now under way to adapt Common Criteria to cloud deployments and to the evaluation of whole systems rather than single products.
A Common Criteria evaluation is defined by a security target that states what the product (the target of evaluation, or TOE) must do, expressed as security functional requirements (SFRs), and how rigorously the evaluator must test, audit or inspect it, expressed as security assurance requirements (SARs). SARs are grouped into seven evaluation assurance levels, EAL1 through EAL7; higher levels demand more design evidence, more independent testing and a more thorough vulnerability analysis. Licensed evaluation laboratories carry out the evaluation according to ISO/IEC 18045, the Common Methodology for Information Technology Security Evaluation (CEM).
Common Criteria operates through national certification bodies (schemes) linked by a mutual recognition agreement, the Common Criteria Recognition Arrangement (CCRA). The testing part of each scheme is typically performed by private, licensed testing laboratories. Historically, protection profiles (PPs) written for individual government agencies' needs led to requirements that were highly specific to one application and had limited cross-border usability.
Over time, however, the CCRA has eased these restrictions and driven broad mutual recognition of certified IT products across its member countries. Although each country runs its own certification process, the CCRA (since its 2014 revision) recognizes certificates issued against a collaborative protection profile (cPP), which international technical communities develop for commercial off-the-shelf product types, and otherwise recognizes certificates only up to EAL2 (augmented with flaw remediation, ALC_FLR). Evaluating different products against the same cPP produces more consistent, comparable results even at these lower assurance levels.
The ISA/IEC 62443 framework
ISA/IEC 62443 comprises 14 substandards and technical reports, organized in four groups (general, policies and procedures, system, and component), that define requirements and processes for implementing and maintaining secure industrial automation and control systems (IACSs). This holistic framework goes beyond product certification to cover systems, operations and services such as system integration and maintenance. It also addresses security programs and information security management systems (ISMSs) for operational technology (OT) (62443-2-1), the capabilities of service providers (62443-2-4), risk assessment and security levels for OT environments (62443-3-2 and 62443-3-3) and the secure development lifecycle and technical requirements for components (62443-4-1 and 62443-4-2). System and component requirements are tiered into four security levels, SL 1 through SL 4, according to the capability of the adversary they are meant to resist, from casual misuse up to sophisticated attackers with extended resources.
Cybersecurity professionals can perform conformity assessments against ISA/IEC 62443 substandards under three categories of scheme: IECEE CB certification, the ISASecure™ certification program operated by the ISA Security Compliance Institute, and proprietary schemes run by individual certification bodies.
IECEE and ISASecure™ each provide mutual recognition within their own program: a test report or certificate issued by one participating certification body is accepted by the other participating bodies for further testing, assessment and certification, so a supplier does not have to repeat the same evaluation for each market.
Comparison of Common Criteria and ISA/IEC 62443
While the two frameworks overlap, they differ meaningfully in policies, procedures, metrics, the range of security levels (EAL1 to EAL7 in Common Criteria versus SL 1 to SL 4 in ISA/IEC 62443) and the associated assessment methodologies. Common Criteria was designed primarily for high-security needs, such as public-sector and military systems, and evaluates a single product against its security target; ISA/IEC 62443 was designed for industrial applications and, beyond the product, also certifies the processes of the organizations that develop, integrate and operate the system.
Looking for deeper insight into Common Criteria and ISA/IEC 62443 frameworks’ similarities and differences to help you determine the right choice for your company? In our technical report, UL Solutions experts provide a comprehensive comparative analysis of ISA/IEC 62443 and Common Criteria to support informed decision-making and strategy planning and help companies decide if one or both frameworks best suit their business needs.