Assurance security

Providing security can be achieved in many ways. It can take the form of company processes, security management, infrastructure components, users’ education, etc. Cybersecurity’s state of the art identifies many threats and almost as many potential solutions to counter them. However, one major difficulty is that it is often unclear how to know if the current security state of a system is adapted to its environment.

Cyber-security is not one monolithic challenge identical for every system in the world. Companies or individuals cannot all simply apply the exact same solutions to obtain the exact same  demonstrated results. When it comes to assess that one’s system security is adapted, it’s easy to be lacking proper proofs or justifications.

The activity to demonstrate that a product or a system meets its security requirements is called security assurance. Security assurance has been a challenge for the last three decades. This problem is the composition of three sub problems consisting in identifying (i) what must be evaluated (which product, version, function, threats, …) (ii) how should it be evaluated (review development
processes, product architecture, code, guides, external interfaces, internal interfaces, …) (iii) required competences and recognition for the evaluation (evaluation authority in charge of supervising the evaluation, expertise to run the tests, provision of the test environment, capability to produces required inputs, etc.). Those three problems are generally characterized by the following three

  • The Security Target (ST).
  • The assurance components.
  • The evaluation schemes.

Security evaluation is a difficult problem and would probably remain so due to systems complexity and rapid changes.

International context

Requiring cybersecurity certification is not something common. It is rarely requested and only in cases where very high security is expected, like military context or critical infrastructures (administrations, power plants, transport systems, etc.). Those certification requirements are then mainly local and defined by national agencies and only one assurance scheme is recognized by several countries, the Common Criteria (ISO 15 408) and mostly in Europe.

At the European level, cybersecurity certification has been very rarely required by the legislation. Only recently the European commission has defined its “Cyber Security Act” (officially published in 2019). This act covers the definition of certification schemes to be developed voluntarily sectors by sectors but does not directly enforce any certifications.

More specifically in the automotive domain, very few requirements exist yet even if the need for security assessment has been clearly identified by all the actors private or public. To our knowledge the only deployment subject to certification (Common Criteria certification) is the EU C-ITS deployments through the European C-ITS Certificate Policy and Policy. Meanwhile, the UN / WP.29 –
World Forum for Harmonization of Vehicle Regulations has defined the UN-155 Regulation on Vehicle Cyber Security which do not require cybersecurity certification of products within vehicle. Mostly the domain is covered by indirect requirements coming from more general regulations such as the General Data Protection Regulation (EU) 2016/679 or the NIS Directive (Network and
Information Security) UE 2016/1148 and they all require the developers or the system owners of the deployed product to assess themselves through best practices any security property.

In such a context it can be difficult to know how exactly one can guarantee the security provided to the end user.

Cityscape solution

Oppida has defined a dedicated approach that provides efficient and adapted assurance for multimodal systems, based on the project risk analysis. We defined evaluation tasks for the different stakeholders of the system at the different lifecycle stages (functional tests, offline penetration testing, operational penetration testing, operational configuration review, etc.). To defining those
adapted assurance tasks, we analysed two different factors. The first one we discussed was the level of risk faced by such system and the second one was the cost of assurance assessment.

Assurance is expensive and existing high assurance level evaluations are not affordable for a complete large and complex systems. That’s why we evaluated these parameters in the CitySCAPE context and identified a balance between the following elements: (i) Level of risks faced by each component, (ii) Complexity of the global system that requires assurance and associated assurance cost, (iii) Pre-existing developers’ quality and assurance processes in the industrial domain.

The assurance activities we proposed in the deliverable were inspired by the CC assurance ones and CSPN ones (full reference given in the deliverable). CitySCAPE assurance activities for critical component have the same objectives as CC ones but we relaxed many of the CC constraints in terms of format and evaluation requirements, to obtain lighter evaluation tasks still providing good


Oppida is a French company of the APPAVE group. It benefits from more than 20 years in cyber-security of Information and Communication Technologies (ICT). Its expertise covers all cybersecurity aspects of IT software (network, OS, web, etc.) and security products (VPN, firewall, PKI, signature modules, disk encryption, secure storage, etc.). Among other things Oppida is a notified ITSEF for Common Criteria (CC) evaluation, making its expertise internationally recognized ( and it is the oldest French software
ITSEF. Oppida has performed over a hundred security evaluation.