Energy Industry Solutions

IEC 62443 - Industrial Control System Security for the Energy Industry

Although initially focused on industrial automation, this set of cybersecurity standards has also been adopted by the energy sector, since it provides a methodology for applying security in operational and field environments for cyber-physical systems. It can be used in conjunction with the ISO/IEC 27000 series (in particular with ISO/IEC 27019 for the energy domain) and with IEC 62351, which provides some security solutions.

For suppliers the requirements are set at the component level:

  • Secure product development lifecycle requirements audit & certification (62443-4-1)
  • Technical security requirements for IACS component evaluation & certification (62443-4-2)

ISO 15408 - Common Criteria for the Energy Industry

Common Criteria is meant to be applicable to any product. The standard provides catalogues of functional requirements, and assurance requirements that specify how a product should be evaluated.
Common Criteria has been applied in the electricity sector in two protection profiles for smart metering. The German national security authority, BSI, has developed a protection profile for smart metering gateways, and ESMIG has developed a protection profile for smart meters.

Common Criteria provides a workable way:

  • to ensure independence of test labs through accreditation
  • to get thorough testing at reasonable costs
  • to ensure repeatable and proven methodology.

SW/HW Cybersecurity - Evaluations for the Energy Industry

The essence of the methodology is to analyze the documentation, and in certain cases the source code, before and during the vulnerability assessment phase of the target. This way a greater set of flaws can be identified and then corrected, because we gain more detailed knowledge of how the target in scope works.

Based on the deficiencies/vulnerabilities found, we perform a “generalization” of the errors, provide recommendations about how to eliminate or correct them, and perform a re-check.

A wide range of services is available:

  • Vulnerability assessment
  • Penetration testing & hardening
  • Security by design & audit
  • Secure code training