Cyber Activity Report 2017
Chairman: Alex Leadbeater, BT
Responsible for the standardization of cyber security and for providing a centre of relevant security expertise
Security lives everywhere, mediating all aspects of our digital lives. The rapid evolution and growth in the complexity of new systems and networks, coupled with the sophistication of changing threats, present demanding challenges for maintaining the security of Information and Communications Technologies (ICT) systems and networks. Security solutions must include a reliable and secure network infrastructure, but they must also protect the privacy of individuals and organizations.
Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the Internet and the communications and business it carries. Our Cyber Security committee (TC CYBER) is addressing many of these issues.
Security is particularly important to new developments based on networked digital systems such as the Internet of Things (IoT), Industry 4.0 and eHealth. For example, each new connected device in the IoT increases the risk of attack. Critical infrastructures can be disrupted through Denial of Service attacks introduced via something as insignificant as a webcam. In addition, virtualization technologies which, in combination with data networking, have enabled Cloud computing, offer numerous benefits, but they also bring with them specific security threats. To counter these threats, it is essential to develop trusted computing platforms.
At the same time, sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure practice by governments and businesses, and there has been a proliferation of legislation worldwide, driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.
ETSI’s Cyber Security committee (TC CYBER) is addressing all of these issues. Working closely with stakeholders, the committee produces standards to meet strategic, high-level needs, and co-ordinates the work of those committees within ETSI which deal with security aspects in their own technical areas. TC CYBER also develops standards itself for security requirements that are not catered for elsewhere in ETSI, and offers security advice and guidance to users, manufacturers and network and infrastructure operators. Its work is well supported by both industry and academia.
In 2017, TC CYBER produced a Technical Report (TR) on the Implementation of the Network and Information Security (NIS) Directive, providing advice on its implementation that lays down measures for a common high level of security of network and information systems across the European Union (EU).
Demand for end-to-end privacy from users presents some major challenges for telecom network operators, accelerated by the advent of 5G mobile, the Internet of Things (IoT), media/application service providers and ‘encrypt everything’ initiatives. This trend is manifested through increasing demand to encrypt traffic between end-points, where application servers interact directly with software clients on users’ devices.
Accordingly, standards activities related to network gateway cyber defence have increased significantly due to an array of business and compliance obligations. A new TR on Network Gateway Cyber Defence gives recommendations on implementing ‘middleboxes’ into boundaries between networks, helping network providers to safeguard against viruses, malware and other threats.
We started work on a four-part Technical Specification (TS) to specify a middlebox security protocol: a protocol to enable trusted, secure communication sessions between network end-points and one or more middleboxes between them using encryption. The specification is intended to facilitate implementation profiles for a wide array of implementations and applications.
We completed and published our reference TR on the Global Cyber Security Ecosystem, a comprehensive overview of cyber security resources including organizations, publications, reference libraries or discussion groups, at the global, regional or national level.
Following the previous year’s publication of our TR on protection measures for ICT in the context of critical infrastructure, in 2017 we began developing a TS defining metrics for the identification and categorization of critical infrastructures.
In response to European Commission (EC) Mandate M/530 on Privacy by Design, we continued work on a TS on mechanisms for privacy assurance and the verification of Personally Identifiable Information together with a TS on identity management and naming schema protection mechanisms that will identify means to prevent identify theft and cybercrime. We also neared completion of a TR providing a practical introductory guide to privacy.
Work progressed on a TS on the application of Attribute- Based Encryption (ABE) for data protection on smart devices, Cloud and mobile services, and a TS which will specify the standard features needed to use ABE as Attribute Based Access Control. These specifications may help in supporting the EU’s General Data Protection Regulation (GDPR).
Work also progressed on a specification for an interface to enable a trusted domain to perform sensitive functions coming from another domain.
We are updating our two-part TS on security methods and protocols, addressing countermeasures and Threat, Vulnerability and Risk Analysis methods. Part 1 was published with delivery of Part 2 to follow in 2018.
TC CYBER works in close co-operation with numerous international, regional and national organizations and governments involved in cyber security including the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO).