
CYBERSECURITY / NETWORK AND INFORMATION SECURITY

(A.) Policy and legislation

(A.1) Policy objectives

The EU’s Cybersecurity Strategy for the Digital Decade (JOIN/2020/18 final) aims to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. Following the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments (regulatory, investment and policy instruments) to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Furthermore, cybersecurity must be integrated into all digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks.

The NIS Directive (Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union) introduces obligations on companies to appropriately manage the cybersecurity risks they face and to notify cybersecurity incidents to the competent authorities. In order to promote a convergent implementation of cybersecurity risk-management and incident-notification requirements across the EU, Member States should encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems.

The EU Cybersecurity Act (Regulation (EU) 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. The framework provides a mechanism to establish European cybersecurity certification schemes and to attest that ICT products, ICT services and ICT processes evaluated in accordance with such schemes comply with specified security requirements, for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the functions or services offered by or accessible via those products, services and processes, throughout their life cycle.

Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions in order to support the development of a Union approach to ensuring the cybersecurity of 5G networks.

The communication setting up ICT standardisation priorities for the DSM refers to cybersecurity as a priority domain for Europe.

The European Electronic Communications Code (Directive (EU) 2018/1972) provides for the possibility to require that providers make calling line identification (CLI) available free of charge. Directive 2002/58/EC (the ePrivacy Directive) safeguards the privacy of users by giving them the means to protect their right to privacy where calling line identification is implemented.

Calling/Caller ID spoofing is a technique where the information displayed in the CLI field is manipulated with the intention of deceiving the called party into thinking that the call originated from another person, entity or location. It is very often used by fraudsters, who exploit the inherent trust that end-users place in the integrity of CLI information to facilitate scams. Some operators use CLI spoofing for illegal rerouting/arbitrage schemes (e.g. presenting non-EU-originated traffic as roaming traffic). Manipulation of CLI can also be part of a legitimate activity (for example a call centre presenting a single published number), which adds complexity to this issue.

(A.2) EC perspective and progress report

The Communication on ICT standardisation priorities for the digital single market proposes actions on cybersecurity, considered as priority domain for Europe:

  • For security and notification requirements for operators of essential services, the focus will be on establishing a number of reference standards and/or specifications relevant to network and information security, including, where relevant, harmonised standards, to serve as a basis for encouraging the coherent adoption of standardisation practices across the EU.
  • For security and notification requirements for digital service providers, in line with the objectives of the Digital Single Market strategy, the Directive aims to establish a harmonised set of requirements so that providers can expect similar rules wherever they operate in the EU.

It is important that all levels of an organisation, particularly the strategic level and the management board, are aware of the need for standards and frameworks for cybersecurity. Moreover, between organisations that are partners in (vital) online chains, clear agreements will have to be made on the different standards. In general, organisations, manufacturers or providers involved in the design and development of ICT products, ICT services or ICT processes are encouraged to implement appropriate measures at the earliest stages of design and development to protect the security of those products, services and processes to the highest possible degree, in such a way that the occurrence of cyberattacks is presumed and their impact is anticipated and minimised (‘security-by-design’). As the security-by-design principle is also becoming a legal obligation in certain sectors, there is a need to build on the existing measures to reach a common and agreed level of protection which will enable future technological developments. The need for security to be ensured throughout the lifetime of the ICT product, ICT service or ICT process, by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation, should also be considered in the context of relevant standardisation activities. It is therefore important to analyse the existing standards that can mitigate the current risks and to map the current and presumed future risks that still need to be addressed by specific standards.

CLI spoofing as such is a persistent problem that has been observed for a long time but is difficult to quantify. It may be more frequent in IP networks and in the case of international calls (to bypass termination rates and to take advantage of the roaming regulation). Illegitimate CLI spoofing is to the detriment of all parties: end-users, providers and regulators. There is no standardised solution to CLI spoofing in Europe. Some countries are working on national solutions, but this may result in fragmentation of the market if the solutions are not interoperable. CLI spoofing should be looked into from the European perspective. Possible solutions should be analysed having regard to the specificities of the European markets and rules, concerning e.g. privacy. Lack of a common European approach may result in European operators being forced to adopt a reactive approach and implement solutions not designed for the conditions in which they operate.

The evolution of technologies such as quantum could provide further ways to improve cybersecurity, e.g. through the application of quantum cryptography.

(A.3) References
  • Joint Communication: The EU’s Cybersecurity Strategy for the Digital Decade, JOIN/2020/18 final, 16/12/2020
  • Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU, JOIN(2017) 450 final, 13.9.2017
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises - C/2017/6100
  • Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks - C/2019/2335
  • COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
  • COM(2015)192 A Digital single market strategy for Europe
  • COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy - A Connected Digital Single Market for All and accompanying Staff Working Document SWD(2017)155
  • Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures (01/2020) https://ec.europa.eu/digital-single-market/en/news/cybersecurity-5g-networks-eu-toolbox-risk-mitigating-measures
  • Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace — JOIN(2013) 1 final — 7/2/2013
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

(B.) Requested actions

Action 1 SDOs to develop standards for critical infrastructure protection and thus in support of and responding to the requirements laid down in the NIS Directive.

Action 2 SDOs to assess existing standards required to support the European Cyber-security Certification Framework to ensure that standards are available for providing the core of any certification activity. In particular, SDOs are encouraged to work on standards related to the specification and assessment of security properties in ICT products and services as well as those related to security in processes related to the design, development, delivery and maintenance of an ICT product or service.

Action 3 SDOs to investigate the issue of malware on personal computers. ENISA (the European Union Agency for Cybersecurity) has concluded that many personal computers contain malware that can monitor (financial) transactions. As we are becoming increasingly dependent on eBusiness and e-transactions, a European initiative should investigate this topic.

Action 4 SDOs to investigate requirements for secure protocols for networks of highly constrained devices and heavily constrained protocol interaction (low bandwidth, ultra-short session duration (50 ms), low processing capabilities).

Action 5 SDOs to investigate the availability of standards as regards to the security and incident notification requirements for digital service providers as defined in the NIS Directive and in support of possible other pieces of EU law.

Action 6 SDOs to develop a “guided” version of the ISO/IEC 270xx series (information security management systems, including specific activity domains) specifically addressed to SMEs, possibly coordinating with ISO/IEC JTC 1/SC 27/WG 1 to extend the existing guidance laid out in ISO/IEC 27003. This guidance should be 100% compatible with ISO/IEC 270xx and help SMEs to apply it in practice, including in scarce-resource and scarce-competence scenarios.

Action 7 SDOs to assess gaps and develop standards on cybersecurity of consumer products in support of possible certification schemes completed under the European Cybersecurity Act and in support of possible other pieces of EU law.

Action 8 SDOs to prepare a report on measures to mitigate, prevent and/or detect CLI spoofing. The report should address the technical, operational, standardisation and cost aspects of the different possible solutions (STIR/SHAKEN, blockchain, Solid, etc.) from the European perspective. It should also consider how such solutions could be deployed and managed at the European level.

(C.) Activities and additional information  

(C.1) Related standardisation activities
CEN and CENELEC

CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices and data services. The ISO/IEC 27000 series standards are adopted as European Standards by this Joint Technical Committee.

CLC/TC 65X ‘Industrial-process measurement, control and automation’ coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series address Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectorial standards, which can also be applied across many technical areas.

Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 ‘Road Vehicles’, CEN/TC 377 ‘Air-traffic management’, CLC/TC 9X ‘Electrical and electronic applications for railways’, CLC/TC 57 ‘Power systems management and associated information exchange’, CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’, CEN/TC 224 ‘Personal identification and related personal devices’, CLC/TC 45AX ‘Instrumentation, control and electrical power systems of nuclear facilities’. 

ETSI

TC CYBER leads the ETSI work on security and is recognised as a major trusted centre of expertise offering market-driven cybersecurity standardisation solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. TC CYBER works closely with stakeholders to develop standards that increase privacy and security for organisations and citizens across Europe and worldwide.

TC CYBER produces standards across a range of topics, including the first globally applicable standard on the security of the consumer Internet of Things (EN 303 645, published in June 2020), security and evaluation requirements for consumer mobile devices (including 5G devices), network security (the Middlebox Security Protocol TS 103 523 series, to create the next generation of security-focused proxies), and cryptography for access control and personally identifying information (Attribute-Based Encryption, TS 103 458 and TS 103 532).

TC CYBER QSC (Quantum-Safe Cryptography) works on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. Work covers the migration towards a post-quantum world (TR 103 619) and the specification of quantum-safe hybrid key exchanges (see the TC CYBER publications and TC CYBER work programme).

ISG QKD (Quantum Key Distribution): works to support the industrialisation of QKD technology to secure ICT networks. Its publications and work programme cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. Work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria.

ETSI also works on other specific security topics including the security of mobile communications including the 5G network equipment security assurance specifications (3GPP SA3), network functions virtualisation (ETSI NFV ISG), intelligent transport systems (ITS WG5), digital enhanced cordless telecommunications (DECT™), M2M/IoT communications (oneM2M published standards, latest drafts), reconfigurable radio systems (RRS WG3) and emergency telecommunications (including terrestrial trunked radio (TETRA)), smart cards and secure elements (TC SCP) and electronic signatures and trust service providers with a set of standards for the certification of trust services TC ESI (ESI activities).

IEC

Technical Committee IEC/TC 65 ‘Industrial-process measurement, control and automation’ develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.

Working Group IEC/TC 65/WG 10 ‘Security for industrial process measurement and control - network and system security’ is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.

IEC 62443-4-2:2019 ‘Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components’ was published in 2019 and IEC 62443-3-2:2020 ‘Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design’ was published in 2020. The publication of International Standard IEC 62443-2-1 (edition 2) ‘Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners’ is expected in 2021.

In Europe, IEC/TC 65 is mirrored by CLC/TC 65X ‘Industrial-process measurement, control and automation’. This CENELEC standardisation work is carried out for equipment and systems, and closely coordinated with IEC/TC 65.

Technical Committee IEC/TC 57 ‘Power systems management and associated information exchange’ is responsible for the IEC 62351 standards series ‘Power systems management and associated information exchange - Data and communications security’. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IECEE/ICAB

Conformity Assessment (CA) is any activity which results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for cybersecurity.

IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.

The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme, where initial and/or periodic surveillance of production is performed. The Scheme provides the evidence that each certified product offers the same quality/safety level as type-tested sample.

The CAB (Conformity Assessment Board) is responsible for setting the IEC’s conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.

OASIS

The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Indicator Information (TAXII) specification provides common message exchange patterns.

The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions distributed across multiple systems.

The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation, and remediation steps in a course of action “playbooks” in a structured machine-readable format that can be shared across organizational boundaries and technology solutions.

The OASIS Common Security Advisory Framework (CSAF) TC provides standard structured machine-readable formats for security vulnerability-related advisories based on existing industry practice.

The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organizations to strategically correlate and analyze attack data, which could lead to a better understanding of their adversary’s goals, capabilities, and trends in targeting and techniques.

The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.

ISO/IEC JTC 1

Technical Committee ISO/IEC JTC 1/SC 27 ‘Information security, cybersecurity and privacy protection’ produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  • Security requirements capture methodology;
  • Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
  • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
  • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
  • Security aspects of identity management, biometrics and privacy;
  • Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
  • Security evaluation criteria and methodology.

Included in the 198 published International Standards are the ISO 27000 Information Security Management Standards series. http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

ITU-T SG2 is currently developing a new Supplement on Countering Spoofing (E.sup.spoofing to E.157). Its purpose is not the development of anti-fraud and identity verification platforms, but rather it provides information that could assist in implementing measures to counter spoofing. It should be noted that Calling Party Number authentication mechanisms are not a global solution against fraud or spoofing, the study of which is covered in various technical standardisation bodies. https://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=15044

ITU-T SG17 (Security) develops globally harmonized standards on telecommunication and information security, application security, cyberspace security, identity management and authentication. On application security, currently ITU-T SG17 works specifically on software defined networking, cloud computing, intelligent transport systems, distributed ledger technologies, quantum key distribution networks etc. Nearly 300 ITU-T Recommendations have been developed including the security Recommendations under the ITU-T X-series.

More info: http://itu.int/ITU-T/go/tsg17

http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

ITU-T SG20, under Question Q6/20, studies aspects related to security, privacy, trust and identification for IoT and SC&C (Smart Cities and Communities). In August 2017 it approved Recommendation ITU-T Y.4805 “Identifier service requirements for the interoperability of Smart City applications”. Currently, SG20 is working on a draft Recommendation “Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things” (Y.IoT-Agility).

More info: http://itu.int/ITU-T/go/tsg20

ITU-T SG11 focuses on security of existing protocols including revision of SS7 stack and their impact on digital financial services (DFS). Following the Member States’ demands on dealing with the spoofing of calling party number, SG11 revised ITU-T Q.731.3, which specifies an exceptional procedure for transit exchange connected to CPE (Customer Premises Equipment) with the purpose of providing predefined calling party number by the originating operator. ITU-T SG11 assumes that all calling party numbers delivered in the telecommunications network should be generated or verified by an operator. The security of existing signalling protocols is the cornerstone of the trust between financing entity and its customer as ICT network is used to provide access to customers’ bank accounts.

In this regard, SG11 approved ITU-T Q.3057 “Signalling requirements and architecture for interconnection between trustable network entities” and a Technical Report QSTR-SS7-DFS “SS7 vulnerabilities and mitigation measures for digital financial services transactions”. Also SG11 organized a “Brainstorming session on SS7 vulnerabilities and the impact on different industries including digital financial services” (Geneva, 22 October 2019) https://www.itu.int/en/ITU-T/Workshops-and-Seminars/102019/Pages/default.aspx

More info: http://itu.int/ITU-T/go/tsg11

ITU-T SG13 is carrying out work on trust in telecommunications and safe quantum communication. It approved Recommendation ITU-T Y.3800 “Framework for networks supporting Quantum Key Distribution” (QKDN) and has 10 open work items on this topic. Recommendation ITU-T Y.3053 Amd1 “Framework of trustworthy networking with trust-centric network domains” was also approved, and there are six ongoing work items on this topic. See the dedicated flipbook “Trust in ICT”: https://www.itu.int/en/publications/Documents/tsb/2017-Trust-in-ICT-2017/mobile/index.html

More info: http://itu.int/ITU-T/go/tsg13

The ITU-T Focus Group Digital Financial Services delivered a technical report on the Security Aspects of Digital Financial Services which provided recommendations on security best practices for DFS providers to reduce the threats and vulnerabilities to digital financial services applications. https://www.itu.int/en/ITU-T/studygroups/2017-2020/09/Documents/ITU_FGDFS_SecurityReport.pdf

Following the completion of the activities of the  ITU-T Focus Group Digital Financial Services in 2017, the ITU established the Security, Infrastructure and Trust Working Group under the Financial Inclusion Global Initiative (a joint programme of the ITU, World Bank and Bank for International Settlements and supported by the Gates Foundation). The Security, Infrastructure and Trust Working Group has three workstreams (out of 4) focusing in particular on the security aspects of DFS: App and Infrastructure Security, Distributed Ledger Technologies Security and Trust.

More information on the technical reports produced by the Security, Infrastructure and Trust Working Group for each of the above workstreams are available on its website: https://www.itu.int/en/ITU-T/extcoop/figisymposium/Pages/FIGISITWG.aspx

W3C

W3C runs several groups in the area of security:

  • Web Cryptography working group, which is defining an API that lets developers implement secure application protocols for web applications, including message confidentiality and authentication services, by exposing trusted cryptographic primitives from the browser.
  • Web Application Security “WebAppSec” working group, which is developing standards to ensure that web applications are delivered free from spoofing, injection, and eavesdropping.
  • Hardware-based secure services community group, which analyses use-cases where browser (and web application)’s developers could benefit from secure services in the field of cryptographic operation, citizen identity and payment to native applications.
  • Web bluetooth community group, which is developing a specification for bluetooth APIs to allow websites to communicate with devices in a secure and privacy-preserving way.
  • Web NFC community group, which is creating a near field communication API that is browser-friendly and adheres to the web’s security model.

https://www.w3.org/Security

IEEE

IEEE has standardisation activities in the cybersecurity/network and information security space and also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or in healthcare. The ‘Security in Storage’ Working Group of the Cybersecurity & Privacy Standards Committee standardizes cryptographic and data authentication procedures for storage devices. IEEE 1619.2, for example, specifies an architecture for encryption of data in random access storage devices. In June 2020 P2883 was approved to specify methods of sanitizing logical storage and physical storage as well as providing technology-specific requirements and guidance for the elimination of recorded data.

For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Media Access Control Security (MACsec) that provides point-to-point security on Ethernet links between nodes. IEEE actively develops security standards for healthcare and medical devices as well as wearables. The ‘Personal Health Device’ Working Group develops IEEE 11073-40101 to define processes for vulnerability assessment as part of the medical device interoperability series of standards. The ‘Healthcare Device Security Assurance’ Working Group develops a family of standards for wirelessly connected diabetes devices (P2621.x).

The ‘Privacy and Security Architecture for Consumer Wireless Devices’ Working Group standardizes a privacy and security architecture for wireless consumer devices (P1912). For more information visit https://ieeesa.io/rp-nis

IETF

The following IETF WGs are active in this area:

The Managed Incident Lightweight Exchange (MILE) WG develops standards to support computer and network security incident management. The WG focuses on two areas: IODEF (Incident Object Description Exchange Format, RFC 5070, revised as IODEF version 2 in RFC 7970), the data format and extensions to represent incident and indicator data, and RID (Real-time Inter-network Defense, RFC 6545), the policy and transport for structured data.

The Security Automation and Continuous Monitoring (SACM) WG is standardising protocols to collect, verify and update system security configurations with a high degree of automation. This facilitates securing information and the systems that store, process and transmit it. The focus of the WG is the assessment of network endpoints’ compliance with security policies, so that corrective measures can be applied before the endpoints are exposed to the threats those policies address.

The aim of the DDoS Open Threat Signalling (DOTS) WG is to develop a standards-based approach for the real-time signalling of DDoS-related telemetry and threat-handling requests and data between elements concerned with DDoS attack detection, classification, traceback and mitigation.

The goal of the Interface to Network Security Functions (I2NSF) WG is to define a set of software interfaces and data models for controlling and monitoring physical and virtual Network Security Functions (NSFs). An NSF is a function used to ensure the integrity, confidentiality or availability of network communications, to detect unwanted network activity, or to block or at least mitigate the effects of such activity. Hosted, or cloud-based, security services are especially attractive to small and medium-sized enterprises, which often lack the security experts needed to continuously monitor networks, acquire new skills and propose immediate mitigations to an ever-increasing set of attacks.

The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg/#sec

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#NISec

3GPP

SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications. http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security

ECMA

Secure ECMAScript (SES) is a runtime environment for running ECMAScript (JavaScript) strict-mode code under object-capability (ocap) rules, so that a piece of code can only act on the objects it has explicitly been given references to. ECMA Technical Committee TC39 maintains and updates the general-purpose, cross-platform, vendor-neutral programming language ECMAScript (JavaScript).

Other activities related to standardisation

ECSO

The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).

WG1 focuses on standardisation, certification, labelling and supply chain management.

https://www.ecs-org.eu/

ECSO WG1 has published the State of the Art Syllabus (SOTA) (December 2017), which lists all standards and specifications related to cyber security. The SOTA document gives a good overview of cyber security standards, initiatives and certification schemes, both at the European and international level (including national elements), for assessment and certification of items. https://www.ecs-org.eu/documents/uploads/updated-sota.pdf

OIDF

Risk and incident sharing and coordination working group [RISC]

RISC (chartered 2015) provides data-sharing schemas, privacy recommendations and protocols for sharing information about important security events, in order to prevent attackers from using an account compromised at one service provider to gain access at other service providers. RISC focuses on peer-to-peer sharing of information related to the state of individual accounts. http://openid.net/wg/risc/charter/

NIST

NIST is active in several areas. Two reports already published provide guidance on critical security controls and on security by default for products and services. Other areas of work include critical infrastructure protection, privacy and broader cybersecurity issues.

Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm

Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm

Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm

National Institute of Standards and Technology Initiates Development of New Cybersecurity Framework http://www.nist.gov/itl/cybersecurity-framework-021313.cfm

Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm

Cyber Security PPP

The cPPP will be instrumental in structuring and coordinating digital security industrial resources in Europe.

https://ec.europa.eu/digital-single-market/en/cybersecurity-industry

(C.2) additional information

The Danish business community is developing a prototype for a data ethics and cybersecurity seal for companies. The seal will create transparency for consumers and help ambitious companies gain a competitive advantage. The seal is expected to be launched by the end of 2020.

In the Netherlands, the national government has selected a group of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI), and is actively using various adoption strategies to get the specifications implemented. An effective tool developed to drive adoption is the website www.internet.nl (available in English). Organisations and individuals can easily test whether websites and mail domains support these modern Internet standards, and the code is open source.
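The SPF and DMARC items on that list are where a domain most often passes a "present" check yet still allows spoofing. The following added example (not internet.nl's own code, which queries live DNS) implements the kind of offline policy check such a tool performs: it reads a domain's SPF and `_dmarc` TXT records and flags the weak settings a comply-or-explain reviewer would ask an organisation to explain. The records and domain names are constructed, and a dictionary stands in for DNS.

```python
"""Offline checks of SPF and DMARC records for the weak settings that a
comply-or-explain policy would flag.  Added example: the records below are
constructed, and the dict stands in for live DNS TXT lookups."""

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10
# per evaluation, after which receivers return permerror.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

SAMPLE_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s"],
    "soft.example": ["v=spf1 mx a ptr ~all"],
    "_dmarc.soft.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@soft.example"],
    "weak.example": ["v=spf1 +all", "v=spf1 mx ~all"],   # two SPF records is itself a permerror
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def check_spf(txt_records):
    """Return (severity, message) findings for the SPF record among TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [("fail", "no SPF record published")]
    if len(spf) > 1:
        return [("fail", "multiple SPF records; receivers evaluate this as permerror")]
    findings, lookups, all_qualifier = [], 0, None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("warn", "ptr mechanism is deprecated; replace with ip4/ip6"))
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(("fail", f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)"))
    if all_qualifier is None:
        findings.append(("warn", "no 'all' mechanism; unlisted senders evaluate to neutral"))
    elif all_qualifier == "+":
        findings.append(("fail", "'+all' authorises every host on the Internet to send as you"))
    elif all_qualifier in "~?":
        findings.append(("warn", f"'{all_qualifier}all' does not reject unauthorised senders"))
    return findings


def check_dmarc(txt_records):
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("fail", "no DMARC record published")]
    if len(dmarc) > 1:
        return [("fail", "multiple DMARC records; receivers ignore all of them")]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append(("fail", "missing required 'p' tag; record is invalid"))
    elif policy == "none":
        findings.append(("warn", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("info", "p=quarantine; move to p=reject once reports are clean"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address; aggregate reports are not received"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("warn", f"pct={pct}: policy applied to part of the mail only"))
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append(("info", "relaxed alignment (the default); strict is tighter"))
    return findings


def assess_domain(domain, txt_lookup):
    """Combine SPF and DMARC findings; returns ('pass'|'warn'|'fail', findings)."""
    findings = [("spf",) + f for f in check_spf(txt_lookup.get(domain, []))]
    findings += [("dmarc",) + f for f in check_dmarc(txt_lookup.get(f"_dmarc.{domain}", []))]
    severities = {s for _, s, _ in findings}
    verdict = "fail" if "fail" in severities else "warn" if "warn" in severities else "pass"
    return verdict, findings


if __name__ == "__main__":
    for domain in ("example.org", "soft.example", "weak.example"):
        verdict, findings = assess_domain(domain, SAMPLE_TXT)
        print(domain, verdict)
        for source, severity, message in findings:
            print(f"  [{severity}] {source}: {message}")
```

Against live DNS the same functions can be fed the TXT answers for `domain` and `_dmarc.domain`; the checks themselves stay offline, which is what makes them usable in a CI gate for an organisation's own zones.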

Also in the Netherlands, a method to help improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects, where security of software is of the utmost importance. The framework was published by the Secure Software Alliance (SSA), a public-private program in which developers of software, end users, professional bodies, institutes for research and education and the Dutch Ministry of Economic Affairs and Climate cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Roadmap for Digital Hard- and Software Security of the Ministry of Economic Affairs and Climate.

In September 2020 in the Netherlands, a public-private coalition called the Online Trust Coalition (OTC) was launched, with the purpose of providing an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure, and in doing so to help implement the relevant laws and regulations (e.g. the EU Cybersecurity Act).

In Germany, the Federal Office for Information Security (BSI) bases several national cyber-security standards, concerning both critical infrastructures and SMEs, on the ISO/IEC 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security Catalogue) for grid network operators, with mandatory certification.

ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’. Following a discussion among the CSIRT community during the ‘51st TF-CSIRT meeting’ (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is the role of the ‘Reference Incident Classification Taxonomy Task Force’. The aim of this task force is to enable the CSIRT community to reach a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:

  • Develop a reference document
  • Define and develop an update and versioning mechanism
  • Host the reference document
  • Organise regular physical meetings with stakeholders

The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU:  https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map