
Cybersecurity / network and information security (RP 2023)

 

(A.) Policy and legislation

(A.1) Policy objectives

The EU's Cybersecurity Strategy for the Digital Decade (JOIN/2020/18 final) aims to ensure a global and open Internet with strong guardrails to address the risks to the security and fundamental rights and freedoms of people in Europe. Building on the progress achieved under the previous strategies, it contains concrete proposals for deploying three principal instruments (regulatory, investment and policy instruments) to address three areas of EU action: (1) resilience, technological sovereignty and leadership, (2) building operational capacity to prevent, deter and respond, and (3) advancing a global and open cyberspace. Furthermore, cybersecurity must be integrated into all digital investments, particularly key technologies like Artificial Intelligence (AI), encryption and quantum computing, using incentives, obligations and benchmarks.

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) introduces obligations on companies to manage more firmly the cybersecurity risks and incidents they face across the supply chain. Alongside closer cooperation and capacity building among the Member States and the relevant entities, minimum security requirements and reporting requirements are to be observed. In order to promote a convergent implementation of the cybersecurity risk management and incident notification requirements across the EU, Member States should encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems. The NIS2 Directive also amends the eIDAS Regulation and includes the security requirements for trust services.

The EU Cybersecurity Act (Regulation (EU) 2019/881) established the European Cybersecurity Certification Framework in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes. The European cybersecurity certification framework provides a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle. As also laid down in the mandate provided by the EU Cybersecurity Act, the European Union Agency for Cybersecurity (ENISA) can be requested to prepare candidate EU cybersecurity certification schemes. There is a close linkage between the tasks assigned to ENISA for that purpose and the Rolling Plan for ICT Standardisation.

Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks identifies a series of actions in order to support the development of a Union approach to ensuring the cybersecurity of 5G networks.

As a result of the above mentioned policy initiatives, the European Commission has requested the European Union Agency for Cybersecurity (ENISA) to prepare a candidate EU cybersecurity certification scheme for the certification of ICT products based on Common Criteria (EUCC), of ICT cloud services (EUCS) and the certification of key 5G mobile network components and suppliers' processes (EU5G).

Furthermore, in September 2021 President Ursula von der Leyen in her State of the Union address referred to the Cyber Resilience Act in order to make the European Union more resilient.
The draft Cyber Resilience Act that was available to public consultation in May 2022 aims to establish common cybersecurity standards and essential security requirements for digital products and may require further standardisation.

The AI Act and the revision of the eIDAS Regulation both add to the trust in digital services and may trigger further standardisation activities in support of managing the cybersecurity risks in the building block on data.

The communication setting up ICT standardisation priorities for the DSM refers to cybersecurity as a priority domain for Europe.

Council Resolution on Encryption (EU) 13084/1/20 was adopted in November 2020 to enable the EU to leverage “its tools and regulatory powers to help shape global rules and standards...to enhance the EU's ability to protect itself against cyber threats, to provide for a secure communication environment, especially through quantum encryption, and to ensure access to data for judicial and law enforcement purposes.” The Resolution calls for joining forces with the technology industry in an active discussion, while associating research and academia, to ensure the continued implementation and use of strong encryption technology. It notes the need to develop a regulatory framework across the EU that enables authorities to use their investigative powers, which are subject to proportionality, necessity and judicial oversight under their domestic legislation, while respecting common European values, upholding fundamental rights and preserving the advantages of encryption. Possible solutions should be developed in a transparent manner in cooperation with national and international communication service providers and other relevant stakeholders, using technical solutions and standards.

Today, a substantial part of investigations against all forms of crime and terrorism involve encrypted information. Encryption is essential to the digital world, securing digital systems and transactions. It is an important tool for the protection of cybersecurity and fundamental rights, including freedom of expression, privacy and data protection. At the same time, it can also be used as a secure channel by perpetrators to hide their actions from law enforcement and the judiciary. The Commission will work with Member States to identify possible legal, operational and technical solutions for lawful access, and promote an approach which both maintains the effectiveness of encryption in protecting the privacy and security of communications and provides an effective response to crime and terrorism.

(A.2) EC perspective and progress report

The Communication on ICT standardisation priorities for the digital single market identified as challenges – among others – the increasing reliance of the economy on digital technologies, along with the complexity across the value chain in many of its applications, as well as access rights to standards that call for improved cooperation in the growing ecosystem of existing and emerging standardisation bodies and organisations. The EU Cybersecurity Strategy and Standardisation Strategy emphasise the need to foster broader multi-stakeholder participation and international cooperation in the area of standardisation in support of the resilience of the EU digital single market but also for reaping the benefits from the investments in standardisation and certification. Work towards addressing these challenges is ongoing.

The EU candidate cybersecurity certification schemes EUCC, EUCS (draft) and in particular EU5G (in preparation) exemplify the extensive body of standards used in conformity assessment and certification to improve, and make transparent, the effectiveness of the risk controls pertaining to the use of ICT products, services and processes.

The Communication on ICT standardisation priorities for the digital single market resonates with the past policy instruments mentioned above for the priority domain cybersecurity, the “bedrock of trust and reliability”, with the following focus:

  • A very high quality of cybersecurity, as specified in standards, built into any new technology or service (“security-by-design”) helps to mainstream cybersecurity requirements into ICT products, services and processes, and helps operators to manage their cybersecurity risks out of the box and over the lifecycle by means of the evaluation and certification methodologies employed in EU cybersecurity certification schemes.
  • Communication-enabled distributed digital devices and services in IoT, AI and eIDAS require seamless and interoperable secure authentication and processing across all involved subjects and objects, to enable secure and transparent access to, exchange and processing of data (“protection-by-design”).
  • Harmonised standards for risk and security management and for the notification requirements placed on operators of essential services are the focus of the NIS2 Directive and serve as a basis for encouraging the coherent adoption of standardisation practices across the EU.
  • Collaboration and multi-stakeholder governance remains key in standardisation as stressed in the EU Cybersecurity Strategy and EU Standardisation Strategy.

The specification of essential cybersecurity requirements envisaged in the European Cyber Resilience Act may set the baseline of what European citizens can expect from the digital products, processes and services they use daily. Such standards will complement the EU Cybersecurity Act, under which the preparation of market-driven EU certification schemes has already started.
The Union Rolling Work Programme for European cybersecurity certification will outline further building blocks for the consideration of future cybersecurity certification schemes.

The Cybersecurity certification schemes will support the building blocks of ICT standard setting and will increasingly rely upon standardisation to establish and harmonise the cybersecurity functional and assessment requirements applied to cybersecurity certification.

Assessment and certification of ICT products, services and processes helps consumers make informed decisions and is a means towards technological autonomy. Certification further helps to identify such products and services on the grounds of a solid assessment of the cybersecurity requirements by a proficient evaluator. Transparent standards and specifications for the definition and verification of cybersecurity requirements form the very foundation of the “cybersecurity-by-design-and-default” proposition the European Union aims for, including the continuous monitoring of the threat landscape for the purpose of aftermarket improvements to ICT already sold, and support with threat intelligence to remain resilient in the next wave of cyberattacks.

Further progress in technologies that are currently available to a limited set of users, such as quantum cryptography and artificial intelligence, could open more ways to improve the European Union’s cybersecurity, for instance through the application of quantum cryptography or machine learning respectively.

It is important that all levels of an organisation, particularly the strategic level, business owners and the management board, are aware of the need for standards and frameworks for cybersecurity. Moreover, between organisations that are partners in (vital) online chains, clear agreements will have to be made on the standards applicable to sectors. The need for security to be ensured throughout the lifetime of the ICT product, ICT service or ICT process, by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation, should also be considered in the context of relevant standardisation activities. It is therefore important to carry out an analysis of the existing standards that can mitigate current risks, and to map the current and presumed future risks that still need to be addressed by specific standards.

‘Cybersecurity-by-design-and-default’ as embodied in European policy instruments like certification schemes, as well as the European Union’s move towards resilience over the lifecycle of digital technologies, show the way for standardisation activities. Collaboration at European and international level and broad participation in the multi-stakeholder ecosystem of standardisation further reinforce the European Union’s cybersecurity posture.

The transparency of standards should not stop at the preparation phase but should extend to their accessibility, for wide reception and adoption by the audience concerned. In particular, evaluation methodologies used in certification schemes should be quotable and available in machine-readable format.

(A.3) References
  • JOIN/2020/18 final – Joint Communication The EU's Cybersecurity Strategy for the Digital Decade
  • JOIN(2017) 450 final Joint Communication on Resilience, Deterrence and Defence: Building strong cybersecurity for the EU
  • JOIN(2013) 1 final Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).
  • Commission Recommendation (EU) 2019/553 of 3 April 2019 on cybersecurity in the energy sector (notified under document C(2019) 2400)
  • Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast)
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
  • Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union
  • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the EU (NIS Directive)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to personal data processing and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
  • Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises - C/2017/6100
  • Commission Recommendation (EU) 2019/534 of 26 March 2019 on the Cybersecurity of 5G networks - C/2019/2335
  • COM(2016)176 ICT Standardisation Priorities for the Digital Single Market
  • COM(2015)192 A Digital single market strategy for Europe
  • COM(2017)228 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy - A Connected Digital Single Market for All and accompanying Staff Working Document SWD(2017)155
  • Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures (01/2020)
  • COM/2020/795 Communication on A Counter-Terrorism Agenda for the EU: Anticipate, Prevent, Protect, Respond
  • COM/2021/206 Final Proposal For A Regulation Of The European Parliament And Of The Council Laying Down Harmonised Rules On Artificial Intelligence (Artificial Intelligence Act) And Amending Certain Union Legislative Acts
  • COM(2022) 454 final Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
  • Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

(B.) Requested actions

Action 1: SDOs to develop standards and sectorial specifications for critical infrastructure protection in support of, and responding to, the requirements anticipated in the reviewed NIS2 Directive. Foster the application of the EN 62443 series (based on the IEC 62443 series) for the firm establishment of EU regulatory requirements for operational technology (OT) security, including critical infrastructures.

Action 2: SDOs to assess the content of existing standards and specifications applied under the European Cybersecurity Certification Framework in order to revise existing documents or create new standards. It should be ensured that these standards are made available gradually and in a timely manner to support any certification activity, particularly as the preparation and implementation of certification schemes on Common Criteria (EUCC), cloud services (EUCS) and 5G (EU5G) has come under the remit of ENISA. In particular, SDOs are encouraged to develop and harmonise standards related to the specification and assessment of security properties in ICT products and services (including cloud services), standards related to security in the processes of design, development, delivery and maintenance of an ICT product or service, and methodologies concerning assurance levels for industry sectors.

Action 3: SDOs to investigate and prepare harmonised evaluation methodologies of cybersecurity risks, controls and interfaces as required by EU policy instruments such as the Certification Framework of the EU Cybersecurity Act, the Cyber Resilience Act and others for their horizontal application into trusted products such as semiconductors, the European Digital Identity Wallet, and other digital technologies.

Action 4: SDOs to assess areas and options for the preparation and implementation of European cybersecurity policy, in particular the essential cybersecurity requirements relevant to the digital products and ancillary services referred to in the Cyber Resilience Act, but also those of relevance to complement the instruments related to the Machinery Directive, the Radio Equipment Directive or the machine learning component of the AI Act.

Action 5: SDOs to investigate requirements for secure and interoperable communication protocols for mobile and fixed networks of distributed devices and services that may in addition rely upon limited resources and interfaces. Requirements should address relevant mechanisms for authenticating, registering and processing user identities seamlessly across devices, services and applications.

Action 6: SDOs to investigate the availability of standards and specifications, in general or for business sectors, as regards the requirements for risk management across the supply chain and incident notification for operators of essential services, in anticipation of the NIS2 Directive and in support of possible other pieces of EU law, including certification schemes as defined in the Cybersecurity Act.

Action 7: SDOs to assess gaps and develop standards on the cybersecurity of consumer products in support of possible certification schemes established under the European Cybersecurity Act and in support of other possible instruments of EU law.

Action 8: SDOs to explore options for the composition and matching of assurance statements as issued under the Certification Framework of the Cybersecurity Act also in conjunction to the provisions of related EU policy instruments like the Cyber Resilience Act, the NIS2 Directive or the new eIDAS regulation.

Action 9: SDOs should foster or establish cooperation with the European Cybersecurity Competence Centre in order to facilitate the uptake of the results of current research and of outputs from the funding programmes Horizon Europe and Digital Europe.

Action 10: SDOs to assess gaps and develop standards in support of trust services under the NIS2 Directive and other possible instruments of EU law.

(C.) Activities and additional information 

(C.1) Related standardisation activities
CEN & CENELEC

CEN-CLC/JTC 13 'Cybersecurity and Data Protection' focuses on Information Technology (IT) and develops European standards for data protection, information protection and security techniques, including: organisational frameworks and methodologies; IT management systems; data protection and privacy guidelines; process and product evaluation schemes; ICT security and physical security technical guidelines; smart technology, objects, distributed computing devices and data services. The ISO/IEC 27000 standards, the Common Criteria for Information Technology Security Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Security Evaluation ISO/IEC 18045 are adopted as European Standards by this Joint Technical Committee.

CLC/TC 65X 'Industrial-process measurement, control and automation' coordinates the preparation of European Standards for industrial process measurement, control and automation (e.g. EN IEC 62443-4-1 Security for industrial automation and control systems – Secure product development lifecycle requirements). The EN IEC 62443 series address Operational Technology (OT) found in industrial and critical infrastructure, including but not restricted to power utilities, water management systems, healthcare and transport systems. These are sectorial standards, which can also be applied across many technical areas.

Cybersecurity standards are also being developed in several vertical sectors, for example: CEN/TC 301 'Road Vehicles', CEN/TC 377 'Air-traffic management', CLC/TC 9X 'Electrical and electronic applications for railways', CLC/TC 57 'Power systems management and associated information exchange', CEN-CLC/JTC 19 'Blockchain and Distributed Ledger Technologies', CEN/TC 224 'Personal identification and related personal devices', CLC/TC 45AX 'Instrumentation, control and electrical power systems of nuclear facilities'. 

ETSI

TC CYBER is the ETSI centre of expertise for cybersecurity and produces standards for the cybersecurity ecosystem, consumer IoT/devices, protection of personal data and communication, network security, cybersecurity tools and guides, and in support of EU legislation (GDPR, CSA, RED, NIS/NIS2) (details in the CYBER Roadmap). TC CYBER work already supports Actions 2, 4 and 7 with EN 303 645 and complementary deliverables on consumer IoT devices, and Action 2 with TS 103 732, a protection profile for consumer mobile devices that is being submitted for certification against the Common Criteria to assist manufacturers in the security certification of their products (TC CYBER publications and TC CYBER work programme).

TC CYBER QSC works on quantum-safe cryptography with a focus on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. Work covers the migration towards a post-quantum world (TR 103 619), extending that knowledge to other sectors to assist in migration (e.g. for ITS in the development of DTR/CYBER-QSC-0018), and the specification of quantum-safe hybrid key exchanges.

ISG QKD (Quantum Key Distribution) works to support the industrialisation of QKD technology to secure ICT networks.
Its publications cover requirements for security proofs of QKD protocols and authentication, precise characterisation of QKD modules and components, and approaches to integrate QKD into networks. The work considers the security of system implementations and aims to assist the certification of QKD systems using the Common Criteria.

ISG MEC (Multi-access Edge Computing):  led the publication of a White Paper on “MEC security: Status of standards support and future evolutions” written by several authors participating in ETSI ISG MEC, ETSI ISG NFV SEC and ETSI TC CYBER. The work identified aspects of security where the nature of edge computing leaves typical industry approaches to cloud security insufficient. As a follow-up, the MEC group started a related study on MEC Security in (ETSI GR MEC041).

ETSI also works on other specific security topics including the security of mobile communications including the 5G network equipment security assurance specifications (3GPP SA3), network functions virtualisation (ETSI NFV ISG), intelligent transport systems (ITS WG5), digital enhanced cordless telecommunications (DECT™), M2M/IoT communications (oneM2M published standards, latest drafts), reconfigurable radio systems (RRS WG3), IPv6 based secure internet protocol best practices, IPv4 sunsetting guidelines (ETSI ISG IPE) and emergency telecommunications (including terrestrial trunked radio (TETRA)), secure element technologies (TC SET) and electronic signatures and trust service providers with a set of standards for the certification of trust services TC ESI (ESI activities).

More recently ISG ETI (Encrypted Traffic Integration) has been expanding development of the Zero Trust Architecture to address the problems cited in ETSI GR ETI 001.

IEC         

Technical Committee IEC/TC 65 'Industrial-process measurement, control and automation' develops International Standards for systems and elements used for industrial-process measurement and control concerning continuous and batch processes.

Working Group IEC/TC 65/WG 10 'Security for industrial process measurement and control - network and system security' is responsible for the IEC 62443 series on Industrial communication networks, which addresses the prevention of illegal or unwanted penetration, intentional or unintentional interference with the proper and intended operation, or inappropriate access to confidential information in industrial automation and control systems.

IEC 62443-4-2:2019 'Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components' was published in 2019 and IEC 62443-3-2:2020 'Security for industrial automation and control systems - Part 3-2: Security risk assessment and system design' was published in 2020. The publication of International Standard IEC 62443-2-1 (edition 2) 'Security for industrial automation and control systems - Part 2-1: Security program requirements for IACS asset owners' is expected in 2021.

In Europe, IEC/TC 65 is mirrored by CLC/TC 65X 'Industrial-process measurement, control and automation'. This CENELEC standardisation work is carried out for equipment and systems, and closely coordinated with IEC/TC 65.

Technical Committee IEC/TC 57 'Power systems management and associated information exchange' is responsible for the IEC 62351 standards series 'Power systems management and associated information exchange - Data and communications security'. The different security objectives of this series include authentication of data transfer through digital signatures, ensuring only authenticated access, prevention of eavesdropping, prevention of playback and spoofing, and intrusion detection.

IECEE/ICAB        

Conformity Assessment (CA) is any activity, which results in determining whether a product or other object corresponds to the requirements contained in a standard or specification. The IEC runs four CA systems, each of which operates Schemes based on third-party conformity assessment certification. They establish that a product is reliable and meets expectations in terms of performance, safety, efficiency, durability, etc. This is especially crucial for Cybersecurity.

IECEE, the IEC system for Conformity Assessment Schemes for Electrotechnical Equipment and Components, which issues internationally recognized certification on Cybersecurity, operates the CB scheme, facilitating cooperation among accepted National Certification Bodies (NCBs) worldwide. NCBs perform market surveillance functions, which ensure that the overall production line is constantly compliant with the initial testing/certification.

The IECEE Full Certification Scheme is an extension of the IECEE CB Scheme in which initial and/or periodic surveillance of production is performed. The Scheme provides evidence that each certified product offers the same quality/safety level as the type-tested sample.

The CAB (Conformity Assessment Board) is responsible for setting the IEC's conformity assessment policy, promoting and maintaining relations with international organizations on conformity assessment matters.

OASIS

The OASIS Cyber Threat Intelligence (CTI) TC defines a set of information representations and protocols to support automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis. The Structured Threat Information eXpression (STIX) language provides a common set of descriptors for security threats and events. The Trusted Automated Exchange of Indicator Information (TAXII) specification provides common message exchange patterns.
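To make the STIX object model concrete, the following added example (it is not code from the OASIS CTI TC or from this page) builds a small STIX 2.1 bundle as plain dicts and runs the structural checks a consumer would apply before ingesting content received over TAXII: required common and type-specific properties, the '<type>--<uuid>' identifier form, RFC 3339 UTC timestamps, and relationship references that resolve. The indicator, malware family and all UUIDs are constructed for illustration.

```python
"""Minimal STIX 2.1 bundle: build it and check it before ingestion.

Added example (not code from the OASIS CTI TC or from this page): three objects
built as plain dicts following the STIX 2.1 object model, plus the structural
checks a consumer would run before importing a bundle from a TAXII feed.
All object contents and UUIDs are constructed here.
"""
import re

# STIX identifiers are '<type>--<uuid>'.
STIX_ID = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# STIX timestamps are RFC 3339 in UTC with a trailing 'Z'.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Properties every STIX Domain Object and Relationship Object must carry.
REQUIRED_COMMON = ("type", "spec_version", "id", "created", "modified")
# Type-specific required properties for the object types used below.
REQUIRED_BY_TYPE = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def build_sample_bundle():
    """Constructed sample: an indicator for a C2 domain that 'indicates' a malware family."""
    ts = "2023-01-15T10:00:00.000Z"
    indicator = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",  # constructed UUID
        "created": ts,
        "modified": ts,
        "name": "Constructed C2 domain indicator",
        "indicator_types": ["malicious-activity"],
        "pattern": "[domain-name:value = 'c2.example.invalid']",
        "pattern_type": "stix",
        "valid_from": ts,
    }
    malware = {
        "type": "malware",
        "spec_version": "2.1",
        "id": "malware--31b940d4-6f7f-459a-80ea-9c1f17b5891b",  # constructed UUID
        "created": ts,
        "modified": ts,
        "name": "ExampleLoader (constructed)",
        "is_family": True,
    }
    relationship = {
        "type": "relationship",
        "spec_version": "2.1",
        "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",  # constructed UUID
        "created": ts,
        "modified": ts,
        "relationship_type": "indicates",
        "source_ref": indicator["id"],
        "target_ref": malware["id"],
    }
    return {
        "type": "bundle",
        "id": "bundle--5d0092c5-5f74-4f0f-a9a9-9a7c8ad4a1b0",  # constructed UUID
        "objects": [indicator, malware, relationship],
    }


def validate_bundle(bundle):
    """Return a list of problems found; an empty list means the bundle passed."""
    problems = []
    if bundle.get("type") != "bundle" or not STIX_ID.match(bundle.get("id", "")):
        problems.append("bundle: missing or malformed type/id")
    objects = bundle.get("objects", [])
    ids = {obj.get("id") for obj in objects}
    for obj in objects:
        oid = obj.get("id", "<no id>")
        otype = obj.get("type", "")
        for prop in REQUIRED_COMMON + REQUIRED_BY_TYPE.get(otype, ()):
            if prop not in obj:
                problems.append(f"{oid}: missing required property '{prop}'")
        if not STIX_ID.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"{oid}: id is not of the form '<type>--<uuid>'")
        if obj.get("spec_version") != "2.1":
            problems.append(f"{oid}: spec_version must be '2.1'")
        for prop in ("created", "modified", "valid_from"):
            if prop in obj and not TIMESTAMP.match(str(obj[prop])):
                problems.append(f"{oid}: {prop} is not an RFC 3339 UTC timestamp")
        created, modified = str(obj.get("created", "")), str(obj.get("modified", ""))
        if TIMESTAMP.match(created) and TIMESTAMP.match(modified) and modified < created:
            problems.append(f"{oid}: modified precedes created")
        # Relationship references must resolve; here they must point inside the bundle.
        if otype == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{oid}: {ref} {obj.get(ref)!r} does not resolve within the bundle")
    return problems


def tampered_bundle():
    """Same bundle with a missing pattern and a dangling reference, to show the checks firing."""
    bundle = build_sample_bundle()
    del bundle["objects"][0]["pattern"]
    bundle["objects"][2]["target_ref"] = "malware--00000000-0000-4000-8000-000000000000"
    return bundle
```

`validate_bundle(build_sample_bundle())` returns an empty list, while `validate_bundle(tampered_bundle())` reports the missing `pattern` and the dangling `target_ref`. The reference check is deliberately strict (references must resolve inside the bundle); a production consumer would instead resolve them against its own object store, since STIX producers may legitimately reference objects shipped earlier.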

The OASIS Open Command and Control (OpenC2) TC provides a suite of specifications to administer command and control of cyber defence functions distributed across multiple systems. A JSON Abstract Data Notation (JADN) Version 1.0 specification was published in August 2021.

The Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity TC provides a standard to describe the prevention, mitigation, and remediation steps in a course of action “playbooks” in a structured machine-readable format that can be shared across organizational boundaries and technology solutions. CACAO Security Playbooks v1.0 specification was published in January 2021.

The OASIS Common Security Advisory Framework (CSAF) TC provides standard structured machine-readable formats for security vulnerability-related advisories based on existing industry practice. The TC delivered the CSAF Common Vulnerability Reporting Framework (CVRF) V1.2 in 2017 and released Common Security Advisory Framework Version 2.0 for review in August 2021.
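The part of CSAF that practitioners most often trip over is the indirection between the product tree and the vulnerability entries: a vulnerability never names a product directly, it lists product_ids from product_status, and those ids are defined by walking the nested branches of product_tree. The following added example (not code from the OASIS CSAF TC or from this page) embeds a constructed CSAF 2.0 advisory with placeholder vendor, products, tracking id and vulnerability, and shows how a consumer resolves the ids, answers "which of my products still need action?", pulls the applicable remediation, and catches product_ids that are referenced but never defined.

```python
"""Consume a CSAF 2.0 advisory: which products are affected, and what is the fix?

Added example (not code from the OASIS CSAF TC or from this page). The advisory
below is constructed for illustration: vendor, product names, product_ids,
tracking id and the vulnerability are placeholders, not a real advisory.
"""

SAMPLE_ADVISORY = {
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor (constructed)",
                      "namespace": "https://example.invalid"},
        "title": "Constructed example advisory",
        "tracking": {
            "id": "EXV-2023-0001",  # constructed placeholder identifier
            "status": "final",
            "version": "1",
            "initial_release_date": "2023-03-01T00:00:00Z",
            "current_release_date": "2023-03-01T00:00:00Z",
            "revision_history": [{"number": "1", "date": "2023-03-01T00:00:00Z",
                                  "summary": "Initial release"}],
        },
    },
    # Nested branches end in a 'product' whose product_id vulnerabilities refer to.
    "product_tree": {
        "branches": [{
            "category": "vendor", "name": "Example Vendor", "branches": [{
                "category": "product_name", "name": "Gateway", "branches": [
                    {"category": "product_version", "name": "1.0",
                     "product": {"name": "Gateway 1.0", "product_id": "GW-1.0"}},
                    {"category": "product_version", "name": "1.1",
                     "product": {"name": "Gateway 1.1", "product_id": "GW-1.1"}},
                ]}]}],
    },
    "vulnerabilities": [{
        "title": "Constructed placeholder vulnerability in the management interface",
        "product_status": {"known_affected": ["GW-1.0"], "fixed": ["GW-1.1"]},
        "remediations": [{"category": "vendor_fix",
                          "details": "Upgrade to Gateway 1.1",
                          "product_ids": ["GW-1.0"]}],
    }],
}

# product_status keys that mean "work to do" (as opposed to fixed / known_not_affected).
NEEDS_ACTION = ("known_affected", "under_investigation", "first_affected", "last_affected")


def collect_products(product_tree):
    """Map product_id -> product name by walking the branch tree and full_product_names."""
    found = {}

    def walk(branch):
        if "product" in branch:
            found[branch["product"]["product_id"]] = branch["product"]["name"]
        for child in branch.get("branches", []):
            walk(child)

    for branch in product_tree.get("branches", []):
        walk(branch)
    for fpn in product_tree.get("full_product_names", []):
        found[fpn["product_id"]] = fpn["name"]
    return found


def affected_products(advisory):
    """Return {product_id: [vulnerability titles]} for products that still need action."""
    result = {}
    for vuln in advisory.get("vulnerabilities", []):
        title = vuln.get("title") or vuln.get("cve") or "<untitled>"
        for status in NEEDS_ACTION:
            for pid in vuln.get("product_status", {}).get(status, []):
                result.setdefault(pid, []).append(title)
    return result


def remediations_for(advisory, product_id):
    """List (category, details) remediation pairs that apply to one product_id."""
    out = []
    for vuln in advisory.get("vulnerabilities", []):
        for rem in vuln.get("remediations", []):
            if product_id in rem.get("product_ids", []):
                out.append((rem["category"], rem["details"]))
    return out


def check_tree_consistency(advisory):
    """Every product_id referenced by a vulnerability must be defined in product_tree."""
    known = collect_products(advisory.get("product_tree", {}))
    dangling = set()
    for vuln in advisory.get("vulnerabilities", []):
        for ids in vuln.get("product_status", {}).values():
            dangling.update(pid for pid in ids if pid not in known)
        for rem in vuln.get("remediations", []):
            dangling.update(pid for pid in rem.get("product_ids", []) if pid not in known)
    return sorted(dangling)
```

Running `affected_products(SAMPLE_ADVISORY)` yields only `GW-1.0`, and `remediations_for(SAMPLE_ADVISORY, "GW-1.0")` returns the vendor fix; `check_tree_consistency` returns an empty list for the sample and should be run on any advisory before trusting its product_status, since a dangling id silently drops a product from the affected set.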

The OASIS Threat Actor Context (TAC) TC establishes a common knowledge framework that enables semantic interoperability of threat actor contextual information. This framework allows organizations to strategically correlate and analyze attack data, which could lead to a better understanding of their adversary's goals, capabilities, and trends in targeting and techniques. Updated versions 2.1 of STIX and TAXII were published by the CTI TC in June 2021.

The Open Cybersecurity Alliance OASIS Open Project aims to bring together vendors and end users in an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. The OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures.

ISO/IEC JTC 1

Technical Committee ISO/IEC JTC 1/SC 27 'Information security, cybersecurity and privacy protection' produces the International Standards for the protection of electronic information assets and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

    • Security requirements capture methodology;
    • Management of information and ICT security; in particular information security management systems, security processes, and security controls and services;
    • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
    • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
    • Security aspects of identity management, biometrics and privacy;
    • Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
    • Security evaluation criteria and methodology.

Included in the 198 published International Standards are the ISO 27000 Information Security Management Standards series as well as the Common Criteria for Information Technology Evaluation ISO/IEC 15408 and the Common Methodology for Information Technology Evaluation ISO/IEC 18045. 

http://www.iso.org/iso/iso_technical_committee?commid=45306

ITU-T

ITU-T SG2 developed a new Supplement on Countering Spoofing (E.sup.spoofing to E.157). Its purpose is not the development of anti-fraud and identity verification platforms, but rather it provides information that could assist in implementing measures to counter spoofing. It should be noted that Calling Party Number authentication mechanisms are not a global solution against fraud or spoofing, the study of which is covered in various technical standardization bodies.
https://www.itu.int/ITU-T/workprog/wp_item.aspx?isn=15044

ITU-T SG17 (Security) develops globally harmonized standards on telecommunication and information security, application security, cyberspace security, identity management and authentication, and data security including privacy-preserving technologies such as de-identification and multi-party computation. On application security, ITU-T SG17 works specifically on software defined networking, cloud computing, intelligent transport systems, distributed ledger technologies, quantum key distribution networks etc. Nearly 300 ITU-T Recommendations have been developed, including the security Recommendations under the ITU-T X-series.

More info: http://itu.int/ITU-T/go/tsg17

http://www.itu.int/ITU-T/recommendations/index_sg.aspx?sg=17

ITU-T SG20 under question Q6/20 studies aspects related to Security, privacy, trust and identification for IoT and SC&C. ITU-T SG20 approved Recommendation ITU-T Y.4805 “Identifier service requirements for the interoperability of Smart City applications”, Recommendation ITU-T Y.4459 “Digital entity architecture framework for IoT interoperability”, Recommendation ITU-T Y.4807 “Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things”, Recommendation ITU-T Y.4808 “Digital entity architecture framework to combat counterfeiting in IoT”, Recommendation ITU-T Y.4809 “Unified IoT Identifiers for intelligent transport systems”, Recommendation ITU-T Y.4810 “Requirements of data security for the heterogeneous IoT devices” and Recommendation ITU-T Y.4811 “Reference framework of converged service for identification and authentication for IoT devices in decentralized environment”.

ITU-T SG20 determined draft Recommendation ITU-T Y.4500.3 “oneM2M – Security solutions” (Y.oneM2M.SEC.SOL), and is working on draft Recommendation “Framework of identification and connectivity of moving devices in smart city” (Y.FW.IC.MDSC), draft Recommendation “Framework of IoT-devices authentication in smart city” (Y.IoT-Ath-SC), draft Recommendation “Identity of IoT devices based on secure procedures to enhance trust of IoT systems” (Y.IoT-IoD-PT) and draft Recommendation “Reference framework of cybersecurity risk management of IoT ecosystems on smart cities” (Y.IoT-Smartcity-Risk).

More info: https://itu.int/go/tsg20

ITU-T SG11 focuses on the security of existing protocols, including revision of the SS7 stack and its impact on digital financial services (DFS). Following the Member States' demands on dealing with the spoofing of calling party numbers, SG11 revised ITU-T Q.731.3, which specifies an exceptional procedure for a transit exchange connected to CPE (Customer Premises Equipment) with the purpose of providing a predefined calling party number by the originating operator. ITU-T SG11 assumes that all calling party numbers delivered in the telecommunications network should be generated or verified by an operator. The security of existing signalling protocols is the cornerstone of the trust between a financing entity and its customer, as the ICT network is used to provide access to customers’ bank accounts.

In this regard, SG11 approved ITU-T Q.3057 “Signalling requirements and architecture for interconnection between trustable network entities” and consented two new draft Recommendations ITU-T Q.3062 “Signalling procedures and protocols for enabling interconnection between trustable network entities in support of existing and emerging networks” and ITU-T Q.3063 “Signalling procedures of calling line identification authentication”. This series of Recommendations describes the use of digital signature (digital certificates) in the signalling exchange which may guarantee the trustworthiness of the sender.

SG11 also approved Technical Report QSTR-SS7-DFS “SS7 vulnerabilities and mitigation measures for digital financial services transactions” and Technical Report QSTR-USSD (2021) “Low resource requirement, quantum resistant, encryption of USSD messages for use in financial services”.

SG11 organized a series of events on signalling security.

More info: https://itu.int/go/SIG-SECURITY

ITU-T SG13 is carrying out work on trust in telecommunications.

W3C

W3C runs several groups in the area of Security:

    • Web Cryptography working group, which is defining an API that lets developers implement secure application protocols for web applications, including message confidentiality and authentication services, by exposing trusted cryptographic primitives from the browser.
    • Web Application Security "WebAppSec" working group, which is developing standards to ensure that web applications are delivered free from spoofing, injection, and eavesdropping.
    • Hardware-based secure services community group, which analyses use-cases where browser (and web application)'s developers could benefit from secure services in the field of cryptographic operation, citizen identity and payment to native applications.
    • Web Bluetooth community group, which is developing a specification for Bluetooth APIs to allow websites to communicate with devices in a secure and privacy-preserving way.
    • Web NFC community group, which is creating a near field communication API that is browser-friendly and adheres to the web's security model.

https://www.w3.org/Security

IEEE

IEEE has standardisation activities in the cybersecurity/network and information security space and also addresses anti-malware technologies, encryption, fixed and removable storage, and hard copy devices, as well as applications of these technologies for smart grids or in healthcare.
The ‘Security in Storage’ Working Group of the Cybersecurity & Privacy Standards Committee standardizes cryptographic and data authentication procedures for storage devices. IEEE 1619.2, for example, specifies an architecture for encryption of data in random access storage devices. In June 2020 P2883 was approved to specify methods of sanitizing logical storage and physical storage as well as providing technology-specific requirements and guidance for the elimination of recorded data.

For securing wired LANs, WG 802.1 of the IEEE LAN/MAN Standards Committee has developed the IEEE 802.1AE standard, which defines a Layer 2 security protocol called Media Access Control Security (MACsec) that provides point-to-point security on Ethernet links between nodes.
IEEE actively develops security standards for healthcare and medical devices as well as wearables. The ‘Personal Health Device’ Working Group develops IEEE 11073-40101 to define processes for vulnerability assessment as part of the medical device interoperability series of standards. The ‘Healthcare Device Security Assurance’ Working Group develops a family of standards for wirelessly connected diabetes devices (P2621.x).

A new standards project focuses on authentication: IEEE P2989 – Standard for Authentication in Multi-Server Environment.

IEEE 1609.2.1 specifies certificate management protocols to support provisioning and management of digital certificates to end entities, that is, an actor that uses digital certificates to authorize application activities, according to IEEE Std 1609.2(TM).

IEEE SA is taking a holistic view on cybersecurity and initiated several critical pre-standardisation Industry Connections programs in this area:

  • IC20-011 IoT Ecosystem Security
  • IC20-021 Meta Issues in Cybersecurity
  • IC21-001 Cybersecurity in Agile Cloud Computing

A new area of work focused on “Human Augmentation” is also working on issues such as security, privacy and identity: IEEE P2049.2 - Standard for Human Augmentation: Privacy and Security and IEEE P2049.3 - Standard for Human Augmentation: Identity.

The IEEE Computer Society AI Standards committee is working on IEEE P2986 - Recommended Practice for Privacy and Security for Federated Machine Learning. 

The ‘Privacy and Security Architecture for Consumer Wireless Devices’ Working Group standardizes a privacy and security architecture for wireless consumer devices (P1912).
For more information visit https://ieeesa.io/eu-rolling-plan

IETF

The following IETF WGs are active in this area:

There are many situations in which it is desirable to transfer a copy of a digital credential to another person. For example, a private car owner may want to provide access to their vehicle to a friend or a family member. A private homeowner may want to provide access to their home to their cat sitter. An individual staying at a hotel may want to transfer a copy of a hotel room key to their spouse. Today, no such standardized method exists in a cross-platform, credential type-agnostic capacity. The Transfer dIGital cREdentialS Securely (tigress) Working Group will standardize a protocol that will facilitate such credential transfers from one person's device to another person's device.

The Managed Incident Lightweight Exchange (MILE) WG develops standards to support computer and network security incident management. The WG is focused on two areas: IODEF (Incident Object Description Exchange Format, RFC5070), the data format and extensions to represent incident and indicator data, and RID (Real-time Inter-network Defense, RFC6545), the policy and transport for structured data.

The Security Automation and Continuous Monitoring (SACM) WG worked on standardising protocols to collect, verify, and update system security configurations in a way that allows a high degree of automation. This facilitates securing information and the systems that store, process, and transmit that information. The focus of the WG was the assessment of network endpoint compliance with security policies, so that corrective measures can be applied before endpoints are exposed to threats.

The aim of the DDoS Open Threat Signalling (DOTS) WG is to develop a standards-based approach for the real-time signalling of DDoS-related telemetry and threat handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation.

The goal of the Interface to Network Security Functions (I2NSF) WG is to define a set of software interfaces and data models for controlling and monitoring aspects of physical and virtual NSFs. A Network Security Function (NSF) is a function used to ensure integrity, confidentiality, or availability of network communications, to detect unwanted network activity, or to block or at least mitigate the effects of unwanted activity. The hosted, or cloud-based, security service is especially attractive to small and medium-sized enterprises, which suffer from a lack of security experts to continuously monitor networks, acquire new skills and propose immediate mitigations to ever increasing sets of security attacks.

The full list of IETF Working Groups in the Security Area is available here: https://datatracker.ietf.org/wg/#sec

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#NISec

3GPP

SA WG3 is responsible for security and privacy in 3GPP systems, determining the security and privacy requirements, and specifying the security architectures and protocols. The WG also ensures the availability of cryptographic algorithms which need to be part of the specifications.

http://www.3gpp.org/specifications-groups/sa-plenary/sa3-security

ECMA

Secure ECMAScript (SES) is a runtime environment for running ECMAScript (JavaScript) strict-mode code under object-capability (ocap) rules. ECMA Technical Committee TC39 maintains and updates the general purpose, cross platform, vendor-neutral programming language ECMAScript (JavaScript).

oneM2M

oneM2M’s architecture defines a common middleware technology in a horizontal layer between devices and communications networks and IoT applications. This standardizes secure links between connected devices, gateways, communications networks and cloud infrastructure. The oneM2M SDS – System Design and Security working group is also responsible for security and privacy. The following non-exhaustive list highlights some specifications which define and describe security features in oneM2M:

  • TS-0001 Functional Architecture
  • TS-0003 Security Solutions
  • TS-0016 Secure Environment Abstraction
  • TS-0032 MAF and MEF Interface Specification (MAF = M2M Authentication Framework; MEF = M2M Enrolment Function)

ITU-T SG20 transposed oneM2M specifications in their Y.450x series. See also Y.oneM2M.SEC.SOL.

All specifications are openly accessible at https://www.onem2m.org/technical.

(C.2) Other activities related to standardisation

ECSO

The European Cyber Security Organisation (ECSO) represents the contractual counterpart to the European Commission for the implementation of the Cyber Security contractual Public-Private Partnership (cPPP).

WG1 focuses on standardisation, certification, labelling and supply chain management.

https://www.ecs-org.eu/

ECSO WG1 has published the State of the Art Syllabus (SOTA) (December 2017), which lists all standards and specifications related to cyber security. The SOTA document gives a good overview of cyber security standards, initiatives and certification schemes, both at the European and international level (including national elements), for assessment and certification of items.

https://www.ecs-org.eu/documents/uploads/updated-sota.pdf

OIDF

Risk and incident sharing and coordination working group [RISC]

RISC (chartered 2015) provides data sharing schemas, privacy recommendations and protocols to share information about important security events in order to thwart attackers from using compromised accounts with one service provider to gain access with other service providers. RISC focuses on peer to peer sharing of information related to the state of individual accounts. 

http://openid.net/wg/risc/charter/

NIST

NIST has started work in several areas, with active documents and two reports already published that provide guidance on critical security controls and security by default for products and services. Other areas of work include critical infrastructure protection, privacy matters and cybersecurity issues.

Cyber-Physical Systems for Global Cities Project http://www.nist.gov/el/smartgrid/cpsforglobalcities.cfm

Cybersecurity for Smart Grid Systems http://www.nist.gov/el/smartgrid/cybersg.cfm

Cybersecurity for Smart Manufacturing Systems http://www.nist.gov/el/isd/cs/csms.cfm

National Institute of Standards and Technology Initiates Development of New Cybersecurity http://www.nist.gov/itl/cybersecurity-framework-021313.cfm

Reference Architecture for Cyber-Physical Systems Project Framework http://www.nist.gov/el/smartgrid/cpsarchitecture.cfm

Cyber Security PPP

The cPPP will be instrumental in structuring and coordinating digital security industrial resources in Europe.

https://ec.europa.eu/digital-single-market/en/cybersecurity-industry

(C.3) Additional information

The Danish business community is developing a prototype for a data ethics and cybersecurity seal for companies. The seal will create transparency for consumers and help ambitious companies gain a competitive advantage. The seal is expected to be launched by the end of 2020.

In the Netherlands, the national government has selected a group of security specifications for its comply-or-explain policy (e.g. DNSSEC, DKIM, TLS, SPF, DMARC, STARTTLS, DANE, RPKI), and is actively using various adoption strategies to get the specifications implemented. An effective tool that was developed to drive adoption is the website www.internet.nl (available in English). Organisations and individuals can easily test whether websites offer support for modern Internet specifications, and the code is open source.

Also in the Netherlands, a method to help improve secure software lifecycle management, including software development, was developed under the title Secure Software Framework (SSF). The framework is applied by software developers in innovative projects, where security of software is of the utmost importance. The framework was published by the Secure Software Alliance (SSA), a public-private program in which developers of software, end users, professional bodies, institutes for research and education and the Dutch Ministry of Economic Affairs and Climate cooperate to promote secure software and connect initiatives in this area. The SSF is part of the Roadmap for Digital Hard- and Software Security of the Ministry of Economic Affairs and Climate.

In September 2020 in the Netherlands, a public-private coalition called the Online Trust Coalition (OTC) was launched, with the purpose of providing an unambiguous, efficient method for cloud service providers to demonstrate that their services are reliable and secure, and, by doing so, to help implement the relevant laws and regulations (e.g. the EU Cybersecurity Act).

In Germany, the Federal Office for Information Security (BSI) bases several national cyber-security standards (concerning both critical infrastructures and SMEs) on the ISO/IEC EN 270xx family, and the Federal Network Agency (BNetzA) mandates the use of ISO/IEC 27019 (with a few additional requirements in the national IT Security Catalogue) for grid network operators, with mandatory certification.

In Spain, the National Security Framework (ENS), updated in May 2022, is based on current information security and cybersecurity standards. The ENS promotes the procurement, under the principle of proportionality, of those products and services which have certified security functionality, considering the availability in the near future of the EUCC and the EUCS. In addition, in the ENS, the protection of cloud services also refers to the requirement of security certification in view of the coming EUCS.

ENISA and the European Computer Security Incident Response Team (CSIRT) community have jointly set up a task force with the goal of reaching a consensus on a ‘Reference Security Incident Classification Taxonomy’. Following a discussion among the CSIRT community during the ‘51st TF-CSIRT meeting’ (15 May 2017 in The Hague, Netherlands), it was concluded that there is an urgent need for a taxonomy list and name that serves as a fixed reference for everyone. This is where the so-called ‘Reference Incident Classification Taxonomy Task Force’ comes into play. The aim of this task force is to enable the CSIRT community to reach a consensus on a universal reference taxonomy. Additionally, the task force covers the following objectives:

  • Develop a reference document
  • Define and develop an update and versioning mechanism
  • Host the reference document
  • Organise regular physical meetings with stakeholders

The ENISA NCSS Interactive Map lists all the documents of National Cyber Security Strategies in the EU: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national-cyber-security-strategies-interactive-map