Technical Committee (TC) CYBER (cybersecurity) Activity Report 2022

Chair: Alex Leadbeater, BT

Responsible for the standardization of cybersecurity, and for providing a centre of relevant security expertise.

 

The needs for security and privacy are inescapable aspects of our digital lives. Rapid growth in the complexity of new systems and networks, plus the sophistication of changing threats, present demanding challenges to maintain the security of Information and Communications Technologies (ICT) infrastructures.

Security is particularly important to developments in networked systems such as the Internet of Things (IoT) and Industry 4.0. In addition, technologies such as virtualization and cloud computing bring with them specific security threats.

Sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure products and services, and there has been a proliferation of legislation worldwide driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the communications and business we depend on. A trusted centre of expertise, our Cybersecurity Technical Committee (TC CYBER) develops market-driven standardization solutions to meet strategic high-level needs, as well as offering guidance to regulators, users, manufacturers and network operators.

TC CYBER works in close co-operation with numerous international, regional and national organizations and governments involved in cyber security, including the European Cybersecurity Agency (ENISA), CEN, CENELEC, the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). The committee also develops standards for security requirements that are not catered for elsewhere in ETSI.

Originally published in March 2022 and subsequently updated in September, TC CYBER’s ‘Guide to Cyber Security for Consumer Internet of Things’ TR 103 621 augments the committee’s pioneering suite of deliverables on consumer IoT (Internet of Things) security. This new Technical Report serves to help manufacturers and other stakeholders to meet the provisions defined for consumer IoT devices as detailed in existing deliverables EN 303 645 and TS 103 645.

Also published as an output on the committee’s consumer IoT work, TS 103 848 is a new Technical Specification detailing testable security requirements for home gateways. Covering the complete lifecycle from development to decommission and subsequent end-of-life, it considers security aspects of the device architecture in terms of hardware, software, interfaces and data.

Complementing this, TR 103 869 - published in May - presents a security threat analysis on carrier-grade network routers deployed in IP metropolitan area networks (MANs) and IP backbone networks.

Published in January as a Technical Report, TR 103 838 presents a guide to Coordinated Vulnerability Disclosure. Aimed at organizations wishing to implement a vulnerability disclosure process, the guide features examples of policy, action plans and generic advice on responding to a disclosure.

Published in March, TR 103 719 offers a Guide to Identity-Based Cryptography. Providing an overview of the technologies, use-cases, properties for Identity Based Encryption (IBE), a goal of the guide is to allow engineers to develop and adopt IBE solutions, for both encryption and in digital signature applications.

2022 also marked the issue of updates to a number of existing TC CYBER deliverables.

A vital component of modern networks including 5G, middleboxes provide strengthened protection against sophisticated new cyberattacks. However their deployment can raise complex questions around issues of security, privacy and trust. Further expanding the committee’s work on middleboxes, February saw publication of a revision to TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of ETSI’s Middlebox Security Protocol (MSP) – a specification that defines a protocol for fine-grained access control to communications traffic. Allowing endpoint control of entities that can access data for cyber defence purposes and protect against unauthorized access, this allows middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical developments.

The committee meanwhile issued a minor update to the previously published specification TS 102 165-1 titled ‘Methods and protocols; Part 1: Method and pro forma for Threat, Vulnerability, Risk Analysis (TVRA). This

Two parts of CYBER’s multi-part report on Critical Security Controls for Effective Cyber Defence were also updated. Part 1 TR 103 305-1 offers a general introduction to Critical Security Controls, while Part 4 TR 103 305-4 describes CSC facilitation mechanisms.

Quantum Safe Cryptography

Quantum computers pose a major challenge to conventional cryptographic techniques, where information such as bank account details become subject to potential discovery and misuse.

The focus of our CYBER QSC Working Group is on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The group’s work also feeds into other groups and standards bodies such as International Telecommunications Union (ITU), Internet Engineering Task Force (IETF), International Standards Organisation (ISO) and GlobalPlatform.

While CYBER QSC objectives include architecture, implementation and protocols, they do not include the development of cryptographic primitives. This is conducted in academia and other groups who specialize in the area, such as ETSI’s Security Algorithms Group of Experts (SAGE) and the National Institute of Standards and Technology (NIST) in the U.S.

During the year work continued on various deliverables, notably:

  • A Technical Report presenting recommendations on a QSC migration strategy for ITS and C-ITS use cases,
  • An extended CYBER QSC roadmap,
  • Revision to an existing Technical Specification on quantum-safe hybrid key exchanges.

Events

Running over three days in October, the ETSI Security Conference 2022 (previously ETSI Security Week), saw healthy debate on a broad spectrum of cyber-related issues, including EU and Global Cyber Security Regulation, Policy, Security Innovation and Standardization. Topics explored included 5G, AI, the Cyber Security Act (CSA), IoT / connected device security, security in a post-quantum era and Co-ordinated Vulnerability Disclosure (CVD).

Organized as a virtual/hybrid event on 15th March in Brussels by ENISA, CEN, CENELEC and ETSI, the Cybersecurity Standardisation Conference 2022 focused on the theme of ‘European Standardisation in support of the EU cybersecurity legislation’.

 

See the full list of TC CYBER and CYBER QSC Work Items in development here.