Technical Committee (TC) CYBER (cybersecurity) Activity Report 2021

Chair: Alex Leadbeater, BT

Responsible for the standardization of cybersecurity, and for providing a centre of relevant security expertise.

The needs for security and privacy are inescapable aspects of our digital lives. Rapid growth in the complexity of new systems and networks, plus the sophistication of changing threats, present demanding challenges to maintain the security of Information and Communications Technologies (ICT) infrastructures.

Security is particularly important to developments in networked systems such as the Internet of Things (IoT) and Industry 4.0. In addition, technologies such as virtualization and cloud computing bring with them specific security threats.

Sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure products and services, and there has been a proliferation of legislation worldwide driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the communications and business we depend on. A trusted centre of expertise, our Cybersecurity Technical Committee (TC CYBER) develops market-driven standardization solutions to meet strategic high-level needs, as well as offering guidance to regulators, users, manufacturers and network operators.

TC CYBER works in close co-operation with numerous international, regional and national organizations and governments involved in cyber security, including the European Cybersecurity Agency (ENISA), CEN, CENELEC, the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). The committee also develops standards for security requirements that are not catered for elsewhere in ETSI.

Published in August 2021, TS 103 701 augments TC CYBER’s pioneering suite of deliverables on consumer IoT (Internet of Things) security. Titled ‘Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements’, the Technical Specification details test scenarios for assessing cybersecurity of consumer IoT products against the provisions of EN 303 645/TS 103 645 – ETSI’s world-leading consumer IoT security standard. By describing how a conformity assessment is performed in a structured and comprehensive way, this allows supplier organizations – such as manufacturers, vendors or distributors – to assess compliance of their devices against ETSI EN 303 645 through self-assessment or via testing labs. The specification is intended for use with the EN in creating IoT assurance schemes. It will also be used as input into future work on IoT assurance schemes under the EU Cybersecurity Act and Radio Equipment Directive (RED).

The committee’s work on consumer related security standards was complemented by the publication in November of a further Technical Specification. TS 103 732 ‘Consumer Mobile Device Protection Profile’ offers a set of security and evaluation requirements to be used in the security assessment of consumer mobile devices.

During the year TC CYBER experts discussed ETSI standards EN 303 645 and TS 103 701 in workshops on IoT security, organized by the InDiCo project with Japan, South Korea, USA and Brazil.

Following on from the group’s landmark work on security standards for consumer equipment, in 2021 TC CYBER continued preparatory work for potential harmonized standards in support of the Radio Equipment Directive (RED), and the activation of specific sub-articles related to cybersecurity and privacy. An ad hoc group was set up under the leadership of TC CYBER – with participation from TC ERM and TC RRS – to discuss the supporting draft Standardization Request and related Commission Delegated Regulation (EU) 2022/30 of 29 October 2021.

A vital component of modern networks including 5G, middleboxes provide strengthened protection against sophisticated new cyberattacks. However their deployment can raise complex questions around issues of security, privacy, and trust.

Expanding TC CYBER’s work on middleboxes, February saw publication of TS 103 523-2: Transport Layer MSP (TLMSP), Part 2 of ETSI’s Middlebox Security Protocol (MSP) – a specification that defines a protocol for fine-grained access control to communications traffic. Allowing endpoint control of entities that can access data for cyber defence purposes and protect against unauthorized access, this allows middleboxes to perform their functions securely whilst keeping up with the rapid pace of technical developments.

This was followed by December’s publication of Part 5, TS 103 523-5, that addresses enterprise network security aspects of middleboxes.

Published in March, ETSI White Paper #43 describes high-level technical features, motivations and use cases for TC CYBER’s standardized Middlebox Security Protocol. The paper references ETSI’s existing multi-part suite of MSP specifications (TS 103 523-1/2/3), originally published in 2020.

May saw publication of the first part of a multi-part Technical Report addressing cybersecurity for SMEs. TR 103 787-1 ‘Cybersecurity Standardization Essentials’ introduces a five-step process for reducing cybersecurity risks using standards and frameworks.

MIKEY-SAKKE is an identity-based authenticated key exchange protocol, designed for government and enterprise to build secure, highly scalable cross-platform multimedia communications services. 2021 saw approval by TC CYBER of its first PAS (Publicly Available Specifications), with the submission by Secure Chorus of their own specifications for connecting products using the MIKEY-SAKKE protocol.

Work was also completed on a new Technical Report TR 103 838 (subsequently published early in 2022) that offers a guide to Coordinated Vulnerability Disclosure. Aimed at organizations wishing to implement a vulnerability disclosure process, the guide features examples of policy, action plans and generic advice on responding to a disclosure.

See the full list of TC CYBER deliverables published in 2021 here.

Quantum Safe Cryptography

Quantum computers pose a major challenge to conventional cryptographic techniques, where information such as bank account details become subject to potential discovery and misuse.

The focus of our CYBER QSC Working Group is on the practical implementation of quantum-safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The group’s work also feeds into other groups and standards bodies such as International Telecommunications Union (ITU), Internet Engineering Task Force (IETF), International Standards Organisation (ISO) and GlobalPlatform.

While CYBER QSC objectives include architecture, implementation and protocols, they do not include the development of cryptographic primitives. This is conducted in academia and other groups who specialize in the area, such as ETSI’s Security Algorithms Group of Experts (SAGE) and the National Institute of Standards and Technology (NIST) in the U.S.

During the year CYBER QSC notably published/updated three Technical Reports:

TR 103 616 offers a comparison of various proposals in the academic literature for quantum-safe signature schemes. The report provides an overview of a representative selection of lattice-based, hash-based, multivariate-based, code-based, isogeny-based and HIMMO schemes and study security, efficiency, parameterisations and practical implementation issues.

TR 103 692 discusses security issues around the implementation of Stateful Hash-Based Signature (S-HBS) schemes in different environments.

TR 103 823 presents technical descriptions of Key Encapsulation Mechanisms (KEMs) selected by NIST for Round 3 of their post-quantum standardization process.

Meanwhile work continued on other QSC deliverables, including:

  • Technical Report on migration strategy for ITS and C-ITS use cases
  • Technical Report on impact of quantum computing on cryptographic security proofs
  • Revision to Technical Specification on quantum-safe hybrid key establishment methods.

See the full list of TC CYBER Work Items currently in progress here.

Events

Held virtually from 14-18 June, ETSI Security Week 2021 attracted an online audience of more than 1,000 viewers from over 70 countries. Sessions variously addressed securing Artificial Intelligence; IoT – including the next Cybersecurity Act Scheme and industry feedback on IoT certification; Network Function Virtualization (NFV) and how risks, threats and vulnerabilities can be mitigated with ETSI NFV standards; an overview of Multi-access Edge Computing (MEC) security standardization, including use cases for 5G; and cybersecurity policy with future plans for standards under the Cyber Security Act.

ENISA, CEN, CENELEC and ETSI jointly organised a third workshop on ‘European Standardization in support of the EU Cybersecurity Act’ on 2-4 February 2021, with the ETSI GA Chair, Board Chair, ETSI D-G, TC Chair and key TC CYBER experts speaking at the event.

The ETSI Technical Conference on Quantum Safe Cryptography was also held in February as a virtual event.