Technical Committee (TC) CYBER (cybersecurity) Activity Report 2020

Chair: Alex Leadbeater, BT

Responsible for the standardization of cybersecurity and for providing a centre of relevant security expertise.

Security and privacy are inescapable aspects of our digital lives. Rapid growth in the complexity of new systems and networks, plus the sophistication of changing threats, present demanding challenges to maintain the security of Information and Communications Technologies (ICT) infrastructures.

Security is particularly important to developments in networked systems such as the Internet of Things (IoT) and Industry 4.0. In addition, technologies such as virtualization and cloud computing bring with them specific security threats.

At the same time, sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure practice by governments and businesses, and there has been a proliferation of legislation worldwide, driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the communications and business we depend on. A trusted centre of expertise, our Cybersecurity Technical Committee (TC CYBER) develops market-driven standardization solutions to meet strategic high-level needs, as well as offering guidance to regulators, users, manufacturers and network operators.

TC CYBER works in close co-operation with numerous international, regional and national organizations and governments involved in cyber security, including the European Cybersecurity Agency (ENISA), the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). The committee also develops standards for security requirements that are not catered for elsewhere in ETSI.

As more devices in the home connect to the Internet, the cybersecurity of the Internet of Things (IoT) has become a growing concern. Developed in conjunction with CEN/CENELEC and drawing on expertise from industry, academia and government, our standard for cybersecurity in the Internet of Things [EN 303 645] was published in June 2020, establishing a security baseline for Internet-connected consumer products while providing a basis for future IoT certification schemes.

Compliance with the standard – that specifies provisions for the security of Internet-connected consumer devices and their associated services – will restrict attackers’ ability to launch DDoS attacks, mine cryptocurrency and spy on users in their own homes. IoT products in scope include connected children’s toys and baby monitors, connected safety-relevant products such as smoke detectors and door locks, smart cameras, TVs and speakers, wearable health trackers, connected home automation and alarm systems, connected appliances (such as washing machines and fridges) and smart home assistants. Work also continued on the development of a complementary test specification and implementation guide for the new standard.

In December the committee published the first part  [TS 103 523-1] of a multi-part specification defining the security properties of a Middlebox Security Protocol (MSP). A vital component of modern networks, middleboxes provide strengthened protection against sophisticated new cyberattacks; however their deployment can raise complex questions around issues of security, privacy and trust. MSP Part 1 addresses this gap with a new security framework that allows middleboxes to perform vital functions whilst keeping up with the rapid pace of technical development. Further parts of this series will create a complete set of protocols to enable secure functional operation of next generation middleboxes.

Other publications during the year variously considered: external encodings for the Advanced Encryption Standard [TS 103 718]; mechanisms for privacy assurance and verification [TS 103 485]; observations on security for smart meters [TR 103 644]; and techniques for the assurance of digital material used in legal proceedings [TS 103 643]. We also revised our report [TR 103 306] on the global cybersecurity ecosystem.

In June 2020 ETSI joined the newly formed Stakeholder Cybersecurity Certification Group (SCCG). Representing a broad range of interests and including representatives of trade associations, companies, academic institutions, consumer organizations, conformity assessment bodies, SDOs and other membership organizations, the group offers advice to the EC on strategic issues regarding the European cybersecurity certification framework. It also assists the Commission in preparation of the Union rolling work programme, which sets priorities for the definition of schemes within the EU cybersecurity certification framework.

Quantum Safe Cryptography

Quantum computers pose a major challenge to conventional cryptographic techniques, where information such as bank account details become subject to potential discovery and misuse.

The focus of our CYBER QSC group is on the practical implementation of quantum safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The group’s work also feeds into other groups and standards bodies such as International Telecommunications Union (ITU), Internet Engineering Task Force (IETF), International Standards Organisation (ISO) and GlobalPlatform.

While CYBER QSC objectives include architecture, implementation and protocols, they do not include the development of cryptographic primitives. This is conducted in academia and other groups who specialize in the area, such as ETSI Security Algorithms Group of Experts (SAGE) and the National Institute of Standards and Technology (NIST) in the U.S.

In July CYBER QSC released a Technical Report [TR 103 619] defining migration strategies and recommendations for Quantum-Safe schemes, as well as enhancing cryptography awareness across all business sectors. The report defines a framework of actions that organizations should take to enable smooth migration to a fully Quantum-Safe cryptographic state.

In December 2020 the group published its first Technical Specification [TS 103 744] on hybrid key exchange. This defines methods and architectures for combining a quantum-safe key encapsulation method with a classical key exchange method, ensuring that the resulting negotiated keys are as secure as the strongest of the individual schemes being combined.

ETSI Security Week 2020

Held in June, the first all-virtual ETSI Security Week attracted a record audience of more than 4,200 unique online views from participants in over 50 countries. Speakers and moderators included global telco operators, vendors, academia, security organizations, EC, ENISA and other bodies including 3GPP and GSMA.

Webinars focused on four key cybersecurity topics: how to deploy 5G securely in different market sectors; the Cybersecurity Act and the future European Standard developed by ETSI on security for IoT consumer devices; advanced cryptography; and the new Smart Secure Platform.

 

LOOK OUT FOR IN 2021 – TC CYBER/QSC WORK IN PROGRESS:

CYBER

  • Technical Specification (TS) on cybersecurity assessment for consumer IoT products – specification of mandatory and recommended test scenarios, plus guidance and examples to support implementation
  • TS on security and evaluation requirements for consumer mobile devices –identifying key assets on devices to be protected and main security threats
  • TS on identity management and discovery for IoT devices - defining data structure for managing identifiers and properties of a device that are exposed in use cases including discovery, attachment and communication: application of these authority-attribute trees to SAREF ontology
  • TS on Middlebox Security Protocol; Part 5: Enterprise Network Security - use cases, mappings, architectures, protocol profiles for network layer MSP for enterprise network and data centre access control
  • TS on critical security controls for middleboxes – technical measures to detect, prevent, respond to and mitigate damage from cyber-attacks against MSP enabled middleboxes
  • Revision to TS on methods and protocols for security counter measures - Part 2: Protocol Framework Definition; Security Counter Measures
  • TS on baseline security for telecommunications operators (fixed and mobile) - taking into account challenges such as 5G and NFV
  • TS on cybersecurity for consumer IoT; residential smart door locking devices
  • TS on security threats and related requirements for sensor hub
  • TS on Publicly Available Specification (PAS); KMS certificate definition
  • TS on PAS; one-to-one voice communication
  • TS on PAS; one-to-one voice messaging
  • TS on PAS; group voice communications
  • TS on PAS; specification of interface to enable KMS discovery
  • TR on home gateway security threat and mitigation – analysis of threats to hardware, software, data and interfaces, plus mitigation of these threats across lifecycle from product development to decommissioning
  • TR on guide to cybersecurity for consumer IoT
  • TR on Guide to identity-based cryptography - survey and explainer for IBE (Identity Based Encryption) technologies, use cases and properties
  • TR on e-Voting cybersecurity – examination of existing work on requirements for e-Voting service trust, security, resiliency and privacy
  • TR on cybersecurity for SMEs; Part 1: cybersecurity standardization essentials
  • TR on guide to coordinated vulnerability disclosure – contains examples of vulnerability disclosure policy, action plans and generic advice on how to respond to a vulnerability disclosure
  • TR on network router security threat and mitigation – with focus on router hardware, software, data, and interfaces to identify and analyze security threats to which they are subject, plus mitigation against these threats throughout the network router lifecycle

CYBER QSC

  • TR on state management for stateful authentication mechanisms – investigation into security issues for managing state in, and appropriateness of using, stateful hash-based signature schemes in different deployments
  • TR on NIST Round 3 Key Encapsulation Mechanisms (KEMs) - provides technical descriptions of Key Encapsulation Mechanisms (KEMs) selected by NIST for the third round of their post-quantum standardization process
  • TR on migration strategy for ITS and C-ITS use cases
  • TR on quantum-safe signatures - overview of various lattice-based, hash-based, multivariate-based, code-based, isogeny-based and HIMMO schemes