Technical Committee (TC) CYBER (cybersecurity) Activity Report 2019

Chair: Alex Leadbeater, BT

Responsible for the standardization of cybersecurity and for providing a centre of relevant security expertise.

Cybersecurity permeates every aspect of our digital lives. Rapid growth in the complexity of new systems and networks, plus the sophistication of changing threats, present demanding challenges to maintain the security of Information and Communications Technologies (ICT) infrastructures.

Security is particularly important to developments in networked digital systems such as the Internet of Things (IoT) and Industry 4.0. In addition, technologies such as virtualization and Cloud computing bring with them specific security threats.

At the same time, sensitivity towards the privacy of individuals/organizations and their data is intensifying with media exposure of insecure practice by governments and businesses, and there has been a proliferation of legislation worldwide, driven by these growing security concerns. Balancing the twin demands of privacy and protection is a major challenge. Solutions must include a reliable and secure network infrastructure, but they also depend on trust on the part of users – both individuals and businesses – that privacy, confidentiality, secure identification, privacy-friendly security, the visibility of security and other concerns are properly addressed.

Security standardization, sometimes in support of legislative actions, has a key role to play in protecting the Internet and the communications and business it carries. Our Cyber Security committee (TC CYBER) is addressing many of these issues. Working with other stakeholders, the committee produces standards to meet strategic high-level needs, and co-ordinates the work of those committees within ETSI which deal with security aspects in their own technical areas.

TC CYBER works in close co-operation with numerous international, regional and national organizations and governments involved in cyber security, including the International Telecommunication Union (ITU) and the International Organization for Standardization (ISO). We also develop standards for security requirements that are not catered for elsewhere in ETSI, and offers security advice and guidance to users, manufacturers and network and infrastructure operators.

Connected devices are already present in many homes, tempting hackers who may exploit fundamental vulnerabilities to access other devices and data on the same household networks or launch large-scale DDoS (Distributed Denial of Service) cyber-attacks.

Anticipating June 2019’s enactment of the EU Cybersecurity Act (CSA), we released a Technical Specification [TS 103 645] that sets a baseline for the security of Internet-connected consumer products. The group also initiated its transposition into an EN in May.

During the year we also published or updated the following technical reports and specifications:

  • [TR 103 370] Practical introductory guide to technical standards for privacy
  • [TR 103 644] Increasing smart meter security
  • [TS 103 523-3 V1.3.1] Middlebox Security Protocol; Part 3: Enterprise Transport Security (revision)
  • [TR 103 331 V1.2.1] Structured threat information sharing (revision)

Taking place from 17-21 June 2019, ETSI Security Week provided a forum to debate various aspects of cybersecurity. Topic included the cybersecurity landscape and policy action (Cybersecurity Act and ePrivacy Regulation), security aspects of AI, and how security can keep pace with changes in technology, networks and society. A concurrent Hackathon event focused on our Middlebox Security Protocol, while daily ‘ETSI Explainer’ sessions showcased latest work on hot security topics.

TC CYBER hosted two webinars as part of Cybersecurity Month in October. One provided an overview of ETSI’s cybersecurity standardization activities and consumer IoT security, while the other focused on ESI.

In January the TC CYBER Chair and Vice Chairs spoke alongside the ETSI DG at the second workshop on the Cybersecurity Act and its link with standardization, organized by CEN, CENELEC, ENISA and ETSI.

Quantum Safe Cryptography

CYBER QSC was founded as an ETSI Industry Specification Group in 2015 and subsequently converted to a Working Group of TC CYBER in March 2017. Its focus is on the practical implementation of quantum safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. The work of Cyber QSC has also fed into other groups and standards bodies such as International Telecommunications Union (ITU), Internet Engineering Task Force (IETF), International Standards Organisation (ISO), Global Platform and others.

CYBER QSC objectives include architecture, implementation and protocols, but do not include the development of cryptographic primitives.  This is conducted in academia and other groups who specialize in the area, such as ETSI Security Algorithms Group of Experts (SAGE) and the National Institute of Standards and Technology (NIST) in the U.S.

In 2019 CYBER QSC published the Technical Report “Quantum-Safe Identity-Based Encryption” [TR 103 618], describing how Identity-Based Encryption operates within the confines of the requirement to be quantum-safe. Lattice-based Hierarchal Identity-Based Encryption (HIBE) is described in terms of implementation and parameter selection, as well as performance estimates for both 32-bit and 64-bit microprocessors.

Organized by ETSI in partnership with Institute for Quantum Computing (IQC) in Canada and Amazon Web Services (AWS), the 7th  ETSI/IQC Quantum Safe Cryptography Workshop took place in November at the Amazon Headquarters in Seattle, USA.

Look out for in 2020 – TC CYBER work in progress

  • Revision to Standard (EN) on cybersecurity for consumer IoT (Internet of Things) devices
  • Technical Specification (TS) on cybersecurity assessment for consumer IoT products – specification of mandatory and recommended test scenarios, plus guidance and examples to support implementation
  • TS on security and evaluation requirements for consumer mobile devices –identifying key assets on devices to be protected and main security threats
  • TS on Middlebox Security Protocol; Part 1: Capability Requirements – enabling trusted, secure communication sessions between network endpoints and one or more middleboxes between them using encryption
  • TS on Middlebox Security Protocol; Part 2: Transport layer MSP, profile for fine-grained access control
  • TS on Middlebox Security Protocol; Part 5: Enterprise Network Security - use cases, mappings, architectures, protocol profiles for network layer MSP for enterprise network and data centre access control
  • TS on critical security controls for middleboxes – technical measures to detect, prevent, respond to and mitigate damage from cyber-attacks against MSP enabled middleboxes
  • TS on baseline security for telecommunications operators (fixed and mobile) - taking into account challenges such as 5G and NFV
  • TS on external encodings for Advanced Encryption Standard (AES) – to increase resistance of white-box AES implementations against attacks based on differential computation analysis and differential fault analysis
  • TS on quantum-safe hybrid key exchange - methods and architectures for combining quantum-safe key encapsulation method with classical key exchange methods
  • TS on mechanisms for privacy and assurance verification - addressing Identity Management with respect to privacy, naming structures with respect to Personally identifiable information (PII) and objects that may be associated as proxies to entities requiring PII protection, protocols and policy mechanisms to give assurance and the verification of assurance for PII
  • TS on identity management and discovery for IoT devices - defining data structure for managing identifiers and properties of a device that are exposed in use cases including discovery, attachment and communication: application of these authority-attribute trees to SAREF ontology
  • Revision to TS on methods and protocols for security counter measures - Part 2: Protocol Framework Definition; Security Counter Measures
  • Technical Report (TR) on quantum-safe signatures - overview of various lattice-based, hash-based, multivariate-based, code-based, isogeny-based and HIMMO schemes
  • TR on strategies and techniques for migration from non-QSC to quantum-safe environments
  • TR on state management for stateful authentication mechanisms – investigation into security issues for managing state in, and appropriateness of using, stateful hash-based signature schemes in different deployments
  • TR on Guide to identity-based cryptography - survey and explainer for IBE (Identity Based Encryption) technologies, use-cases and properties
  • TR on home gateway security threat and mitigation – analysis of threats to hardware, software, data and interfaces, plus mitigation of these threats across lifecycle from product development to decommissioning
  • TR on e-Voting cybersecurity – examination of existing work on requirements for e-Voting service trust, security, resiliency and privacy
  • CYBER QSC extended roadmap