Posted by Sabine Dahmen-Lhuissier

Mission

Introducing… ETSI’s Technical Committee: CYBER

The world has never been more connected than it is today. The Internet has become critical to our everyday lives, for businesses and individuals, and so too has its security. With our growing dependence on networked digital systems comes an increase in the variety and scale of threats and cyber attacks.

Variation in the protective methods used by countries or organizations can make it difficult to assess risk systematically and to ensure consistent, adequate security. Standards therefore have a key role to play in improving cybersecurity – protecting the Internet and the IoT, securing communications and providing security tools for the businesses that need them. ETSI TC CYBER is making these standards for today and for the future.

ETSI TC CYBER is recognized as a major trusted centre of expertise offering market-driven cybersecurity standardization solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. ETSI TC CYBER works closely with stakeholders to develop standards that increase privacy and security for organizations and citizens across Europe and worldwide. We provide standards that are applicable across different domains, for the security of infrastructures, devices, services, protocols, and to create security tools and techniques.

TC CYBER is the most security-focused technical committee in ETSI, and we have many strands of work. This roadmap describes each of TC CYBER's key areas where standardisation can help on the journey to better security.

Our work

Understanding the cybersecurity ecosystem

TC CYBER created a Technical Report on the Global cybersecurity Ecosystem (TR 103 306 which is now available and updated on a wiki page), to discover and assemble lists of global cybersecurity constituents. We believe this knowledge is important, as we need to find where TC CYBER can best contribute to the global security landscape. It attempts to be as inclusive as possible to expand our collective insight into the extent and diversity of the ecosystem, including:

- forums that develop techniques, technical standards and operational practices
- major IT developer forums affecting cybersecurity
- activities for continuous information exchange
- global and national centres of excellence
- reference libraries, conferences, and publications
- heritage sites and historical collections

This area of work is about building a common view of the cybersecurity ecosystem, but it also shows TC CYBER's reach both in Europe and globally.

Protection of personal data and communication

Protecting personal data has become a hot topic, especially since publication of the GDPR, and with ePrivacy on the horizon, TC CYBER is doing the work to match.

TS 103 458 describes high-level requirements for Attribute-Based Encryption (ABE). One objective is to protect user identity, preventing its disclosure to an unauthorized entity. It defines personal data protection on IoT devices, WLAN, cloud and mobile services, where secure access to data has to be given to multiple parties according to who each party is. ABE lets you define access based on attributes – for employees in a company, this could be the department they work in, or whether they are in a probation period – so that data can only be read by those whose attributes satisfy the access policy.

TS 103 532 focuses on Attribute-Based Encryption to control access to data, aiming to provide user identity protection whilst preventing disclosure of data to an unauthorized entity.
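The following is an added illustration, not code from ETSI or from TS 103 458/TS 103 532, of the access-structure idea behind ciphertext-policy ABE that the two paragraphs above describe: a data key is secret-shared over a policy tree of attributes (AND, OR and k-of-n gates), and only a user holding a satisfying set of attributes can reassemble it. The attribute names, the policy and the record are constructed for the example. Real ABE binds the shares to bilinear-group elements so that users cannot read or pool them; this stdlib-only toy omits that layer and the XOR keystream is a stand-in, so it is a model of the access structure, not a secure ABE scheme.

```python
"""Toy attribute-based access to an encrypted record (added example).

Models the access-structure layer of ciphertext-policy ABE: the data key
is secret-shared over a policy tree and a user holding the right attributes
can reassemble it. Real ABE binds the shares to bilinear-group elements so
they cannot be read or pooled by colluding users; this stdlib-only toy
omits that and is NOT a secure ABE scheme.
"""
import hashlib
import secrets

P = 2**127 - 1  # prime field for Shamir sharing (assumption: data key < P)


def _poly(coeffs, x):
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def shamir_split(secret, k, n):
    """n points on a random degree-(k-1) polynomial with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_combine(points):
    """Lagrange interpolation at x = 0 over GF(P) from k points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


# Policy tree nodes: ("attr", name) or ("gate", k, [children]) meaning
# "at least k children must be satisfied"; AND is k=len, OR is k=1.
def AND(*children):
    return ("gate", len(children), list(children))


def OR(*children):
    return ("gate", 1, list(children))


def distribute(node, secret, out=None):
    """Assign each leaf attribute the share it needs; returns {attr: share}."""
    out = {} if out is None else out
    if node[0] == "attr":
        assert node[1] not in out, "each attribute may appear once per policy"
        out[node[1]] = secret
        return out
    _, k, children = node
    for (_, y), child in zip(shamir_split(secret, k, len(children)), children):
        distribute(child, y, out)  # a child's share is the secret of its subtree
    return out


def reconstruct(node, shares):
    """Rebuild the secret from the shares the user holds, or None if unsatisfied."""
    if node[0] == "attr":
        return shares.get(node[1])
    _, k, children = node
    pts = []
    for x, child in enumerate(children, start=1):  # x matches shamir_split's index
        y = reconstruct(child, shares)
        if y is not None:
            pts.append((x, y))
            if len(pts) == k:
                return shamir_combine(pts)
    return None


def _keystream(key_int, n):
    # Hash-counter keystream as a stand-in for a real cipher (unauthenticated).
    key = key_int.to_bytes(16, "big")
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(policy, plaintext):
    """Encrypt under a policy; returns (ciphertext, per-attribute shares)."""
    data_key = secrets.randbits(120)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(data_key, len(plaintext))))
    return ct, distribute(policy, data_key)


def decrypt(policy, ciphertext, all_shares, user_attrs):
    """A user receives only the shares for attributes they actually hold."""
    held = {a: s for a, s in all_shares.items() if a in user_attrs}
    key = reconstruct(policy, held)
    if key is None:
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))


# Constructed policy: finance staff past probation, or any auditor.
POLICY = OR(AND(("attr", "dept:finance"), ("attr", "status:confirmed")),
            ("attr", "role:auditor"))
```

Run `encrypt(POLICY, b"salary table")` and then `decrypt` with different attribute sets: `{"dept:finance", "status:confirmed"}` and `{"role:auditor"}` recover the record, while `{"dept:finance", "status:probation"}` gets `None` because the AND gate has only one of its two shares. A threshold gate such as `("gate", 2, [...])` over three attributes gives a 2-of-3 rule with no change to the rest of the code.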

Recent work focuses on protecting the identity of devices and users, inspired by industry's need for GDPR compliance. Much connectivity currently operates on all-or-nothing trust: you connect your device to a network and it has to be trusted completely, or not at all (and then it doesn't work!). TS 103 486 describes how devices can be discovered pseudonymously and builds a more nuanced trust establishment mechanism.

TR 103 370 focuses on technical standards that can be used for data protection according to GDPR, which centres around personally identifying information. TS 103 485 defines mechanisms for privacy assurance. TC CYBER recognizes its role in supporting European regulation and legislation.

Consumer Mobile and IoT security and privacy

As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cybersecurity of the Internet of Things is becoming a growing concern. Poorly secured products threaten consumers' privacy, and some devices are exploited to launch large-scale DDoS attacks.

EN 303 645/TS 103 645 establishes a security baseline for internet-connected consumer products through a set of 13 provisions, the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. This baseline deliverable is complemented by an assessment specification and an implementation guide, all detailed on the Consumer IoT security page. TC CYBER is currently working on a smart door lock vertical standard based on ETSI EN 303 645.

TC CYBER has also developed and continues working on a Common Criteria Protection Profile for consumer mobile devices focusing on devices with high computation power and rich user interface such as smart phones and tablets (TS 103 732).

Other IoT work in TC CYBER includes a report on Critical Security Controls (TR 103 305-3), which is applicable to IoT. ETSI hosts an annual IoT Week in October too; you can find out more about this on the IoT events page.

Cybersecurity for critical national infrastructures

Critical infrastructure is defined in TR 103 303 as: “any infrastructure for which loss or damage in whole or in part will lead to significant negative impact on one or more of the economic activity of the stakeholders, the safety, security or health of the population”. Examples include power plants, drinking water, hospitals and train lines.

TR 103 303 reviews roles and subsequent measures for the protection of Critical Infrastructure, where the Critical Infrastructure in whole or in part is composed of technologies using cybersecurity mechanisms. The resulting measures and processes for Critical Infrastructure Protection (CIP) are defined and relevant mechanisms to be implemented are identified.

The guidance on implementing the NIS Directive (Networks and Information Systems Directive) in TR 103 456 applies to critical national infrastructures. We are currently analysing the impact of the revision of the NIS Directive.

Network Security

ETSI creates standards that are driven by industry need. In 2017, TC CYBER identified that middleboxes are a crucial part of network function and defence, whether they are called proxies, middleboxes, firewalls or intrusion detection systems.

This led to the creation of the Middlebox Security Protocol, or MSP – which is being delivered in parts, so as to be extensible where necessary – as the TS 103 523 series.

MSP allows proxies access to only the parts of the data that they need, controls whether the data can be modified or not, gives the client and server visibility of what the proxies are doing, and protects proxies from malicious clients or servers. MSP gives improvements to overall system security compared to usage of a traditional MITM proxy and enables new scenarios to be supported that were traditionally unavailable.

MSP is more widely applicable than traditional MITM proxies, as it facilitates similar functions but does so more securely and with more control. It can be used to:

- enable data centre operations, such as load-balancing, troubleshooting, malware detection and investigation of network attacks, on encrypted networks
- restrict access to data on a fine-grained scale, protecting users' privacy
- specify the required security properties of middleboxes and their visibility to endpoints

TC CYBER has also started activities to secure individual elements of networks.

First, it addressed home gateway security with a threat analysis (TR 103 743) and security requirements (TS 103 748). It is currently working on network routers as well as optical network and device security.

Cybersecurity tools and guides

TC CYBER works on several specific techniques and tools to enhance cybersecurity.

Implementing a vulnerability disclosure policy is a key requirement for ensuring ongoing strong cybersecurity after a product has been placed on the market. ETSI TR 103 838 provides a guide to coordinated vulnerability disclosure. It contains generic advice on how to respond to and manage a vulnerability disclosure, a defined triage process, and advice on managing vulnerabilities in third-party products or suppliers. It also includes an example of a vulnerability disclosure policy.

The Critical Security Controls (TR 103 305) are a five-part series of pragmatic, readable guidance and advice that is widely applicable to many enterprises. Each part focuses on a separate aspect of enterprise security.

TS 103 457 addresses the problem of organizations that want to protect customer data whilst still using a cloud that is not under their direct control. It standardizes an interface between a trusted "secure vault", where the sensitive data is held, and a cloud that could be anywhere. This allows a sensitive function to run in a lower-security environment while its data is held securely. The interface is widely applicable; for example, it can be used with NFV technology to allow secure authentication of users for billing purposes. Virtualisation means that processing can happen anywhere and might be untrusted, so secure vaults are needed to protect sensitive functions and data, a need that grows as NFV technology becomes widespread.

Other techniques we have worked on include the protection of software in a white-box model (another growing need in security today), external encodings for the Advanced Encryption Standard (AES), and a guide to identity-based cryptography.

We released a specification to provide assurances of digital material that are so strong that they can be used in legal or criminal proceedings. This specification identifies a process of receiving, transforming and outputting material that can be assured digitally – and importantly, the assurance of the material is not dependent on the process having been carried out by a specially-trained human expert. This innovative piece of work shows yet again the forward-leaning nature of TC CYBER and our willingness to embrace new standards that are derived from industry need.

We are also updating our TS 102 165 series on cybersecurity methods, covering Threat, Vulnerability, Risk Analysis (TVRA) and countermeasures.

One of our latest initiatives is about Open Security Controls Assessment Language (OSCAL) Use Guidelines.

Our previous work in this area also includes TR 103 331 (Structured threat information sharing), as cyber threat information sharing - often described as threat intelligence sharing - is one of the most important components of an organization's cybersecurity program. This report provides a survey of ongoing activities and the resulting platforms that are aimed at structuring and exchanging cyber threat information – to inform TC CYBER’s future work.

Direct support to EU legislation

We recognize our key role to play in helping stakeholders comply with regulation, such as the Radio Equipment Directive, NIS Directive, ePrivacy, GDPR and the Cybersecurity Act, demonstrated by our publications giving guidance to meet the legal measures and technical requirements of the NIS Directive and GDPR. TC CYBER understands its responsibility in supporting EU legislation.

We issued guidance on implementing the NIS Directive (Networks and Information Systems Directive) in TR 103 456. Its strength results from ETSI's ability, as a regional and global organization, to bring together industry expertise and global cybersecurity knowledge, including its own cybersecurity technical specifications and reports. We are currently analysing the impact of the revision of the NIS Directive.

Our specification TS 103 485 provides a set of considerations for industry and mechanisms to use when aiming to achieve compliance with the requirements of the General Data Protection Regulation (EU) 2016/679 (GDPR). TR 103 370 also provides guidelines and best practices to manage privacy, aiming to help achieve compliance with GDPR.

In collaboration with all relevant ETSI technical committees, and in close co-operation with CEN and CENELEC, TC CYBER actively contributed in 2021 and 2022 to the preparation of the Standardization Request in support of Commission Delegated Regulation (EU) 2022/30 of 29 October 2021, which activates Article 3(3)(d), (e) and (f) of the Radio Equipment Directive. In mid-2022 the European Commission decided to address that Standardization Request to CEN and CENELEC only. TC CYBER is actively contributing to the CEN/CLC JTC 13 WG8 work on this topic thanks to the existing close cooperation between TC CYBER and CEN/CLC JTC 13.

Our most recent EN 303 645 and its complementary assessment specification and implementation guide could also be used in a certification scheme if the EC requests ENISA to prepare a cybersecurity certification scheme for IoT under the Cybersecurity Act. Our work on security and evaluation requirements for consumer mobile devices could also be of use if certification of 5G mobile devices were ever considered.

Quantum-safe cryptography

The emergence of quantum computing will present a serious challenge to current cryptographic techniques. Information that is encrypted securely today – such as bank account details, identity information and military data – will become subject to discovery and possible misuse. New 'quantum-safe' cryptographic techniques have emerged in recent years that provide protection against quantum threats.

We are addressing these security issues by developing recommendations and specifications for the transition to quantum-safe applications in our Working Group on Quantum Safe Cryptography (QSC) within TC CYBER. We aim to standardise methods that mitigate the potentially disruptive technology of quantum computing.

You may have heard of the NIST process to standardize quantum-safe algorithms – ETSI is complementing this approach with practical advice on implementation, integration, migration times and risk assessment – all aimed at industry.

QSC's focus is on the practical implementation of quantum safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. This is exemplified by QSC's report TR 103 619 defining migration strategies and recommendations for Quantum-Safe schemes, and enhancing cryptography awareness across all business sectors. QSC also published a technical specification on hybrid key exchange.

ETSI is also working on the related concept of Quantum Key Distribution (QKD).

The future

TC CYBER is an active committee with many work items open at any one time.

Future topics on TC CYBER's road map are presented as an interactive diagram on the ETSI website. For AI, see also our TC SAI.

Find out more

For more on ETSI's security work, check out the cybersecurity page on our website.

If you are interested in joining ETSI, including TC CYBER, please refer to the membership information and contacts on the CYBER committee page.

Consumer IoT security

See the details of the Consumer IoT security Road Map.


Posted by Sabine Dahmen-Lhuissier

What is EN 301 549?

EN 301 549 “Accessibility requirements for ICT products and services” is a European Standard. It defines the requirements that products and services based on information and communication technologies (ICT) should meet to enable their use by persons with disabilities.

EN 301 549 is a harmonised standard that supports European Directive 2016/2102 on the accessibility of the websites and mobile applications of public sector bodies (the Web Accessibility Directive). Therefore, it can be used to demonstrate compliance with that Directive. Annex A of EN 301 549 provides information on how to do so.

The standard is planned to be updated to also support the European Directive 2019/882 on the accessibility requirements for products and services.

Applicability of EN 301 549

EN 301 549 can be applied to any type of ICT-based products and services. This includes software (web pages, mobile applications, desktop applications…), hardware (smartphones, personal computers, information kiosks…) and any combination of hardware and software.

To that end, the requirements of the standard are self-scoping. This means that each consists of two parts: the first part is a precondition, and the second part holds the actual requirement. If a product or service meets the precondition, then it must conform to the second part of the requirement; if it does not, the requirement does not apply to it.

How is EN 301 549 structured?

The standard contains, among other contents:

- A description of the needs of persons with disabilities, written as functional performance statements, explaining the functionality that is needed to enable users with different abilities to locate, identify and operate functions in technology (chapter 4).
- The accessibility requirements, organised by functions or product features rather than by commercial product or service categories (chapters 5 to 13).
- The description of which requirements of the Standard presume conformance with European Directive 2016/2102 (the Web Accessibility Directive) (annex A).
- A description of the relationship between requirements and functional performance statements (annex B).

A short history of EN 301 549

This standard has been jointly produced by the three European standardisation organizations: CEN (European Committee for Standardisation), CENELEC (European Committee for Electrotechnical Standardisation) and ETSI (European Telecommunications Standards Institute).

EN 301 549 was originally published in 2014 to support public procurement of accessible ICT, as a response to the European Commission Mandate 376. It has been updated several times since then.

The latest version of EN 301 549 V3.2.1 was published in 2021 and officially supports the Web Accessibility Directive since August 2021 (Commission Implementing Decision (EU) 2021/1339).

EN 301 549 will be revised with the aim to publish V4.1.1 in 2025 in support of the European Directive (EU)2019/882 on the accessibility requirements for products and services (the European Accessibility Act), as a response to the European Commission Mandate 587. The revision work item of ETSI Technical Committee Human Factors (TC HF) can be seen via the Portal, along with its target schedule.


Posted by Sabine Dahmen-Lhuissier

2019 Fellow: Our exclusive interview with Fred Hillebrand

Fred, what was your main involvement with ETSI?

I was appointed Chair of Technical Committee SMG (Special Mobile Group) for the period from 1996 to 2000. SMG was responsible for GSM and UMTS standardization. It had 150 delegates in plenary, 11 Sub-Committees and 50 Working Groups.

What was the main ongoing work?

GSM had been converted from a monolithic system to a platform with an open long-term feature evolution called GSM Phase 2+ in 1993. During the period from 1996 to 2000, SMG worked hard on this evolution.

How successful was GSM in the world market?

GSM was the leading 2G mobile communication system. The number of countries that implemented GSM networks grew from 70 to 140 in the period from 1996 to 2000. To ensure the continuation of this success, standardization with a strong focus on global market needs and a high speed of innovation was needed.

Was the GSM Phase 2+ programme sufficient for the future success?

In 1995/6 it became clear that a satisfying mobile Internet access required much higher data rates than GSM Phase 2+ could provide. Fortunately, a European research program called UMTS had achieved some useful results.

How was this integrated into the standardization process?

TC SMG and all the relevant stakeholders agreed to add a 3G evolution to the GSM platform, based on the UMTS research results. This would be based on a new UMTS Terrestrial Radio Access (UTRA) and on an evolution of the GSM core network.

What was the biggest obstacle to overcome?

As in GSM, the selection of the radio access system! After intensive work and a difficult decision-making process, SMG was able to select the basic parameters of UTRA in January 1998 in a Plenary with the all-time high of 250 participants.

What happened on other continents?

We cooperated during this period with partners in Japan, Korea and the USA. These partners came to the same decision on the 3G radio solution. Then they wanted to contribute and to influence the emerging common 3G standard.

How could you do this complex work together?

I realized that it was impossible to develop a consistent set of technical specifications through decentralized work in different organizations. In order to remedy this situation, I initiated a single global working structure for the future, which eventually became 3GPP. 3GPP applied the model of an “ETSI Partnership Project”, as defined in the ETSI reform of 1996.

How successful was 3GPP?

The new organization started successfully at the end of 1998. Nowadays, 3GPP is undoubtedly the worldwide centre of excellence in mobile communications. ETSI took a leading role in 3GPP and gained broad global influence on future mobile communication standardization.


Posted by Sabine Dahmen-Lhuissier

2019 Fellow: Our exclusive interview with David Chater-Lea

Can you tell us a bit more about your background? How did you get into critical communications?

Actually, I’ve always been interested in radio, and got an amateur radio licence at the age of 17. So I naturally ended up working in mobile radio and joined what would become Motorola in the UK. One of the most interesting aspects of mobile communications was finding out how your customers worked, to determine what solutions were needed. Police forces were major customers, and it was especially important to understand how they were using their equipment, as radio was a tool for safety as well as communication.

How did your career evolve to standardization?

The industry evolved to go beyond group communications and add data communications. In the case of emergency communications, voice was augmented with status and text messages exchanged between policemen and dispatchers. And in a competitive marketplace where customers want to buy products from different suppliers, you need to standardize the technology. My first experience in ETSI standards was in the late 1980s, with a binary technology working over analogue radio. However, by the 1990s, when digital radio started to arrive, we realized that digital communication needs a great deal more standardization than analogue technology to achieve full interoperability. A standard gives customers and governments confidence that they can buy from one company or another and this encourages competition with more and more features, and also reduced prices.

TETRA is one of ETSI’s biggest success stories. What’s the impact today?

From a European standard, it has become a global standard, now used in more than 110 countries, so actually used by millions of users. The emergency services are the biggest market for TETRA, and right from the start they saw that this could be the technology that they needed for cooperation between countries, and became involved in its standardization. But also, from the early days, it has been used by metro rail systems, and other forms of transport.  It is now in use in many professional applications.

With 5G coming up, is the technology going to change?

TETRA provides speech and data but it can’t give you the speed of a 4G or 5G network, and these higher data speeds will obviously bring new capabilities to jobs in emergency services. Commercial mobile networks benefit from a huge amount of useful data but they were not designed for mission-critical communications. So, as ETSI is part of 3GPP, four years ago we started the 3GPP working group SA6, of which I have now completed two terms as a vice-chairman, to provide new capabilities and define critical communications over mobile networks. They won’t replace TETRA for now, as TETRA has been designed for ultra-reliability and ultimate security, which may not be the case for all mobile operator services designed for commercial services. But if voice is the ultimate communication today that needs to have the highest level of resilience, in the future as data and video gets more built into the users' processes, voice may become slightly less important. We’ll see things evolve then…



Posted by Sabine Dahmen-Lhuissier

2019 Fellow: Our exclusive interview with Robert Macchi

Can you tell us a bit more about your background, how you got into Fixed Service (FS) radio communications?

It was actually due to several events. At secondary school, where I learnt mechanics, I was employed by GTE. After one year, restless for professional life, I joined Politecnico university to study electronics. Then I took a chemistry examination, the only exam I failed in my life, which confirmed that electronics was my way forward. When I returned, as a graduate, to GTE, I had the choice between production or R&D, I went for R&D…

You are considered THE reference for Fixed Service radio. How did standardization start in the radio industry?

In the late 70s, CEPT established TM4, which produced some recommendations. When ETSI was born in 1988, TM4 became the TM4 working group of ETSI TC ATTM, which I attended and became the Chair of in 1997.

During the mid 90s, CEPT worked on recommendations and sharing/compatibility with other services for Fixed Services bands. Horizontal radio activities flourished in CEPT and ITU-R, and being involved in all of them enabled me to acquire some limited but professionally enriching expertise in other radio services.

And what was the role of ETSI in this area?

Before the first European radio directive (RTTED), ETSI ENs on Fixed Services were already recognized overseas thanks to the comprehensive Tx/Rx/antenna parameters. The new Radio Equipment Directive (RED) increased this visibility and ETSI European standards (ENs) gained worldwide acceptance and were subsequently implemented on national markets.

The ETSI TM4 group turned 25 pre-RTTED ENs into globally accepted standards with the EN 302 217 series. And the Harmonized Standard EN 302 217-2 has become a reference for point-to-point equipment for any application and any Fixed Service allocated band.

What is the status of Fixed Service radio today?

Up to the 80s, FS composed the bulk of fixed networks. The advent of more efficient and reliable fibre optic reduced the need for long-haul FS use; however, in the early ‘90s, the success of GSM networks revived interest in FS. The speedy deployment of base stations for territory coverage found the perfect match in FS links. With more efficient mobile networks, Fixed Service using wider channel bandwidth of millimetric bands, easily managed the increase of payload capacity.

Today an average of 70% of base stations are connected to a fibre optic network through one or more Fixed Service links, which the media tends to forget, being more focused on “xG Access” and “Fibre Optic” as leading technologies improving global communication and citizens’ welfare.

Based on that figure, I somehow indulge myself in dreaming (or better having a nightmare) about how communications might have evolved without Fixed Service…

With 5G coming up, how will fixed radio evolve and contribute network evolution?

From a FS perspective, solving challenges such as larger payload, improved performance, easier deployment should be within the reach of the industry.

5G topology suggests larger base-station numbers with reduced relative distances. The quicker and often cheaper FS deployment will still be advantageous. FS will also benefit from new FS frequency bands within the 92/174.8 GHz range.

Therefore, even if Fibre Optic increases its penetration rate in first backhauling levels, the absolute number of FS should remain equivalent and is likely to increase. FS technology will continue to evolve, as ever.

And 6G is just around the corner...