Introducing… ETSI’s Technical Committee: CYBER
The world has never been more connected than it is today. The Internet has become critical to our everyday lives, for businesses and individuals, and so too has its security. With our growing dependence on networked digital systems comes an increase in the variety and scale of threats and cyber attacks.
A variety in the protective methods used by countries or organizations can make it difficult to assess risk systematically and to ensure consistent, adequate security. Therefore, standards have a key role to play in improving cybersecurity – protecting the Internet and IoT, securing communications and providing security tools for businesses that need them. ETSI TC CYBER is making these standards for today and for the future.
ETSI TC CYBER is recognized as a major trusted centre of expertise offering market-driven cybersecurity standardization solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. ETSI TC CYBER works closely with stakeholders to develop standards that increase privacy and security for organizations and citizens across Europe and worldwide. We provide standards that are applicable across different domains, for the security of infrastructures, devices, services, protocols, and to create security tools and techniques.
TC CYBER is the most security-focused technical committee in ETSI, and we have many strands of work. This roadmap describes each of TC CYBER's key areas where standardisation can help on the journey to better security.
Understanding the cybersecurity ecosystem
TC CYBER created a Technical Report on the Global cybersecurity Ecosystem (TR 103 306 which is now available and updated on a wiki page), to discover and assemble lists of global cybersecurity constituents. We believe this knowledge is important, as we need to find where TC CYBER can best contribute to the global security landscape. It attempts to be as inclusive as possible to expand our collective insight into the extent and diversity of the ecosystem, including:
- forums that develop techniques, technical standards and operational practices
- major IT developer forums affecting cybersecurity
- activities for continuous information exchange
- global and national centres of excellence
- reference libraries, conferences, and publications
- heritage sites and historical collections
This area of work is all about creating a common cybersecurity ecosystem, but it also shows TC CYBER’s reach both in Europe and globally.
Protection of personal data and communication
Protecting personal data has become a hot topic, especially since publication of the GDPR, and with ePrivacy on the horizon, TC CYBER is doing the work to match.
TS 103 458 describes high-level requirements for Attribute-Based Encryption (ABE). One objective is to provide user identity protection, preventing disclosure to an unauthorized entity. It defines personal data protection on IoT devices, WLAN, cloud and mobile services, where secure access to data has to be given to multiple parties, according to who that party is. ABE lets you define user access based on attributes – for employees in a company, this could be the department they work in, or if they are in a probation period – restricting access to data to those who are allowed to view it.
TS 103 532 focuses on Attribute-Based Encryption to control access to data, aiming to provide user identity protection whilst preventing disclosure of data to an unauthorized entity.
Recent work focuses on protecting identity of devices and users, inspired by industry’s need for GDPR compliance. Much connectivity currently operates on all-or-nothing trust; you connect your device to a network and it has to be trusted completely, or not at all (and then it doesn’t work!) TS 103 486 describes how devices can be discovered pseudonymously and builds a more nuanced trust establishment mechanism.
TR 103 370 focuses on technical standards that can be used for data protection according to GDPR, which centres around personally identifying information. TS 103 485 defines mechanisms for privacy assurance. TC CYBER recognizes its role in supporting European regulation and legislation.
Consumer Mobile and IoT security and privacy
As more devices in our homes connect to the internet and as people entrust their personal data to an increasing number of services, the cybersecurity of the Internet of Things is becoming a growing concern. Poorly secured products threaten consumer’s privacy and some devices are exploited to launch large-scale DDoS cyber attacks.
EN 303 645/TS 103 645 supports a good security baseline for internet-connected consumer products, provisioning a set of 13 provisions, with the top three being: no default passwords, implement a vulnerability disclosure policy, and keep software updated. This baseline deliverable is complemented with an assessment specification and an implementation guide, all detailed on the Consumer IoT security page. Currently, TC CYBER is working on a smart door lock vertical standard, based on ETSI EN 303 645.
TC CYBER is also working on security and evaluation requirements for consumer mobile devices focusing on devices with high computation power and rich user interface such as smart phones and tablets (TS 103 732).
Other IoT work in TC CYBER includes a report on Critical Security Controls (TR 103 305-3), which is applicable to IoT. ETSI hosts an annual IoT Week in October too; you can find out more about this on the IoT events page.
Cybersecurity for critical national infrastructures
Critical infrastructure is defined in TR 103 303 as: “any infrastructure for which loss or damage in whole or in part will lead to significant negative impact on one or more of the economic activity of the stakeholders, the safety, security or health of the population”. Examples include power plants, drinking water, hospitals and train lines.
TR 103 303 reviews roles and subsequent measures for the protection of Critical Infrastructure, where the Critical Infrastructure in whole or in part is composed of technologies using cybersecurity mechanisms. The resulting measures and processes for Critical Infrastructure Protection (CIP) are defined and relevant mechanisms to be implemented are identified.
ETSI creates standards that are driven by industry need. Since 2017, CYBER identified that Middleboxes are a crucial part of network function and defence, whether you call them proxies, middleboxes, firewalls or intrusion detection systems.
This led to the creation of the Middlebox Security Protocol, or MSP – which is being delivered in parts, so as to be extensible where necessary – as the TS 103 523 series.
MSP allows proxies access to only the parts of the data that they need, controls whether the data can be modified or not, gives the client and server visibility of what the proxies are doing, and protects proxies from malicious clients or servers. MSP gives improvements to overall system security compared to usage of a traditional MITM proxy and enables new scenarios to be supported that were traditionally unavailable.
MSP is more widely applicable than traditional MITM proxies, as it facilitates similar functions but does so more securely and with more control. It can be used to:
- enable data centre operations, such as: load-balancing, troubleshooting, malware detection, investigation of network attacks, and more, on encrypted networks
- restrict access of data on a fine-grained scale, protecting privacy for users
- specify required security properties of middleboxes and their visibility to endpoints
TC CYBER started activities to secure some element of the networks. First, they addressed the Home Gateway security with a threat analysis (TR 103 743) and security requirements (TS 103 748). They are currently working on Network Routers as well as optical network and device security.
Cybersecurity tools and guides
TC CYBER works on several specific techniques and tools to enhance cybersecurity.
Implementing a vulnerability disclosure policy is a key requirement in ensuring on-going strong cyber security after a product has been placed on the market. ETSI TR 103 838 provides a guide to coordinated vulnerability disclosure. It contains generic advice on how to respond to and manage a vulnerability disclosure, a defined triage process, advice on managing vulnerabilities in third party products or suppliers. It also includes an example of a vulnerability disclosure policy.
The Critical Security Controls (TR 103 305) are a five-part series of pragmatic guidance and advice that are widely applicable to many enterprises - and very understandable. Each part focuses on a separate aspect of enterprise security.
TS 103 457 solves the problem where organizations want to protect customer data whilst still using a cloud that is not under their direct control. TS 103 457 standardizes an interface between a "secure vault" that is trusted and a cloud that could be anywhere, where such sensitive data is stored in the vault. This allows a sensitive function to exist in a lower security environment, with data held securely. This widely applicable; for example, this interface can be used with NFV technology to allow secure authentication of users for billing purposes. Virtualisation means that processing can happen anywhere and might be untrusted, so these secure vaults are needed to protect sensitive functions and data. This need is more common than ever as NFV technology becomes widespread.
Other techniques we worked on is to protect software in a white box model – another growing need in security today, external encodings for the Advanced Encryption Standard (AES), and a guide to Identity-Based cryptography.
We released a specification to provide assurances of digital material that are so strong that they can be used in legal or criminal proceedings. This specification identifies a process of receiving, transforming and outputting material that can be assured digitally – and importantly, the assurance of the material is not dependent on the process having been carried out by a specially-trained human expert. This innovative piece of work shows yet again the forward-leaning nature of TC CYBER and our willingness to embrace new standards that are derived from industry need.
We're also updating our TS 102 165 series on cybersecurity methods with the Threat, Vulnerability, Risk Analysis (TVRA) and counter measues.
Our previous work in this area also includes TR 103 331 (Structured threat information sharing), as cyber threat information sharing - often described as threat intelligence sharing - is one of the most important components of an organization's cybersecurity program. This report provides a survey of ongoing activities and the resulting platforms that are aimed at structuring and exchanging cyber threat information – to inform TC CYBER’s future work.
Direct support to EU legislation
We recognize our key role to play in helping stakeholders comply with regulation, such as the Radio Equipment Directive, NIS Directive, ePrivacy, GDPR and the Cybersecurity Act, demonstrated by our publications giving guidance to meet the legal measures and technical requirements of the NIS Directive and GDPR. TC CYBER understands its responsibility in supporting EU legislation.
We issued guidance on implementing the NIS Directive (Networks and Information Systems Directive) in TR 103 456. Its strength results in ETSI's ability, as a regional and global organization, to bring together industry expertise and global cybersecurity knowledge, including its own cybersecurity technical specifications and report. We are currently analysing the impact of the revision of the NIS Directive.
Our specification TS 103 485 provides a set of considerations for industry and mechanisms to use when aiming to achieve compliance to the requirements in the General Data Protection Regulation (EU) 2016/679  (GDPR). TR 103 370 also provides guidelines and best practices to manage privacy, aiming to help achieve compliance with GDPR.
In collaboration with all relevant ETSI technical committees – and in close co-operation with CEN and CENELEC – during 2022 and 2023 TC CYBER intends to actively participate in improving the cybersecurity posture of radio equipment in response to the expected Standardization Request in support of the Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 activating article 3(3)(d,e,f).
Our most recent EN 303 645 and its complementary assessment specification and implementation guide could also be used in a certification scheme if the EC request ENISA to prepare a cybersecurity certification scheme for IoT under the Cybersecurity Act. Our work on security and evaluation requirements for consumer mobile device could be also of use if certification of 5G mobile devices would ever be considered.
The emergence of quantum computing will present a serious challenge to current cryptographic techniques. Previously secure and encrypted information – such as bank account details, identity information and military data – will become subject to discovery and possible misuse. New ‘quantum-safe’ cryptographic techniques have emerged in recent years that provide protection against quantum threats.
We are addressing these security issues by developing recommendations and specifications for the transition to quantum-safe applications in our Working Group on Quantum Safe Cryptography (QSC) within TC CYBER. We aim to standardise methods that mitigate the potentially disruptive technology of quantum computing.
You may have heard of the NIST process to standardize quantum-safe algorithms – ETSI is complementing this approach with practical advice on implementation, integration, migration times and risk assessment – all aimed at industry.
QSC's focus is on the practical implementation of quantum safe primitives, including performance considerations, implementation capabilities, protocols, benchmarking and practical architectural considerations for specific applications. This is exemplified by QSC's report TR 103 619 defining migration strategies and recommendations for Quantum-Safe schemes, and enhancing cryptography awareness across all business sectors. QSC also published a technical specification on hybrid key exchange.
ETSI is also working on the related concept of Quantum Key Distribution (QKD).
TC CYBER is an active committee with many work items open at any one time.
Click on the bubbles below for more information on what future topics TC CYBER has on its road map...
A list of possibilities
|For AI see also our ISG SAI|
Find out more
For more on ETSI's security work, check out the cybersecurity page on our website.
If you are interested to join ETSI including TC CYBER, please refer to membership information and contacts on the CYBER committee page.